mirror of
https://github.com/we-promise/sure.git
synced 2026-07-12 04:45:19 +00:00
2d3d9744664b8dffa1e95d5ac69eba2ee3316fca
2831 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
2d3d974466 |
fix(ds): canonical separators and destructive tokens in usage/rules tables (#2332)
The LLM usage table (Settings → AI usage) and the rules recent-runs table used hardcoded color classes instead of design-system tokens: - `divide-gray-100` separators — a fixed light gray with no dark-theme variant, so the row dividers render wrong in dark mode. - Raw reds for failed rows (`bg-red-50`/`bg-red-950`, `text-red-500/600`). Swap to the canonical tokens used by every other table (settings/debugs, admin/users, …): - divide-gray-100 -> divide-alpha-black-200 theme-dark:divide-alpha-white-200 - bg-red-50 / bg-red-950/30 -> bg-red-tint-5 / bg-red-tint-10 - text-red-* -> text-destructive (via the icon helper's color: param) Token-only; no structural or behavior change. Co-authored-by: Guillem Arias <guillem.arias@col.vueling.com> |
||
|
|
89eb441145 | fix(sync): discover nightly provider items reflectively (#2334) | ||
|
|
8dd789e641 |
chore(i18n): remove dead transfers.form.* exchange-rate keys (#2293)
The transfer and transaction forms render the exchange-rate tab UI via shared.exchange_rate_tabs.* exclusively, so transfers.form.calculate_rate_tab, convert_tab, exchange_rate, and exchange_rate_help are never looked up. Remove these four dead keys from every locale file that carries them (en, fr, es, ca, hu, vi). The live siblings (exchange_rate_display, destination_amount, etc.) are left intact. No view or code references change. Fixes #1508 |
||
|
|
51c826ca2c | Bump versions by hand | ||
|
|
2e384eb833 |
fix(ds): shrink dialog close button to size sm (#2309)
The dialog close button rendered as a :md icon button (44x44px with a 20px glyph) — noticeably larger than the dialog's own action buttons (36px tall) and visually heavy next to the title. Pass size: :sm so the close control is 32x32px with a 16px glyph, matching the action row's weight. 32px still clears the WCAG 2.5.8 (AA) 24px minimum target. |
||
|
|
b0b0dc866d |
chore(deps): bump css_parser from 1.21.1 to 1.22.0 (#2336)
Bumps [css_parser](https://github.com/premailer/css_parser) from 1.21.1 to 1.22.0. - [Changelog](https://github.com/premailer/css_parser/blob/master/CHANGELOG.md) - [Commits](https://github.com/premailer/css_parser/compare/v1.21.1...v1.22.0) --- updated-dependencies: - dependency-name: css_parser dependency-version: 1.22.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
5d9367f33a |
chore(deps): bump yard from 0.9.37 to 0.9.42 (#2335)
Bumps [yard](https://yardoc.org) from 0.9.37 to 0.9.42. --- updated-dependencies: - dependency-name: yard dependency-version: 0.9.42 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
||
|
|
5937195df0 |
fix(chat): clear assistant bubble on destroy so the chat doesn't hang on Thinking (#2315)
* fix(chat): clear the assistant message bubble when a turn is destroyed When an assistant turn fails before any text streams (e.g. a provider auth/model/network error on the first call), Assistant::Builtin#respond_to destroys the still-pending message. Message only broadcast on create and update, never on destroy, so the rendered 'Thinking…' bubble was never removed — the chat appeared stuck thinking forever even though the job had already errored (and appended an error via chat#add_error below it). Add after_destroy_commit broadcast_remove_to so a destroyed message is removed from the page. * refactor(chat): trim destroy-broadcast comment to one line Project convention asks for comments only when the why is non-obvious; the behaviour is already covered by the commit/PR description. Per review feedback. --------- Co-authored-by: Guillem Arias <guillem.arias@col.vueling.com> |
||
|
|
5608f2b3fa |
fix(settings): give the MCP copy button success feedback (#2314)
* fix(settings): give the MCP copy button success feedback The MCP server URL Copy button copied to the clipboard but showed no feedback. It is a DS::Button (single icon), but clipboard_controller's showSuccess() unconditionally toggled iconDefault/iconSuccess targets — which that markup does not have — so it threw right after the copy and the user saw nothing. Guard the icon-swap path (still used by invite codes, MFA and profiles) and add a fallback that briefly flips the button's own label to Copied! via a new copiedText value. Wire it up on the MCP page. * fix(settings): capture copy button before async clipboard resolve event.currentTarget is null by the time the writeText().then() callback runs (it's only valid during event dispatch), so showSuccess received null and the label never flipped. Capture the button synchronously in copy() and pass it through. Verified in-browser: Copy -> Copied! -> Copy. * refactor(clipboard): unify feedback reset delay, harden label lookup Extract a shared RESET_DELAY_MS so the icon-swap and label-flash paths last the same duration when both copy buttons render on one page. Scope the label lookup to span.truncate (the DS::Button text node) so it ignores any future icon span. Per review feedback. --------- Co-authored-by: Guillem Arias <guillem.arias@col.vueling.com> |
||
|
|
635938ec7b |
fix(ds): normalize legacy tooltip spacing to one recipe (#2311)
The four inline (non-DS::Tooltip) tooltips had drifted: three used p-2 rounded w-64, one used p-3 rounded w-72 with shadow-lg, and all used rounded (4px) where DS::Tooltip uses rounded-md (6px). Unify them on p-2 rounded-md w-64 — radius now matches DS::Tooltip and the lone p-3/w-72/shadow-lg outlier is gone, so the dark tooltips read consistently. |
||
|
|
84547f766c |
fix(dashboard): align sankey zoom-out button with section header (#2313)
The cashflow sankey zoom-out button sat in a bare flex justify-start row. Because the dashboard section body has no horizontal padding (just py-4), the button rendered flush against the card's left edge — 16px left of the section header title and out of line with the rest of the widget. Add px-4 to the button row so it aligns with the header, matching the _net_worth_chart widget's px-4 header row. |
||
|
|
215864fdd9 |
fix(dashboard): apply two-column layout at xl, not 2xl (#2310)
The dashboard two-column layout preference only added 2xl:grid-cols-2 (>=1536px), but the setting copy promises two columns on large screens. On any display narrower than 1536px (most laptops, ~1280-1440px) the toggle did nothing. Lower the breakpoint to xl (>=1280px) so it engages on the screens users actually have while keeping widgets wide enough to stay usable. |
||
|
|
6ebead4690 | Bump version by hand | ||
|
|
bc0dcdd41b |
fix(ds): neutral text for goals status callout (#2312)
The goals status callout colored its entire body (icon, label and context) with text-warning / text-success / text-secondary, so a behind goal rendered as all-yellow text. That diverges from the DS::Alert recipe, where tinted boxes keep neutral body text (text-primary) and only the icon carries the status color. Drop the text-* tokens from the container, add text-primary, and move the warning/success color onto the icon via color:. |
||
|
|
88343002d1 |
chore(deps): upgrade Rails 7.2 → 8.1 (#2301)
* chore(deps): upgrade Rails 7.2 → 8.1 Rails 7.2 reaches end of life on 2026-08-09. Bump the framework to the current 8.1.x line. - Gemfile: rails "~> 8.0" (resolves 8.1.3); bundle update rails pulls the Rails 8 framework gems plus the bumps it requires — ViewComponent 3.23 → 4.x (Rails 8 support), rails-i18n 7 → 8, rswag, and transitive deps. - app/models/transfer.rb: make Transfer#date nil-safe (inflow_transaction&.entry&.date). Rails 8's date_field evaluates the field default on a new/unpersisted Transfer (the new-transfer form), where the association is nil; without this, TransfersController#new raises "undefined method 'entry' for nil". Matches the &. pattern already used in Transfer#sync_account_later. Framework behavioral defaults are unchanged (config.load_defaults stays as-is). Validated on Rails 8.1.3: zeitwerk:check passes, full suite green (4904 runs, 0 failures, 0 errors), rubocop and brakeman clean. * fix(rails8): style textarea + deterministic property edit system test The Rails 8 gem bump kept config.load_defaults at 7.2, but Rails 8 renamed two ActionView::Helpers::FormBuilder field helpers regardless of defaults: :text_area → :textarea and :check_box → :checkbox. StyledFormBuilder builds its styled helpers from `field_helpers`, so `form.text_area` (e.g. the account "Notes" field) silently fell through to the unstyled base helper and rendered without a label — failing 8 system tests with `Unable to find field "Notes"`. - app/helpers/styled_form_builder.rb: exclude both spellings of the non-text helpers (:check_box and :checkbox) and alias the legacy `text_area` to the Rails 8 `textarea` so existing call sites stay styled. Harmless on Rails 7.2 (old names present instead). - test/system/property_test.rb: open the property edit dialog via the account menu with a retry. The account page issues a Turbo morph refresh shortly after load (turbo_refreshes_with :morph + a family-stream broadcast); opening the modal while that refresh is in flight let the morph re-render the page and wipe the just-loaded #modal turbo-frame. Rails 8 timing made the race deterministic. Retrying once the refresh has settled makes the test stable (confirmed via Turbo frame-load vs full-page morph event traces; 3x green in isolation). - config/brakeman.ignore: the added comment block shifted the pre-existing (already-ignored, Weak) class_eval Dangerous Eval warning from line 5 -> 10, changing its fingerprint. Re-point the existing suppression to the new fingerprint/line so scan_ruby stays green. Validated on Rails 8.1.3: full system suite green (92 runs, 355 assertions, 0 failures, 0 errors), rubocop clean, brakeman 0 warnings, CodeRabbit no findings. * chore(deps): pin rails to the 8.1 minor line (~> 8.1.0) Tighten the constraint from `~> 8.0` to `~> 8.1.0` (>= 8.1.0, < 8.2) so a future `bundle update rails` tracks the 8.1.x line rather than silently jumping to 8.2 when it ships. Matches the upgrade plan's stated intent (target 8.1.x for the EOL runway) and a review note on #2301. No resolved-version changes: bundle install keeps rails at 8.1.3 and every other locked gem unchanged — only the Gemfile.lock DEPENDENCIES constraint line moves. zeitwerk:check still passes; the already-green unit/system suites ran on this exact resolved tree. * chore(rails8): adopt Rails 8.1 framework defaults (config.load_defaults 8.1) The gem bump above kept config.load_defaults at 7.2 so the change set could be reasoned about in stages; this finalizes the upgrade by adopting the modern framework defaults now that the suite is green on Rails 8.1. Rails 8.0 added no new framework defaults (there is no new_framework_defaults_8_0 template), so 7.2 -> 8.1 is the single meaningful step. No incremental new_framework_defaults_8_1.rb opt-in file is needed: the full suites pass with all 8.1 defaults enabled at once. The 8.1 defaults this turns on include action_on_path_relative_redirect=:raise (open-redirect hardening), raise_on_missing_required_finder_order_columns, escape_json_responses=false / escape_js_separators_in_json=false (JSON perf), and Ruby-parser template-dependency tracking. Validated with no application code changes: bin/rails test 4904/0/0, bin/rails test:system 92/0/0, rubocop + brakeman clean. * chore(ci): restore brakeman CheckEOLRails now that the app is on Rails 8.1 config/brakeman.yml existed only to skip brakeman's CheckEOLRails. That check fires on the calendar (it warns 60 days before a framework's EOL and escalates as the date nears), so Rails 7.2's 2026-08-09 EOL turned `bin/brakeman` red (exit 3) on every branch and on main regardless of the diff. The skip carried a TODO to remove it once Sure upgraded off 7.2. This PR puts the app on Rails 8.1 (EOL well in the future), so the skip is obsolete; remove the file (its sole content was the skip) in the same change that makes it unnecessary -- no stale-config window. brakeman auto-loads the file when present and falls back to defaults when absent, and nothing references it explicitly. CheckEOLRuby was already enabled and is unchanged; config/brakeman.ignore is untouched. Validated on Rails 8.1: bin/brakeman runs EOLRails + EOLRuby, 0 warnings, 0 errors, exit 0. |
||
|
|
e38632632c |
feat(mobile): standardize money typography and semantic amount color (#2331)
* feat(mobile): standardize money typography and semantic amount color Add a brightness-aware SureColors theme extension and a MoneyText/SureMoney primitive (semantic success/destructive/subdued tokens + tabular figures for column-aligned digits), then migrate the transaction lists and balance cards off raw Colors.green/red/grey. Step 2 of the mobile design-system sequence (#2235), after #2237's theme foundation. Primitive-first: screens consume shared tokens/typography. * fix: review feedback — brightness-aware token fallback, de-flake Setting tests, Pipelock localhost FP - SureColors.of falls back to the palette matching the active brightness (not always light) when the extension is missing, so dark surfaces stay correct. - Clear the rails-settings-cached cache before each test; its in-memory cache survives the per-test transaction rollback, leaking Setting.* across tests and flaking Settings::HostingsControllerTest (stale empty string vs nil). Full unit suite: 4952 runs, 0 failures. - Suppress the localhost test-DB DATABASE_URL false positive with line-level `# pipelock:ignore` in ci.yml + llm-evals.yml instead of excluding whole files, so those workflows stay scanned for real secrets. |
||
|
|
c701479aee |
fix(ds): goals — uniform New-goal -> grid gap (mb-3 -> mb-4) (#2288)
The New-goal action row used mb-3 while the search row below it uses mb-4. When search is hidden, the New-goal row is the last element before the grid, so the gap-to-grid was mb-3; with search it was mb-4 -- inconsistent depending on state. Bump to mb-4 so the gap is uniform either way. (Audit Group-2 spacing: the other candidates did not hold up on inspection -- providers already has a space-y-4 gap, budgets' 'doubled' gap is correct sequential spacing for 3 elements, dashboard's empty-state gap is unverifiable without an account-less family. So this is the only real one.) |
||
|
|
007f84db1a |
refactor(settings): debugs page onto settings_section (#2289)
Consolidate the bespoke header card + filter card into one settings_section (title + subtitle) -- the canonical surface + an h2 (was a second <h1 font-semibold> below the layout's page-title h1, a heading-level + weight break). The log table stays an edge-to-edge bg-container card on purpose (settings_section's p-4 would inset it and float the thead). Left as follow-ups: the filter inputs' 10x repeated class strings (shared partial) and the bespoke empty state -> DS::EmptyState (needs #2143 on main). Page is super-admin-gated (Admin::BaseController), not renderable in the demo; verified via erb_lint + headless ERB compile + no-stray-markup grep. |
||
|
|
a249f9bda0 |
fix(ds): route mercury/ibkr provider panels onto sibling tokens (#2290)
Two literal-color outliers in app/views/settings/providers/, both fixed by matching the sibling panels in the same directory: - _mercury_panel: the per-item initial avatar used bg-blue-600/10 + text-blue-600. Every other settings/providers panel renders this generic avatar neutral (akahu/brex use bg-surface|bg-container-inset + text-primary). The literal blue was also a dark-mode contrast risk. -> bg-surface + text-primary. - _ibkr_panel: the 'not configured' status dot used a literal bg-gray-400 while the sibling brex panel's equivalent dot uses the bg-surface-inset token (paired with bg-success for the configured state). -> bg-surface-inset. Token-only swaps, theme-safe, no layout change. |
||
|
|
a9a855d794 |
Fix Railway deployment link in README
Updated the Railway deployment link in the README. Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> |
||
|
|
64b4c0fee4 |
Add support for dividend, deposit, withdrawal, and interest trade types to Trades API (#1761)
* Update trades api with support for additional types * rubocop fixes * fix missing amount validation for interest type * define missing schema reference * fix test api_headers to use display_key per guidelines * expand test coverage * replaced duplicate JSON response blocks with helper method * Add DB assertions to linked transfer test and fix invalid date test * update brakeman.ignore fingerpint for refactored code * Update the Brakeman ignore note to document validation for newly permitted keys * fix API key auth in Minitest test to follow correct pattern * update required in trades rswag spec to match the minimum fields that apply to all types * extract dividend handling from build_investment_trade_params to dedicated method * adjust response format to use the existing jbuilder views for Transfers and Transactions * normalize type before passing to create form * validate amount as a positive numeric value + tests * rubocop fixes * Add missing Trades API test coverage and docs - Add Minitest tests for withdrawal (422, transfer linking), interest (explicit ticker), and dividend update - Add rswag 401/403/404/422 response docs for create, update, destroy - Regenerate docs/api/openapi.yaml * Update Security.find line reference in brakeman.ignore note * Mark TransactionResponse account_type as nullable in rswag docs |
||
|
|
f7c633ef20 |
fix(preview): bind :3000 instantly and bound diagnostics posts (#2286)
* fix(preview): bind :3000 instantly and bound diagnostics posts The trusted preview deploy chain now succeeds end to end (after #2124, #2207, #2217), but the preview container itself dies on Cloudflare with "Container crashed while checking for ports" and no entrypoint diagnostics ever arrive (run 27186150190). Two compounding causes, both reproduced/measured locally against the pinned @cloudflare/containers 0.3.3 behavior: 1. The port window is unwinnable. The library waits a hardcoded ~20s for the container port, but the entrypoint only binds :3000 after redis, postgres, and rails db:prepare complete -- measured at 69s under a basic instance's 1/4 vCPU. Fix: bind :3000 within ~1s via a tiny Ruby placeholder responder (static 503 + meta-refresh, input ignored), verified with a TCP connect poll, and released just before the real server starts. The worker still gates previewReady on the real Rails /up probe and sample data, so readiness semantics are unchanged. 2. Diagnostics could stall boot and never deliver. emit_status used curl with no timeout against the worker, whose Durable Object can be unresponsive while it waits for this container's port (observed as 15s status timeouts in the failed run) -- so boot could deadlock against the port check, and failure detail (#2217) never reached the diagnostics artifact. Fix: --connect-timeout 2 --max-time 5 on all posts, progress events fire-and-forget in the background, and failure paths flush synchronously before exit. Validated locally at Cloudflare basic limits (1 GiB / 0.25 vCPU): first :3000 response in 1s, full boot to Rails /up=200 at ~76s with no OOM, and a forced postgres failure exits 1 in 4s with the failure event flushed. With the port window satisfied, the next real failure will finally surface postgres detail in _container_status and CI artifacts. * fix(preview): never read from placeholder clients Superagent flagged on PR #2286 that the single-threaded :3000 placeholder blocked on client.readpartial, so one connection that sends nothing -- such as a bare TCP port probe, which is exactly what the Cloudflare port check performs -- would wedge the accept loop and starve every later probe. The response is static, so drop the read entirely: each connection is written the 503 warming page and closed immediately, making the loop effectively non-blocking per client. Regression-tested by holding three idle TCP connections open while HTTP probes still answered 503 immediately; full boot under basic-instance limits (1 GiB / 0.25 vCPU) still reaches Rails /up=200 with the placeholder answering at 1s. * fix(preview): stop postgres crashing on Cloudflare's small /dev/shm This is the actual root cause of the preview container dying on Cloudflare with "Container crashed while checking for ports" (run 27341808838) and the maintainer's "dies immediately after postgres-start" (#2217). Reproduced locally: running the preview image with a tiny /dev/shm and a WRITABLE root (the realistic Cloudflare model) crashes postgres on startup with: FATAL: could not resize shared memory segment "/PostgreSQL..." to 1048576 bytes: No space left on device PostgreSQL 17 defaults to dynamic_shared_memory_type = posix, which allocates dynamic shared memory in /dev/shm. Cloudflare Containers provide only a tiny /dev/shm, so postgres FATALs before the entrypoint can bind a port, and the container exits -> the supervisor reports it crashed during the port check. Local Docker hid this because its default /dev/shm is 64MB. Memory was ruled out (boots fine at -m 512m); it is specifically /dev/shm. Fix: set dynamic_shared_memory_type = mmap so DSM is file-backed in the data directory instead of /dev/shm. The build comments out the default posix line, appends mmap, verifies the result, and fails hard if postgresql.conf is missing so this critical setting cannot silently regress. Also log fail_preview reasons to stderr so the real failure is captured by Cloudflare container observability even when the HTTP diagnostics channel is blocked by the worker's port wait. Verified at Cloudflare basic-equivalent limits (1 GiB / 0.25 vCPU, /dev/shm 64k): before, exit 1 right after "Starting PostgreSQL..."; after, "PostgreSQL is ready" -> Rails /up=200 (~97s), placeholder answering :3000 within 1s. Normal-resource boot still reaches /up=200 in ~9s. * fix(preview): use standard-1 instance and widen CI readiness poll Two changes the preview needs to actually deploy and be reported ready on Cloudflare, both validated by deploying to a real CF account. - instance_type basic -> standard-1. The container runs postgres + redis + puma AND generates the full demo dataset (Demo::Generator, ~12 years of transactions), which peaks just over basic's 1 GiB and OOM-kills the container (exit 137) before demo-data-ready. standard-1 (1/2 vCPU, 4 GiB) completes it. Measured on real Cloudflare: rails ready ~46s, demo data ~149s, peak well under 4 GiB, no OOM. - "Collect preview diagnostics" poll budget 40 -> 100 (~128s -> ~350s), with the matching guard in bin/preview_deploy_security_check.rb. A real CF standard-1 run reached previewReady at ~195s, so the old 40-poll budget would have failed a working preview before it finished warming up. The loop still breaks early on previewReady/previewFailed. * fix(preview): apply DSM override to the cluster the entrypoint starts The build selected postgresql.conf via `find ... | head -1`, which picks an arbitrary cluster, while the entrypoint starts the highest-version cluster (ls /etc/postgresql | sort -V | tail -1). Today only PG17 is installed so they coincide, but if a second major version were ever present the override could land on a cluster that never runs, silently reintroducing the /dev/shm crash. Derive PG_CONF from the same highest-version cluster the entrypoint starts so the dynamic_shared_memory_type=mmap override always applies to the active cluster. Verified: build edits /etc/postgresql/17/main/postgresql.conf, and at runtime under a tiny /dev/shm postgres starts with SHOW dynamic_shared_memory_type = mmap. * fix(preview): apply pg_hba trust rules to the cluster the entrypoint starts Same latent issue as the dynamic_shared_memory_type override: the build wrote the local `trust` rules to `find ... | head -1` (arbitrary cluster), while the entrypoint starts the highest-version cluster. With a single PG17 they coincide, but a second major version would send the trust rules to a cluster that never runs, breaking the entrypoint's trust-auth db setup. Derive PG_HBA from the same highest-version cluster (ls /etc/postgresql | sort -V | tail -1) and fail the build if it's missing. Verified under a tiny /dev/shm: postgres starts and CREATE ROLE/CREATE DATABASE succeed via trust. |
||
|
|
d908560ed9 |
feat(cashflow): deep-link category labels to filtered transactions (#2083)
* feat(cashflow): deep-link category labels to filtered transactions Clicking a category's text label in the dashboard cashflow Sankey chart now navigates to the transactions page filtered by that category and the cashflow's active period date range. The colored node bar keeps its existing zoom-into-subcategories behavior; structural nodes (Cash Flow, Surplus) do not navigate. URL-building lives in a pure, unit-tested utils/transactions_filter_url module (mirroring utils/sankey_zoom) pinned in the importmap. Period dates are threaded from the dashboard view into the Stimulus controller via data values. This matches the existing donut chart's click-to-filter behavior. * Update app/javascript/controllers/sankey_chart_controller.js Co-authored-by: Guillem Arias Fauste <gariasf@proton.me> Signed-off-by: Will Wilson <will@willwilson.uk> --------- Signed-off-by: Will Wilson <will@willwilson.uk> Co-authored-by: Guillem Arias Fauste <gariasf@proton.me> |
||
|
|
749d54dd96 |
Fix Plaid sync failure for loan subtypes missing from Loan::SUBTYPES (#2298)
PlaidAccount::TypeMappable maps the Plaid loan subtypes "home equity",
"line of credit", and "business" to home_equity, line_of_credit, and
business — but Loan::SUBTYPES never defined them. Linking any such
account (e.g. a HELOC reported by the institution as loan/"line of
credit") makes the item's sync fail with:
Validation failed: Accountable subtype is not included in the list
and, because Link itself succeeded, the failure is silent in the UI
(same UX gap as #1792).
Add the three subtypes to Loan::SUBTYPES, and add a regression test
asserting every subtype emitted by TYPE_MAPPING is valid for its
accountable so the mapper and models can't drift apart again.
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
|
||
|
|
65efcbab59 | fix(mobile): regenerate Sure token destructive color (#2296) | ||
|
|
1157ea8f20 |
fix(sharing): scope import account selects to accessible_by (#1803) (#2194)
* fix(sharing): scope import account selects to accessible_by (#1803)
Three CSV / QIF account selects in import/uploads/show.html.erb and one
PDF-import account select in imports/_pdf_import.html.erb pulled their
options from `@import.family.accounts`. That listed every account in
the family — including the family admin's unshared personal accounts —
in the dropdown shown to any member running an import. Swap each call
site to `Current.user.accessible_accounts` (owned + explicitly shared
accounts only), matching the existing scoping used by the dashboard
sidebar, transactions controller, transfers controller, etc.
Adds a regression test that signs in as family_member and asserts the
unshared-account names from the dylan_family fixtures never appear in
the rendered upload page.
* test(import): scope leak assertions to account select (#2194 CodeRabbit)
CodeRabbit nitpick: assert_match on response.body could pass/fail on
text outside the account dropdown (sidebar, breadcrumb, error message,
etc.) and gave false confidence in the refute_match exclusions. Switch
to assert_select 'select[name="import[account_id]"] option', text: …
so the assertions only see the option nodes the leak test actually
cares about.
* test(import): cover PDF account-select scoping; pluck PDF partial (#2194 review)
jjmata: the _pdf_import.html.erb scoping change was not covered by the
existing test (which only hit /import/uploads). Add a regression test
hitting GET /imports/:id with a PdfImport fixture, asserting the
account dropdown options match accessible accounts only.
Also swap the PDF partial's accounts.map { |a| [a.name, a.id] } for
.pluck(:name, :id) to match the .pluck pattern the other three CSV/QIF
selects already use.
* test(import): stub pdf_uploaded? on PDF leak test (#2194 ci)
The new regression test hit ImportsController#show which redirects to
the upload page when @import.pdf_uploaded? is false. The pdf_with_rows
fixture has neither a pdf_file attached nor a statement, so the
redirect fired before the partial under test ever rendered, failing
with 302 in CI. Stub PdfImport#pdf_uploaded? to true so the test
exercises the account-select scoping path it was written to cover.
* fix(import): scope PDF form to :import so field names match (#2194 ci)
The PDF-import account-select form was `form_with model: import` with
no explicit scope. Because the model is a PdfImport, Rails derived the
param namespace from the class name, so the rendered field was named
`pdf_import[account_id]` — not `import[account_id]`. The
ImportsController#update action accepts either via
`params.dig(:pdf_import, :account_id) || params.dig(:import,
:account_id)` so live submissions still worked, but the regression
test added in
|
||
|
|
0e1b3f8396 |
fix(enable-banking): tolerate any 422 on PDNG fetch (#1805) (#1889)
* fix(enable-banking): tolerate any 422 on PDNG fetch (#1805) * fix(enable-banking): fall back to string key when reading PDNG error |
||
|
|
2075c8c41c |
feat(mcp): OAuth 2.1 auth for MCP — connect Claude.ai with your Sure login (#2234)
* feat(mcp): add OAuth well-known discovery endpoints (RFC 8414 + RFC 9728) Serves /.well-known/oauth-protected-resource (RFC 9728) and /.well-known/oauth-authorization-server (RFC 8414) so MCP clients can auto-discover the authorization server. Both endpoints are unauthenticated and respect APP_URL for reverse-proxy deployments. * feat(mcp): add dynamic client registration endpoint (RFC 7591) POST /register creates a public Doorkeeper::Application on demand so MCP clients (e.g. Claude.ai) can self-register without manual setup. Validates redirect_uris (including blank entries), falls back to "MCP Client" name, returns no client_secret (public client, PKCE only). Rate-limited to 10 registrations/min/IP via Rack::Attack. * feat(mcp): authenticate via Doorkeeper OAuth2, keep MCP_API_TOKEN as fallback MCP endpoint now accepts OAuth2 Bearer tokens issued by Doorkeeper. Falls back to the existing MCP_API_TOKEN env-var flow so self-hosted deployments are not broken. Requires MCP_OAUTH_ENABLED or MCP_API_TOKEN to be set — the endpoint returns 503 otherwise. - OauthBase concern provides APP_URL-aware configured_base_url (trailing slash stripped to prevent double-slash URLs) - Bearer scheme parsed case-insensitively (RFC 7235) - Only read_write scope accepted — read scope would allow mutating tools (CreateGoal, ImportBankStatement), so read-only tokens are rejected - Deactivated users rejected even with a valid Doorkeeper token - WWW-Authenticate header on 401 points to RFC 9728 resource metadata - SHA-256 digest used for constant-time env-var comparison - Rack::Attack throttle added for POST /register - Routes wired: /.well-known/*, /register, use_doorkeeper * fix(mcp): disable Turbo on OAuth consent form for external redirect URIs Turbo was intercepting the authorization form POST and XHR-fetching the redirect_uri (e.g. https://claude.ai/api/mcp/auth_callback), which CORS blocks. Extend the existing turbo_disabled guard to cover any redirect_uri that doesn't originate from the app itself. * feat(mcp): add Settings::McpController with connected clients view - Settings > MCP page (under Advanced) shows the MCP server URL with copy button and step-by-step instructions for connecting Claude.ai - Lists active non-mobile OAuth tokens with app name and revoke action; mobile device tokens are excluded to prevent accidental disconnection - Removes the MCP_OAUTH_ENABLED env-var gate — OAuth auth is always available since Doorkeeper handles consent; MCP_API_TOKEN remains as a self-hosted fallback * fix(mcp): remove client_credentials from grant_types_supported metadata Only authorization_code is supported by the registration endpoint. Advertising client_credentials was misleading — a client that reads the metadata and attempts that flow would get an application with the wrong grant type. |
||
|
|
360989c3a9 |
feat(mobile): align theme foundation with Sure tokens (#2237)
* feat(mobile): align theme foundation with Sure tokens Generate typed Flutter token constants from the canonical Sure token JSON and route the app through shared light/dark ThemeData construction. This keeps the first mobile design-system step scoped to foundation wiring and regression tests without restyling screens directly. * fix(mobile): define Sure error container colors Populate the manual Flutter ColorScheme error container pair from Sure tokens so validation and connection banners keep visible icon/text contrast. Add theme assertions for both light and dark modes. * fix(mobile): preserve full-width action buttons |
||
|
|
59edcaa986 | fix: EODHD lookup for EU mutual funds with EUFUND exchange code (#2212) | ||
|
|
77dda53ffb |
feat(ds): one canonical focus ring across primitives (#2140)
* feat(ds): one canonical focus ring across primitives (#2136) Replaces the grab-bag of per-primitive focus indicators (neutral ring-alpha-black/white, outline-gray-900/white, faint form-field ring-4) with a single recipe — the #1737 accessibility follow-up. - New --color-focus-ring token: blue-600 (light) / blue-500 (dark), >=4:1 against both surfaces. - Canonical .focus-ring / .focus-ring-within in components.css: a 2px outline + 2px offset on :focus-visible only. Outline (not a box-shadow ring) so the offset gap is transparent on any surface with no layout shift; :focus-visible so it never shows for mouse/touch. - Applied to every focusable DS primitive: Button (had none), Link, Disclosure summary, Tabs nav, MenuItem (replaces the browser-default box), SearchInput, Tooltip trigger, Popover trigger, Select panel (focus-within), Toggle (peer-driven outline-focus-ring). .form-field adopts it via :focus-within, replacing the ~1:1 ring-4. - Dialog close button is a DS::Button icon variant, so it inherits the focus-visible-only ring and keeps no resting border (fixes "stuck ring"). Verified in-browser, light+dark: focus-visible ring on button, input, and full-width menu row — consistent blue 2px+offset, legible on both surfaces. Remaining follow-up: >=44px touch targets (disclosure trigger, composer send); bespoke notification / account-new close buttons that still carry a permanent border. * fix(ds): #2136 interactive-state follow-ups — touch target + close-button chrome - Disclosure default trigger: add min-h-11 (44px) so the standalone disclosure summary clears the touch-target minimum (was px-3 py-2 ~36px). Composer send + the coming-soon icons are already DS::Button icon/md (w-11 h-11). - Notification close buttons (sync_toast, notice): drop the resting border-alpha-black-50 box ("frame shouts, glyph muted"); keep a bg-container + shadow-xs chip so the corner control stays visible over the page, and brighten the muted glyph on hover (text-subdued -> hover:text-primary). * refactor(ds): focus ring -> neutral hugging box-shadow (was blue outline) Per design feedback: the blue 2px outline + 2px offset read as a loud, detached frame on the otherwise-neutral UI. Switch the canonical .focus-ring to a soft box-shadow ring that hugs the control (follows border-radius, no gap), in the theme-aware neutral focus-ring token (alpha-black/white-400). Transparent outline kept as a forced-colors fallback; toggle peer-driver switched from outline-* to ring-* to match. Still one token, :focus-visible only. Strength is tunable (currently subtle ~1.5:1). * fix(ds): focus ring vanished on shadowed controls — outline, not box-shadow The neutral box-shadow ring lived in the components layer, so any utility-layer shadow-* (or .form-field's focus-within:shadow-none) on the same element overrode it and the ring silently disappeared on shadowed buttons/inputs. Draw the same subtle neutral ring with a hugging `outline` (outline-offset: 0) instead — a separate property with no box-shadow conflict, and it doubles as the forced-colors indicator. Toggle peer-driver switched ring-* -> outline-* to match. Look is unchanged (neutral, hugging, subtle); it just no longer vanishes. * fix(a11y): enlarge sync-toast close-button touch target (p-0.5 -> p-1.5) The hover-revealed close button had ~2px padding around a 20px icon (~24px total), at the WCAG 2.5.8 AAA boundary. p-1.5 brings the interactive area to ~32px. Addresses CodeRabbit review on #2140. * fix(ds): keep form-field's resting halo; stop the outline color flash Two testing findings: - .form-field reverts to its original always-on soft ring (focus-within ring-4 at low alpha, theme-aware) instead of adopting the keyboard-only outline. It's a resting decoration, not a focus indicator, and the lower-opacity halo was the better look. The canonical block's comment documents the deliberate opt-out. - .focus-ring/.focus-ring-within now carry a base transparent 2px outline so consumers with transition-all (form-field had it) animate transparent -> token on focus instead of passing through currentColor, which flashed as a black border appearing and then fading out. * feat(ds): focus-ring token clears WCAG 3:1 non-text contrast alpha-black-400 (20%) measured ~1.6:1 against white — visible but below the AA bar for focus indicators. Bump to the 700 stop (50%): ~3.95:1 on light containers, ~4.6:1 on dark. Recipe unchanged; one token edit via tokens:build. * fix(ds): ring the hand-rolled privacy toggle too The header pair showed two different focus treatments: panel-right (a DS::Button) got the new token ring while the hand-rolled privacy toggle next to it fell back to the browser-default ring — the sweep covered DS primitives but not bespoke buttons. Both privacy toggles (mobile + desktop) now carry .focus-ring. Also documents the transition interplay on the focused-state rule: consumers with transition-colors fade the ring in over 150ms because Tailwind v4's color transition list includes outline-color. Verified settled value at the intended 50% alpha via Playwright. * fix(ds): ring the sidebar and settings nav links The reshoot caught both nav species falling back to the browser's blue default ring — main sidebar items and settings nav items are bespoke link_to markup the primitive sweep missed, and they're the primary keyboard path in the app. Both adopt .focus-ring (main nav adds rounded-lg so the outline follows a shape). * fix(ds): retire the legacy base-layer button ring for the canonical outline The @layer base button rule still painted a ring-2 ring-offset-2 box-shadow on :focus-visible. Box-shadow and outline are independent properties, so .focus-ring (an outline) could never clear it and every button-tag primitive double-painted both indicators on keyboard focus. Apply the canonical recipe to the base button rule itself: every <button> now gets the transparent resting outline + focus-ring token on :focus-visible by default. Two bespoke buttons suppressed the outline with focus:outline-none and relied on the base ring for their keyboard indicator (category dropdown rows, the sign-up password toggle). Drop the suppression so they pick up the canonical outline — :focus-visible keeps it keyboard-only, which is what the suppression was protecting against anyway. * fix(ds): segmented control adopts the canonical focus recipe The segment rule inlined its own focus-visible outline (offset 2, alpha-400 colors) with a comment noting it was temporary until the canonical token landed — this branch is that token. Drop the inlined utilities: button segments get the outline from the base button rule, and link segments now carry .focus-ring. |
||
|
|
5f391f7fff |
fix(settings): preserve content scroll position per page across navigation (#2277)
Settings nav items are plain Turbo Drive links (full-body visits); Turbo only restores window scroll, so the nested overflow-y-auto content container snapped to the top on every settings navigation. Add a settings-scroll Stimulus controller that saves/restores the content scroll keyed by pathname: returning to a page restores its scroll, a new page opens at the top, and a same-page re-render (settings form auto-submit) keeps scroll. Distinct from the nav's preserve-scroll controller, which keys by element id to intentionally carry one position across pages. Verified live: scroll 250 on Preferences -> Appearance opens at top -> back to Preferences restores 250. |
||
|
|
74d0452a2b |
fix(ds): sync-settings env notice used undefined warning-* classes -> DS::Alert (#2278)
settings/hostings/_sync_settings.html.erb rendered the 'configured via env' notice with bg-warning-50 / border-warning-200 / text-warning-600 / text-warning-800 -- none of which exist as Tailwind utilities, so the box rendered fully unstyled (no tint, no border, default text color). Replace the hand-built box with the canonical DS::Alert(:warning), matching the warning-surface recipe and the ds-notice-neutral-text convention. |
||
|
|
8736c7c27e |
refactor(settings): consistency pass — header-less settings_section + guides (#2279)
* refactor(settings): header-less settings_section variant + migrate guides
Add a title:nil branch to settings_section so a page can route through the one
canonical surface recipe (bg-container shadow-border-xs rounded-xl p-4 space-y-4)
without a section header. No visual change to existing titled callers.
Migrate the guides page onto it: replace the hand-rolled card + hardcoded
'Guides' page title with settings_section + t('.page_title') (new locale key).
First step of the settings design-consistency pass.
* refactor(family-exports): un-nest exports list
The exports list rendered 'Exports' three times (page h1 + settings_section
title + inset count header) inside three stacked surfaces (section card >
bg-container-inset > inner bg-container table card). Flatten it:
- settings_section header-less (drop the duplicate title; the page h1 + the
inset count header already label it),
- drop the redundant inner space-y-4 wrapper,
- table sits directly in the inset (remove the inner bg-container card).
Now: one title, one card, one inset.
* refactor(settings): payments + appearances consistency
- payments: subscription summary row was bg-container inside the section's
bg-container (container-on-container) -> bg-container-inset + p-4.
- appearances: toggle-row labels used <h4> (heading-level break inside a
settings_section) -> <p font-medium>.
* refactor(settings): preferences consistency
- month_start_day warning: text-warning bg-warning/10 colored-body-text box
-> DS::Alert(:warning) (neutral-text recipe).
- preview-features block: hand-rolled <section bg-container shadow-border-xs
rounded-xl p-4> -> header-less settings_section (canonical surface).
- toggle-row <h4> -> <p font-medium>; text-[11px] base-currency badge -> text-xs.
* refactor(settings): profiles consistency
- unconfirmed-email notice was hardcoded English -> i18n
(unconfirmed_email_notice_html + resend_confirmation_link keys).
- role + pending chips: bespoke 'rounded-md bg-surface px-1.5 py-0.5 uppercase'
pills -> DS::Pill (tone: gray, badge mode).
- pending-invitation row border: border-alpha-black-25 -> shadow-border-xs
(match the member-row token).
|
||
|
|
d29591cff9 |
fix(ds): unify tab/chip controls on DS::SegmentedControl (#8) (#2284)
* fix(ds): goals status filter -> DS::SegmentedControl The goals status chips were a hand-rolled segmented control: active state toggled via ad-hoc bg-container/shadow-border-xs/text-* classes, NO hover on inactive chips, and a light-only focus ring (ring-alpha-black-100, invisible in dark mode). Migrate to DS::SegmentedControl button segments + toggle the canonical --active class in goals_filter_controller#syncChipState. Gains the dark-safe hover (hover:bg-gray-200 / theme-dark:hover:bg-gray-800) and the canonical focus ring. First control in the tab-consistency pass (#8). * fix(ds): provider filter chips -> DS::SegmentedControl Same hand-rolled segmented control as the goals chips: active toggled via ad-hoc bg-container/shadow/text classes, no inactive hover, light-only ring-alpha-black-100 focus ring. Migrate to DS::SegmentedControl + toggle the canonical --active class in providers_filter_controller#syncChipState. * fix(ds): transaction-type tabs -> DS::SegmentedControl Expense/Income/Transfer tabs were hand-rolled with a hover==active affordance bug: inactive hover raised bg to bg-container, identical to the active state, so hover and selected were indistinguishable. Migrate to DS::SegmentedControl (link segments + icons); the controller toggles the canonical --active class instead of swapping ad-hoc ACTIVE/INACTIVE class lists. The client-side nature switch (expense<->income updates the form's hidden nature field without navigating) is preserved -- verified live: switching to Income flips the active segment AND sets the nature field to inflow. * fix(ds): reports period tabs -> DS::SegmentedControl The Monthly/Quarterly/YTD/Last-6-Months/Custom period selector was five DS::Link ghost/secondary buttons -- a different tab idiom than the rest of the app. Migrate to DS::SegmentedControl link segments (server-rendered active via aria-current; pure navigation, no controller). Now matches the goals / provider / transaction-type controls + the AI provider picker. Also autocorrected a pre-existing single-quote in the next-period aria-label. |
||
|
|
2defccf366 |
fix(ds): dark-mode hover — alpha-black-25 -> surface-hover on date-nav triggers (#2287)
The budget/report period navigation triggers (the prev/next chevrons + the 'Month v' popover button) used hover:bg-alpha-black-25 -- a 3% black overlay that is invisible on dark surfaces, so they had no visible hover affordance in dark mode. Swap to the theme-aware hover:bg-surface-hover token (gray-100 in light, gray-800 in dark) already used by the settings nav. 4 occurrences across budgets/_picker, budgets/_budget_header, reports/index. (Also autocorrected a pre-existing single-quote in reports/index.) |
||
|
|
922b8853a9 |
fix(ds): add-account menu affordance — right-size close, clickable rows (#2276)
The account picker ("What would you like to add?" / "How do you want to add
it?") had affordance gaps:
- The close (x) and back (arrow-left) buttons were size: lg, oversized vs every
other modal close. Drop to size: md.
- The type/method rows had a hover background but no rest-state cue that they
navigate. Add a trailing chevron (subdued, brightens on hover) so they read as
actionable, and move the method-selector rows onto the theme-aware
hover:bg-surface-hover token (were hover:bg-surface).
|
||
|
|
7ebe5154cb |
fix(ds): balance-sheet weight column alignment + category pill padding (#2275)
- Dashboard balance-sheet weight cell wrapped its percentage ("64 %" -> two
lines) for 2-digit values: the account-row cell is w-14 (56px), too narrow
for the 5-bar gauge plus a spaced locale percentage (ca/es format "NN %").
Widen the account-row weight cell to w-20 to match the header/group columns
(also fixing the column misalignment) and add whitespace-nowrap to the value.
- Bump DS::Pill :md vertical padding py-0.5 -> py-1 so category pills (and the
other :md pills) are not vertically cramped.
|
||
|
|
b2b89437b0 |
fix(ds): route remaining literal yellow warning surfaces onto --color-warning (#2250)
* fix(ds): route remaining literal yellow warning surfaces onto --color-warning Completes the #2198 warning consolidation for view-level surfaces: - rules/index recent-runs status badges → DS::Pill (warning / success / error). - accounts/_account_sidebar_tabs missing-data notice: bg-yellow-tint-10 / text-yellow-600 → bg-warning/10 / text-warning. - import/confirms/_mappings unassigned-account notice → bg-warning/10 / border-warning/20 (also fixes a missing dark variant — it was light-yellow in dark mode). - simplefin/_replacement_prompt card → bg-warning/10 / border-warning/20, dropping the now-redundant theme-dark: companions (the token is theme-aware). rules' blue/purple execution-type badges and the red failed-row highlight are left as-is (not warning surfaces). Part of #2198. * fix(ds): neutral text in sidebar missing-data notice (match DS::Alert recipe) Warning surfaces follow the DS::Alert recipe — warning tint + warning-colored icon, but neutral body text (text-primary / text-secondary). The sidebar missing-data notice was the lone holdout still painting its text (and link) with text-warning. Switch to neutral text; keep the bg-warning/10 tint and the warning-colored triangle/chevron as the accent. More readable (color-on-tint text is low-contrast) and consistent with the DS::Alert migrations. * fix(ds): missing-data sidebar notice → static DS::Alert (drop disclosure) The notice was a raw collapsible <details> styled as a warning — a hybrid that hid its own primary action (the "Configure providers" link) and its explanation behind a chevron click. A warning's job is to surface a problem and its fix; a disclosure's job is to hide secondary detail. The two fought each other (triangle-alert "act on this" vs chevron "optional, expand"). Replace with a static DS::Alert(:warning): icon + title + body + the Configure link, always visible. Fixes the affordance, surfaces the action, canonicalizes the last warning-styled raw <details>, and matches the other DS::Alert notices. * fix(ds): grey body text in missing-data alert for title/body hierarchy DS::Alert renders its body in text-primary (same dark as the title). For this notice, drop the description to text-secondary so the title (primary, semibold) reads above the supporting body (grey) — clearer hierarchy. Still neutral (no colored text); the Configure link stays primary + underline so the action remains the prominent element. * fix(ds): bump account_sidebar_tabs cache version v1→v2 Flush stale <details>-markup fragments on deploy. The sidebar missing-data notice migrated from <details> to a static DS::Alert, but the fragment is cached with a 12h TTL — without a key change, old markup renders until expiry (and inconsistently across staggered multi-server cache warmups). Bumping the version string changes the cache-key namespace so every cached fragment is bypassed immediately. |
||
|
|
ab3e7e98c3 |
fix(ds): convert_to_trade price warning — fix dead dark:, use warning token (#2249)
The price-mismatch warning used bare `dark:` variants, but the app's dark mode is the `theme-dark` custom variant — so those styles never applied and the box stayed light-yellow on dark surfaces. Replace the literal yellow palette + dead `dark:` classes with the theme-aware `--color-warning` token (`bg-warning/10`, `border-warning/20`), the warning-colored alert-triangle, and neutral primary/secondary text (matching the DS::Alert recipe). One class now adapts to both themes; the JS targets (priceWarning / priceWarningMessage) are unchanged. Closes #2248. Part of #2198. |
||
|
|
211e407456 |
fix(ds): migrate remaining amber notice boxes to DS::Alert(:warning) (#2247)
Continues the #2198 warning consolidation (after the SSO surfaces). Replaces the last hand-rolled bg-amber-50 notice boxes with DS::Alert: - pages/redis_configuration_error: "why Redis is required" callout → DS::Alert(title:, message:, variant: :warning). - family_exports/new: export "Note" callout → DS::Alert(title:, message:). - sessions/new: "no auth methods enabled" notice → DS::Alert(message:). The DS::Alert warning recipe (warning tint + neutral text + alert-triangle) replaces the literal amber palette while preserving each notice's intent. Part of #2198. After this, the only remaining raw amber-* is the dynamic validation feedback in admin_sso_form_controller.js (deferred — JS form state styling, a separate concern). |
||
|
|
c45b786e86 |
fix(ds): migrate SSO amber warning surfaces to DS::Alert / DS::Pill (#2246)
Apply the resolved warning-hue decision (use --color-warning; no separate amber token) to the admin SSO surfaces flagged in #2198: - admin/sso_providers: the "legacy providers" notice → DS::Alert(:warning); the "ENV configured" badge → DS::Pill(tone: :warning). - settings/securities: the single-OIDC password warning → DS::Alert(:warning). Replaces hand-rolled bg-amber-50 / border-amber-200 / text-amber-800 boxes and an amber badge with the functional warning token via DS components. The DS::Alert warning recipe (warning tint + neutral text + alert-triangle) matches the prior look while clearing the literal-token drift. Part of #2198. |
||
|
|
c05a64ee9b |
fix(ds): canonical destructive red → red-500 (token + button) (#2245)
* fix(ds): canonical destructive red → red-500 (token + button) Per the resolved color decision, --color-destructive moves from red-600 (#EC2222) to red-500 (#F13636), aligning the destructive token with the red-500 already used app-wide for negative amounts and error text. - design/tokens/sure.tokens.json: destructive, border-destructive and button-bg-destructive (red-600→red-500) + button-bg-destructive-hover (red-700→red-600); dark values unchanged (red-400 base / red-500 hover). - Regenerate _generated.css. - buttonish.rb: the destructive button now uses the theme-aware button-bg-destructive / -hover utilities instead of hardcoded bg-red-600/700, removing the last raw-palette destructive bypass. Part of #2134. * fix(ds): keep destructive button fill at red-600 for white-label contrast Addresses review (Codex P2): the canonical-destructive flip to red-500 also lowered the solid destructive button fill to red-500, dropping white-on-red label contrast to ~3.95:1 at text-sm. Keep button-bg-destructive at red-600 / hover red-700 (white-on-red ~4.36:1 — the prior level, no regression). --color-destructive and border-destructive stay red-500: those are red-on- white text/border usages where red-500 is the chosen canonical hue. Solid white-on-red fills legitimately use a darker shade. |
||
|
|
4dbfbf0bc8 |
fix(ds): replace invalid bg-surface-default with bg-surface (#2244)
`bg-surface-default` is not a defined design-system token — Tailwind emits no rule for it, so these surfaces render with no background at all. Five call sites were affected: - rules/index.html.erb — recent-runs table header - settings/llm_usages/show.html.erb — usage table header - settings/ai_prompts/show.html.erb — three prompt-preview boxes Replace with the canonical `bg-surface` token — the same fill the admin/users and settings/debugs table headers already use. Clears a Rule 2 (non-functional token) finding from the weekly DS drift scan. |
||
|
|
034a12f1d8 |
fix(ds): use DS::Disclosure for investment-performance expander (#2243)
The "view details" expander rendered a raw <details>/<summary>, flagged as a Rule 1 (bypassing DS components) finding in the weekly DS drift scan (#2157). Migrate it to the DS::Disclosure :inline variant — the same primitive already used for the goals archived section and provider panels. Gains the canonical focus-visible ring and motion-safe chevron rotation for free; markup, copy, and i18n keys are otherwise unchanged. |
||
|
|
de8cd86f2f |
perf(sync): scope transfer matching after account sync (#2230)
* perf(sync): scope transfer matching after account sync * fix(sync): make transfer lookup index migration reversible |
||
|
|
51f09cdade |
Fix prerelease version-bump job: add PR fallback for protected branches (#2224)
* Fix prerelease version bump workflow
* Fix prerelease version-bump job: add PR fallback for protected branches
### Motivation
- The prerelease version bump job was failing when it could not push to protected release branches, causing the workflow to error instead of progressing.
- The job needs permission and robust push logic so prerelease automation can update `.sure-version` and `charts/sure/Chart.yaml` even when direct pushes are blocked.
### Description
- Grant the `bump-pre_release-version` job `pull-requests: write` permission so it may open an automated PR when direct pushes are disallowed.
- Harden the bump step: enable `set -euo pipefail`, pass `GH_TOKEN` into the job environment, and use fully-qualified branch refs for pushes.
- Add retry + rebase logic for direct pushes and a fallback path that pushes the changes to an `automation/bump-version-after-...` branch and opens a PR with `gh pr create` when direct push attempts fail.
- Preserve existing validations that ensure `.sure-version` and `charts/sure/Chart.yaml` exist and the prerelease portion is parsed before writing the bump.
### Testing
- Verified workflow YAML parses with `ruby -e 'require "yaml"; YAML.load_file(".github/workflows/publish.yml"); puts "YAML OK"'` and it succeeded.
- Confirmed the bump job has the expected permission with `ruby -e 'require "yaml"; workflow=YAML.load_file(".github/workflows/publish.yml"); abort("missing bump job") unless workflow.dig("jobs", "bump-pre_release-version", "permissions", "pull-requests") == "write"; puts "bump permissions OK"'` and it succeeded.
- Ran ActionLint via `go run github.com/rhysd/actionlint/cmd/actionlint@v1.7.8 .github/workflows/publish.yml` and received no actionable errors.
- Ran `git diff --check` to ensure no whitespace/format issues and it succeeded.
* Harden pre-release bump job: validation, retries and PR fallback
### Motivation
- Make the `bump-pre_release-version` job more robust by validating prerelease version formats and failing early on unexpected inputs.
- Handle protected branches gracefully by attempting direct pushes with retries and falling back to creating a pull request when direct push is blocked.
- Ensure the workflow has the permissions required to open PRs when needed.
### Description
- Added `pull-requests: write` to the job `permissions` so the workflow can create PRs when required.
- Hardened the bump script with `set -euo pipefail` and a strict regex that validates and extracts `BASE_VERSION`, prerelease tag, and number using `BASH_REMATCH` before incrementing the prerelease counter.
- Simplified and made file reads safer by using input redirection for `tr` and improved error messages for missing or malformed version files.
- Reworked commit/push logic to set a commit message variable, attempt direct pushes with exponential backoff and detection of branch-protection errors, and when rejected create a dedicated bump branch and open a PR via `gh pr create`.
### Testing
- Validated the modified workflow YAML with a YAML linter; no syntax errors were reported.
- Executed the updated bump logic in a CI dry-run (workflow syntax validation on GitHub Actions) and the workflow file was accepted by the Actions syntax checks.
* Add manual workflow triggers and robust pre-release bump with protected-branch fallback
### Motivation
- Allow manual invocation of PR and chart CI workflows via `workflow_dispatch` for on-demand runs.
- Make the pre-release version bump process more robust and reliable when `refs/tags/v*` releases are published.
- Ensure the bump can proceed even when the target branch is protected by creating an automated pull request and running PR checks.
### Description
- Added `workflow_dispatch` to `.github/workflows/pr.yml` and `.github/workflows/chart-ci.yml` to support manual runs.
- Extended `bump-pre_release-version` job in `.github/workflows/publish.yml` to request `actions: write` and `pull-requests: write` permissions.
- Rewrote the bump script to use `set -euo pipefail` and a single regex validation to parse and increment prerelease versions (e.g. `1.2.3-alpha.4`), update `.sure-version`, and update `charts/sure/Chart.yaml` reliably.
- Improved commit and push flow by adding `GH_TOKEN`, using a consistent commit message variable, attempting direct pushes with retry and rebase, detecting branch-protection failures, and falling back to creating a bumped branch and an automated PR via `gh pr create`; the workflow also dispatches `pr.yml` and `chart-ci.yml` runs for the created branch.
### Testing
- No automated tests were run as part of this change; behavior will be exercised when the workflow creates a bump PR or when workflows are manually triggered via the new `workflow_dispatch` events.
|
||
|
|
3ccb82ef9d |
fix(imports): import Actual rows with blank payee (#2282)
* fix(imports): import Actual rows with blank payee Actual Budget exports reconciliation and starting-balance rows with a blank Payee. ActualImport mapped the row name straight from the Payee column with no fallback (unlike Import and MintImport), so a blank Payee produced a blank Entry name. Entry requires a name, and import! wraps all rows in a single transaction, so one blank-payee row failed validation and rolled back the entire import -- surfacing only a generic "Import failed" while the worker logged "done". Fall back to the Notes column (which carries text like "Reconciliation balance adjustment") and then to the default row name, matching the blank-name handling already used by the base importer and MintImport. Add a blank-payee row to the Actual fixture and regression tests covering the Notes fallback, the default fallback, and an end-to-end import that no longer fails on blank-payee rows. * ci(security): skip calendar-based brakeman Rails EOL check The scan_ruby job fails because brakeman's CheckEOLRails warns that Rails 7.2.3.1 reaches end of life on 2026-08-09. That check fires purely on the calendar -- it warns 60 days before the EOL date and escalates in confidence as the date nears (brakeman/checks/eol_check.rb) -- so it turns `bin/brakeman` (exit code 3) red on every branch and on main regardless of the code being scanned. Add config/brakeman.yml (auto-loaded by `bin/brakeman`) skipping only CheckEOLRails. CheckEOLRuby is left enabled because the current Ruby is not near end of life, so that signal is preserved. A TODO records that the skip should be removed when Sure upgrades off Rails 7.2. |
||
|
|
f25fe30a41 |
feat(ai): honor Setting.llm_provider for batch and PDF flows (#2265)
Auto-categorization, merchant detection/enhancement, and PDF/bank-statement extraction hard-coded Provider::Registry.get_provider(:openai), so selecting Anthropic (or running an Anthropic-only self-hosted install) left those operations using/missing OpenAI rather than the chosen provider. Add Provider::Registry.preferred_llm_provider, which resolves the LLM provider honoring Setting.llm_provider with a configured-provider fallback (mirroring how chat picks its provider), and route all six TODO(#2113) call sites through it: - Family::AutoCategorizer#llm_provider - Family::AutoMerchantDetector#llm_provider - ProviderMerchant::Enhancer#llm_provider - PdfImport (process_pdf + extract_bank_statement) - Assistant::Function::ImportBankStatement Provider::Anthropic already implements auto_categorize / auto_detect_merchants / enhance_provider_merchants (#1984) and process_pdf / extract_bank_statement (#1985), so no provider changes are needed — only the wiring. Closes #2113. |
||
|
|
c375b8bf5c |
feat(ai): self-host settings UI for Anthropic provider (5/5) (#1987)
* feat(ai): add Anthropic provider with chat parity (1/5)
Introduces Provider::Anthropic alongside Provider::Openai, implementing
the LlmConcept chat_response contract over the official anthropic Ruby
SDK. Batch ops, PDF, and RAG land in follow-up PRs.
- Provider::Anthropic uses Messages API for sync and streaming responses
- ChatConfig builds requests with ephemeral prompt-cache markers on the
system prompt and the last tool definition
- MessageFormatter reconstructs multi-turn history (text + tool_use +
tool_result blocks) from raw Message records, including the paired
user-role tool_result turn Anthropic requires after every tool_use
- ChatParser maps Anthropic Message into the shared ChatResponse Data
- Registry, Setting, User, Chat default model wired for ANTHROPIC_*
envs and Setting.anthropic_*; LLM_PROVIDER selects between providers
- Responder forwards raw conversation_history (Array<Message>) so
providers without hosted conversation state can rebuild context
- OpenAI provider accepts and ignores the new kwarg (no behavior change)
Tests cover provider init, model gating, MessageFormatter for all turn
shapes, ChatConfig request building (max_tokens, system cache, tool
conversion), ChatParser for text / tool_use / mixed blocks, Registry
discovery, and mocked chat_response success / error / function_request
paths. Live VCR cassettes recorded in a follow-up with a real key.
Stacked PRs: 2/5 batch ops + cost ledger, 3/5 PDF, 4/5 pgvector RAG,
5/5 settings UI + disclosure.
* fix(ai): address PR review on Anthropic provider foundation
Surface fixes raised by Codex + CodeRabbit on PR 1/5:
- Provider::Anthropic#chat_response now accepts (and ignores) a
`messages:` kwarg. Assistant::Responder passes both `messages:`
(OpenAI-shape) and `conversation_history:` (raw Message records) for
cross-provider parity, so the previous signature raised
ArgumentError on the first chat turn through the Anthropic provider.
- Provider::Anthropic#supports_model? bypasses the `claude` prefix
gate when a custom base_url is configured, mirroring the OpenAI
provider. Bedrock-shaped IDs like
`anthropic.claude-sonnet-4-5-20250929-v1:0` and
`claude-opus-4@20250514` are otherwise rejected by
Assistant::Provided#get_model_provider and the chat dies.
- Setting.anthropic_access_token is now in
EncryptedSettingFields::ENCRYPTED_FIELDS so the Anthropic API key
is encrypted at rest like every other provider secret. Previously
plaintext while siblings (openai_access_token, twelve_data_api_key,
external_assistant_token) were ciphertext.
- Chat.default_model falls back to whichever provider is actually
configured. Previously, with LLM_PROVIDER=anthropic but no
Anthropic credentials, the default model resolved to a Claude ID
that no registered provider supported, so chats failed even when
OpenAI was fully configured. Adds Provider::{Anthropic,Openai}#configured?
class methods for the readable callsite.
- Provider::Anthropic.effective_model uses
`ENV["ANTHROPIC_MODEL"].presence || Setting.anthropic_model` so the
Setting lookup is only performed when the env var is absent — the
previous `ENV.fetch(KEY, default)` evaluated the default arg
eagerly on every call.
- Provider::Anthropic::ChatConfig#anthropic_input_schema strips both
`:strict` and `"strict"` keys so JSON-decoded schemas with string
keys cannot leak the OpenAI-only flag through to Anthropic.
Test coverage added: supports_model? bypass on custom endpoints,
chat_response messages: kwarg compatibility, default_model fallback
in the three credential combinations, configured? against ENV +
Setting, strict-flag stripping for both key types, and a
`Setting.expects(:anthropic_model).never` assertion proving the
ENV-precedence test now exercises the lazy path.
All 4365 tests pass (1 pre-existing libvips env error unrelated).
* test(chat): make default_model tests resilient to ENV model overrides
CodeRabbit flagged on PR review: the new default_model tests asserted
against Provider::*::DEFAULT_MODEL, but Chat.default_model actually
returns Provider::*.effective_model.presence (which reads
OPENAI_MODEL / ANTHROPIC_MODEL from the environment). With either env
var set, the tests would fail intermittently even though routing was
correct.
- New default_model tests now assert against the provider's
effective_model directly, so they verify the routing decision
(which provider's value wins) without coupling to the constant.
- Pre-existing "creates with default model" assertions had the same
brittleness; switch them to compare against Chat.default_model so
the chosen model is whatever the env / Setting cascade resolves to.
Verified by running `ANTHROPIC_MODEL=claude-haiku-4-5 OPENAI_MODEL=gpt-4o
bin/rails test test/models/chat_test.rb` — 16 runs, 0 failures
(previously 2 pre-existing failures + 0 from the new tests).
* fix(ai): address local review on Anthropic foundation
- Provider::Anthropic#supports_pdf_processing? bypasses prefix gate for
custom endpoints, mirroring supports_model?
- Provider::Anthropic#initialize raises Error when custom_endpoint? AND
model.blank?, parity with Provider::Openai
- stream_chat_response captures partial usage on mid-stream errors and
records it via the new on_partial callback so chat_response can skip
the duplicate error row in the outer rescue
- safe_accumulated_message swallows the secondary failure when the SDK
cannot reconstruct a snapshot
- langfuse_client memoizes properly (||= instead of =) so repeated calls
don't churn Langfuse instances
- MessageFormatter sorts tool_calls by created_at then id so the
message array is deterministic across replays; skips tool_calls
missing both provider_call_id and provider_id rather than sending
`id: nil` and getting rejected by Anthropic
- Setting.anthropic_access_token default falls back through
ENV["ANTHROPIC_API_KEY"].presence (was missing .presence, so an
empty-string env value bled through)
- User#openai_configured? / #anthropic_configured? delegate to the
Provider::* class methods — single source of truth
- Assistant::Responder renames the OpenAI-shape history builder
conversation_history → openai_messages_payload so the kwarg name
matches the local method name (messages: openai_messages_payload,
conversation_history: chat_message_records)
- Assistant::Builtin stale-history comment updated to reference both
builders
Adds a streaming chat_response test using ad-hoc subclasses of the
SDK event types so the case/when dispatch matches via is_a? without
stubbing class-level === behavior.
* test(ai): add Anthropic tool_use round-trip + multi-tool turn coverage
Addresses @jjmata's "worth confirming" note on PR #1983: tool-use turns
from prior assistant messages must round-trip correctly when retrieved
from the database.
- New `ChatParser → ToolCall::Function → MessageFormatter` test walks
the full path: Anthropic response with a tool_use block →
ChatFunctionRequest → ToolCall::Function.from_function_request →
persisted on the AssistantMessage → MessageFormatter rebuild on the
next turn. Asserts the original `tool_use.id` is preserved end-to-end
as both `tool_use.id` and the paired `tool_result.tool_use_id`, and
that the original `input` hash and serialized result content survive.
- New multi-tool assistant turn test confirms two tool_use blocks on a
single assistant message render as two tool_use blocks followed by
two paired tool_result blocks in a single user-role follow-up,
matching Anthropic's required alternation.
Both tests exercise the existing PR1 code without behavior changes.
* test(ai): require "ostruct" explicitly in Anthropic provider tests
OpenStruct is moving out of Ruby's default load path (warning in 3.4+,
removed in 3.5+). Tests work today because ActiveSupport transitively
loads it, but that's incidental. Match the existing convention in
test/controllers/settings/hostings_controller_test.rb which explicitly
requires ostruct for the same reason.
* fix(ai): sanitize Langfuse warn logs, normalize tool_use.input, dedup history fetch
Addresses three open CodeRabbit findings on PR #1983.
- Provider::Anthropic Langfuse rescue branches no longer include
`e.full_message` in `Rails.logger.warn`. `full_message` bundles the
backtrace + cause chain and on some SDK error types includes the
serialized request/response payload (prompt, model output). Logs
now report `#{e.class}: #{e.message}` only. Three sites:
create_langfuse_trace, log_langfuse_generation, upsert_langfuse_trace.
Note: Provider::Openai has the same pattern (copy-pasted source) —
harmonization deferred to a follow-up cleanup PR; this commit fixes
only the Anthropic provider to keep PR scope tight.
- MessageFormatter#parse_arguments now coerces any non-Hash parsed
result to `{}`. Anthropic's Messages API requires `tool_use.input`
to be a JSON object (map); a stored ToolCall::Function record whose
arguments parse to a scalar, bool, or array (corrupt row, legacy
data, cross-provider bleed) would otherwise produce a payload the
API rejects. Normal flow stores Hash arguments end-to-end so the
fix is defensive — adds 2 tests covering scalar/array JSON strings
and non-String non-Hash inputs.
- Assistant::Responder dedups the chat-history fetch. The previous
layout fired two near-identical `chat.messages.where(...).includes(
:tool_calls).ordered` queries per LLM turn (one for the OpenAI-shape
payload, one for the raw-records kwarg). A new memoized
`complete_chat_messages` fetches once; `chat_message_records` filters
out the current message via `Array#reject`, `openai_messages_payload`
iterates the cached array unchanged. One SQL query per turn instead
of two. Memoization scope = single Responder instance (per LLM call),
so cache invalidation is not a concern.
All 4370 tests pass (1 pre-existing libvips env error unrelated).
Rubocop + brakeman clean.
* fix(ci): replace sk-ant- prefixed test placeholders
Pipelock secret scanner pattern-matches `sk-ant-*` as a real Anthropic
API key and fails the PR security-scan check. Test stubs and
ClimateControl env values used `sk-ant-test`, `sk-ant-from-setting`,
`sk-ant-x`, `sk-ant-y` as obvious placeholders, but the scanner does
not care about value entropy.
Switched to `fake-anthropic-key-*` / `fake-token-*` strings so the
scanner stops flagging them. No production code touched, no behavior
change — Provider::Anthropic still accepts any non-blank token.
* feat(ai): add Anthropic batch ops + LLM cost ledger (2/5)
Implements auto_categorize, auto_detect_merchants, and
enhance_provider_merchants on Provider::Anthropic via forced tool calls,
plus the cost-ledger plumbing they need.
- Provider::Anthropic::AutoCategorizer, AutoMerchantDetector,
ProviderMerchantEnhancer each define a single output tool whose
input_schema mirrors the desired output, then force the model to call
it via tool_choice: { type: "tool", name: ..., disable_parallel_tool_use: true }.
Anthropic guarantees the tool_use.input matches the schema, so there
is no JSON parsing fragility, no <think> tag stripping, and no
json_object/json_schema fallback ladders.
- Concerns::UsageRecorder mirrors the OpenAI sibling but persists
cache_creation_input_tokens / cache_read_input_tokens to dedicated
columns instead of metadata.
- Migration adds cache_creation_tokens, cache_read_tokens (nullable
integers) to llm_usages. OpenAI rows leave them null.
- LlmUsage::PRICING gains Claude 4.x rows (opus-4-7 $15/$75, sonnet-4-6
$3/$15, haiku-4-5 $1/$5 per MTok). infer_provider returns "anthropic"
for claude-* via the existing exact/prefix lookup.
- Provider::Anthropic#chat_response now persists cache columns directly
rather than stashing them in metadata.
- 25-transaction batch cap mirrors the OpenAI provider so the cost
ledger sees the same shape regardless of which provider ran a batch.
Tests cover the forced-tool-call path, null/None normalization,
case-insensitive merchant matching, the missing-tool_use error path,
and Anthropic-specific pricing + provider inference on LlmUsage.
Stacked on #1983 (PR 1/5). 3/5 PDF + vision next.
* fix(ai): attribute Bedrock model IDs to anthropic + clean nil enum
- LlmUsage.infer_provider now returns "anthropic" for Bedrock /
Vertex shaped IDs (anthropic.* and anthropic/*), so cost-ledger
filtering by provider stays correct even when no per-MTok rate is
stored. Previously these IDs fell through to the "openai" default.
- AutoCategorizer drops the redundant nil sentinel from the
category_name enum — the union type [string, null] already permits
null, and some JSON Schema validators reject nil literals inside
enum arrays.
* test(ai): require "ostruct" in Anthropic batch op tests
Same rationale as the PR1 ostruct fix — explicit require so the tests
don't depend on ActiveSupport's transitive load when Ruby 3.5+ removes
OpenStruct from the default load path.
* feat(ai): Anthropic native PDF processing (3/5)
Implements process_pdf and extract_bank_statement on Provider::Anthropic
using the native `document` content block — no rasterization, no text
pre-extraction.
- Provider::Anthropic::PdfProcessor classifies the document, summarizes
it, and extracts statement metadata via a forced report_document_analysis
tool whose input_schema mirrors the existing Provider::Openai output
(document_type from Import::DOCUMENT_TYPES, summary, extracted_data).
- Provider::Anthropic::BankStatementExtractor returns the same
{ transactions, period, account_holder, account_number, bank_name,
opening_balance, closing_balance } shape via report_bank_statement so
downstream pdf_import code is provider-agnostic.
- Both attach the PDF as
{ type: "document", source: { type: "base64", media_type: "application/pdf", data: <b64> } }
— Claude 3.5+ / 4.x accept this natively (up to 32MB / 100 pages).
No pdf-reader, no pdftoppm, no chunking for typical statements.
- supports_pdf_processing? (introduced in PR 1) already returns true for
claude-* models, gating process_pdf with a clear error otherwise.
- Cost ledger rows are persisted via the shared UsageRecorder concern,
including cache_creation/cache_read tokens.
Tests verify the document block shape, tool_choice forcing, normalized
document_type for unknown classifications, transaction normalization
(date / amount / reference → notes), and the missing-tool_use error
path. Blank pdf_content raises before any client call.
Stacked on #1984 (PR 2/5). 4/5 pgvector RAG next.
* fix(ai): guard PDF size + surface bank-statement truncation
- PdfProcessor and BankStatementExtractor raise upfront when
pdf_content.bytesize exceeds MAX_PDF_BYTES (32 MB, matching
Anthropic's hard limit). Previously a 100 MB PDF would be
base64-encoded (~133 MB) and packed into the JSON body before
the API rejected it — peak heap ~270 MB per Sidekiq worker.
- BankStatementExtractor inspects response.stop_reason; when the
model hit max_tokens it logs a warning and flags result[:truncated]
so downstream callers know the transaction list may be incomplete.
- ISO date pattern added to statement_period_start/end schema in
PdfProcessor so the model can't return "March 2026" — Anthropic
enforces the regex via the tool's input_schema.
Tests cover the size guard (raises before any client.messages call),
truncated-result flagging, and the warning log path.
* test(ai): require "ostruct" in Anthropic PDF tests
Match the explicit ostruct require added in PR1/PR2 — same Ruby 3.5+
load-path reason.
* feat(ai): default Anthropic installs to pgvector RAG (4/5)
The provider-agnostic vector store stack (VectorStore::Pgvector + the
Embeddable concern) already shipped to main. This PR closes the
Anthropic loop:
- VectorStore::Registry.adapter_name now returns :pgvector when
Setting.llm_provider == "anthropic" and no explicit
VECTOR_STORE_PROVIDER override is set. Anthropic has no hosted vector
store, so falling back to the local pgvector adapter is the only
correct default. Explicit VECTOR_STORE_PROVIDER still wins.
- SearchFamilyFiles surfaces a longer message when no adapter is wired
up — calling out pgvector + EMBEDDING_URI_BASE as the supported
Anthropic-only path so the user is not stuck with an "OpenAI required"
hint that is no longer accurate.
The Embeddable concern already pulls embeddings from
EMBEDDING_URI_BASE / EMBEDDING_ACCESS_TOKEN (with OpenAI as fallback),
so Anthropic installs point this at Voyage AI, a local Ollama instance,
or OpenAI embeddings — independent of the chat provider.
Tests cover the new default routing, the existing OpenAI default
staying intact, and explicit VECTOR_STORE_PROVIDER overriding the
Anthropic default.
Stacked on #1985 (PR 3/5). 5/5 settings UI + retention disclosure next.
* feat(ai): self-host settings UI for Anthropic provider (5/5)
Adds the Anthropic panel and the install-wide LLM provider selector to
the self-hosting settings page, plus a shared data-retention
disclosure that covers both OpenAI and Anthropic.
- New _llm_provider_selector partial: select for Setting.llm_provider
(openai | anthropic), respects the LLM_PROVIDER env var (disables the
control + shows the "configured through environment variables" hint
when set, mirroring the existing OpenAI panel behaviour), and renders
a compact data-handling block with one-line retention statements for
each provider.
- New _anthropic_settings partial mirrors _openai_settings exactly:
password-field for the API key with **** redaction, optional
base_url (for AWS Bedrock / GCP Vertex), optional default model. All
three fields disable when their ENV var is set.
- show.html.erb renders provider selector + OpenAI panel + Anthropic
panel under the same "General" section so users can configure either
(or both) without switching pages.
- Settings::HostingsController#update now permits and persists
anthropic_access_token (ignoring the **** placeholder, same pattern
as OpenAI), anthropic_base_url, anthropic_model, and llm_provider
(validated against %w[openai anthropic]). On Setting::ValidationError
the rescue branch preserves anthropic_base_url / anthropic_model
input so the form re-renders with the user's typed values intact —
parity with the issue #1824 fix for OpenAI.
- Locale keys added under settings.hostings.{llm_provider_selector,
anthropic_settings}.
Tests cover token update + placeholder redaction, base_url + model
update, llm_provider switch to anthropic, and rejection of unknown
provider values. The existing GET render test still passes, exercising
all three new partials.
Closes the 5/5 Anthropic series stacked on #1986.
* fix(ai): valid Tailwind token + base_url URL validation
- Data-handling block in _llm_provider_selector swaps the invalid
bg-surface-secondary token for bg-container-inset, matching the
inset-card pattern used elsewhere in sure-design-system/components.css.
bg-surface-secondary is not defined anywhere in the design system —
Tailwind treated it as a no-op, so the block rendered with no
background contrast.
- Settings::HostingsController validates anthropic_base_url as a
URI::HTTP (catches https too) and raises Setting::ValidationError
with a localized message when the input is not parseable.
Previously any string was persisted, surfacing as an opaque
connection error at request time instead of an immediate UX failure.
- Blank base_url now clears the setting (was already the case but
exercised explicitly in tests now).
* fix(ci): replace sk-ant- prefixed token in hostings controller test
Same pipelock secret-scan trigger as PR1 fix on registry/anthropic
tests. The sk-ant-* prefix is matched verbatim by the scanner
regardless of value entropy.
* fix(ai): provision pgvector table when it is the default store
#1986 makes pgvector the default vector store for Anthropic installs, but
CreateVectorStoreChunks only ran when VECTOR_STORE_PROVIDER=pgvector was set
explicitly — so a fresh Anthropic-only install migrated without the
vector_store_chunks table and failed on uploads/searches.
Add VectorStore::Registry.pgvector_effective? as the single source of truth
for "is pgvector active?" (explicit env OR the Anthropic default), and a new
idempotent migration that enables the extension + creates the table whenever
pgvector is effective and the table is missing — covering fresh and
already-migrated installs without drift. Addresses Codex P1.
* fix(ai): provision pgvector table for Anthropic-default installs
Migration gated on raw VECTOR_STORE_PROVIDER==pgvector, so an
Anthropic-default install (which selects pgvector implicitly via
Setting.llm_provider without setting VECTOR_STORE_PROVIDER) skipped
table creation and failed later on a missing vector_store_chunks
relation. Route through VectorStore::Registry.pgvector_effective? —
the single source of truth already shared by the adapter selection.
Addresses Codex P1 review finding.
* fix(ai): provision pgvector chunks table on schema-load installs
The ensure-migration only helps db:migrate upgraders. Fresh installs go
through bin/docker-entrypoint's db:prepare, which loads schema.rb (the
conditional table can't be dumped there — it needs the vector extension)
and marks every migration applied without running it. An Anthropic-only
fresh install therefore selected the pgvector adapter but had no table,
failing with raw PG errors on first upload or search.
Two layers close it:
- VectorStore::Pgvector#ensure_schema! provisions the table idempotently
on first use (mirrors CreateVectorStoreChunks; memoized; failures wrap
in VectorStore::Error, which with_response turns into a clean failed
response).
- VectorStore::Registry#build_pgvector now gates on
VectorStore::Pgvector.available? (table exists, or extension present),
so installs whose Postgres lacks pgvector entirely degrade to the
assistant's provider_not_configured message instead of raising
mid-chat.
Also resolves the schema.rb version conflict against main (keep the
branch's 2026_06_01_120000, on top of main's current tables).
* fix(ai): address review nitpicks on pgvector provisioning
- Registry: update the adapter doc comment to mention the
Anthropic-to-pgvector default alongside the openai fallback.
- ensure_schema!: guard the DDL with if_not_exists instead of a Mutex.
Adapter instances are built per call and never shared across threads,
so the realistic race is two processes (web + Sidekiq) provisioning
concurrently; IF NOT EXISTS makes the loser a no-op where a Mutex
would only serialize threads inside one process.
* fix(ai): address review on Anthropic settings UI
- Require an Anthropic model when a custom base URL is saved, mirroring the
OpenAI branch. Auto-submit-on-blur could persist a base URL with no model,
making Provider::Anthropic raise "Model is required..." on every LLM call.
- Narrow the LLM provider selector copy: only chat honors Setting.llm_provider;
categorization, merchant detection and PDF processing still always use OpenAI.
Stop advertising provider switching for those flows until they are wired.
- Reset global Setting.* in test teardown to prevent state leakage, and add a
test covering the new base-URL-requires-model validation.
* feat(ds): conditional LLM provider settings + merged copy
The self-hosting AI section showed both providers' credential blocks at once
and duplicated near-identical copy. Tidy it:
- Replace the provider <select> with a DS::SegmentedControl driving a new
provider-settings Stimulus controller: only the active provider's panel is
shown; switching reveals the other instantly and persists Setting.llm_provider.
- Merge the two byte-identical data-retention lines into one provider-neutral
Data handling note.
- Scope the token-budget copy to OpenAI-compatible calls (read only by
Provider::Openai) and add an inline 'add a key to activate' hint when the
active provider is unconfigured.
UI-only; no provider behavior change.
* feat(ds): responsive LLM provider picker (tabs >=sm, select on mobile)
The segmented tabs overflow a phone viewport once there are 3+ providers
(measured: 4 labels want ~409px in a 319px column at 390px wide). Below sm,
fall back to a native <select> -- which doubles as the submitted field -- while
keeping the segmented tabs at sm and up.
Both controls bind to the same provider-settings Stimulus controller (the
select reads its value, the tabs read data-provider), so adding a 3rd/4th
provider scales on mobile with no layout math.
* fix(hostings): sanitize llm provider selector
* test(hostings): avoid brittle provider hint assertion
---------
Co-authored-by: sure-admin <sure-admin@splashblot.com>
|