* feat(mcp): add get/create/update tools for tags and categories
* test(mcp): add tests for tag and category assistant functions
* fix(mcp): harden category/tag assistant functions against bad tool input
* refactor(mcp): use UuidFormat.valid? instead of local UUID_PATTERN
* chore(mcp): remove account_filter component files that don't belong in this branch
* feat(mobile): add SureFontWeights design tokens
Introduce named font-weight tokens so widgets reference a DS tier instead
of a raw FontWeight, mirroring the web design system's Tailwind weight
utilities (font-medium / font-semibold).
- design/tokens/sure.tokens.json: add font.weight.medium (500) and
.semibold (600) as the canonical source.
- generate_sure_tokens.mjs: emit SureTokens.weightMedium / weightSemibold
(with a font-weight resolver + validation), regenerate sure_tokens.dart.
- sure_tokens_test.dart: assert the generated weights match canonical.
- Migrate the dashboard-area money/hierarchy sites onto the tokens
(net_worth_card, account_card, dashboard, recent_transactions,
transactions_list): FontWeight.w500 -> SureTokens.weightMedium,
FontWeight.w600 -> SureTokens.weightSemibold.
Weight-only; other screens adopt the tokens in their own polish PRs.
166 tests pass; flutter analyze: no new issues; token generator --check
is clean.
* build(tokens): regenerate web _generated.css for new font weights
Adding font.weight.medium/semibold to sure.tokens.json also flows through
the web token generator (bin/tokens.mjs), which emits --font-weight-medium
and --font-weight-semibold. Commit the regenerated _generated.css so the
tokens:check gate stays green (node bin/tokens.mjs + git diff --quiet).
* test(system): de-flake account edit via account-menu
AccountsTest#assert_account_created opened the account menu and clicked
Edit immediately after visiting the account page. That page issues a
Turbo morph refresh shortly after load (turbo_refreshes_with :morph
reacting to a family-stream broadcast), which can detach the menu node
mid-click — "Selenium::WebDriver::Error: Node with given id does not
belong to the document" — or wipe the just-opened edit form. Capybara
does not auto-retry that inspector error, so the test flaked
intermittently in CI.
Extract open_account_edit_dialog, which retries the menu interaction
until the edit form is present, rescuing the transient detach/stale
errors. Mirrors the existing PropertyTest#open_account_edit_dialog
precedent for the same morph race, but also tolerates the click itself
raising while the refresh is in flight.
fix(settings): preserve scroll position in settings nav
The settings nav scrolled back to the top on every Turbo navigation.
preserve-scroll was applied to the nav element itself, but that element has no overflow - scrollTop was always 0, so nothing was ever saved.
Apply preserve-scroll to the actual scrollable container (the sidebar div with md:overflow-y-auto) and give it an id so the controller can key the saved position.
* fix(tinkoff): resolve the tradeable listing and price bonds via BondBy
Validated against the live T-Invest API and fixed three correctness issues in
Provider::TinkoffInvest:
- FindInstrument returns several listings per ticker (e.g. SBER on TQBR plus
dark/non-API boards 37M/SPEQ); only the apiTradeAvailableFlag listing has live
prices. resolve_short now ranks tradeable-first (then requested-MIC, then exact
ticker/ISIN) instead of taking the first match, so GetLastPrices/GetCandles
return data. Search now surfaces only tradeable instruments.
- find_instruments no longer hard-filters on apiTradeAvailableFlag, so a
qualified-investor instrument Tinkoff lists but can't API-trade still resolves
(for logos) and otherwise falls back to another price provider.
- Bond nominal comes from BondBy (the generic GetInstrumentBy omits it),
returning the current amortized nominal so percent-of-par converts correctly.
Verified end-to-end: SBER 313.65, T 282.76, LQDT 2.019, and the SFO Split bond
(amortized nominal 417.71) all price; logos resolve to real CDN PNGs.
* fix(tinkoff): honor requested MIC first, guard amortizing bonds, strip suffix
Address review feedback on the resolution/pricing path:
- resolve_short now ranks a requested-MIC match BEFORE tradeability, so a
security is never priced off another exchange's listing (e.g. a MISX security
no longer picks up a tradeable XSPX board's price); tradeability and exact
ticker/ISIN remain secondary tie-breaks.
- Amortizing bonds: BondBy returns only the current nominal, so applying it to
historical percent-of-par closes would underprice them. For amortizing bonds
we now return only the live price and skip the candle history; fixed-par bonds
and equities keep full history. bond_info exposes nominal + amortizationFlag.
- Strip exchange suffixes (.ME/.MOEX/.MISX/.MCX) before querying T-Invest, which
only knows the bare SECID — so a stored "T.MOEX" ticker resolves to "T".
* fix(tinkoff): don't cache nil resolution results (skip_nil) so a transient empty response isn't locked in for the 24h TTL
* feat(mobile): add SureCard primitive and migrate account cards
SureCard mirrors the web card chrome — `bg-container` + a hairline border +
rounded corners + the subtle DS shadow (`shadowXs`, from the scale shipped in
#2349) — resolved from the active SureColors palette so it stays in lockstep with
`sure.tokens.json` in light and dark. An optional `onTap` gives a flat ink
response clipped to the card radius.
Migrates AccountCard off the Material `Card` to `SureCard`.
Refs #2235.
* fix(coinstats): deterministic wallet batch order in bulk fetches
The bulk balance/transaction fetches built the "blockchain:address" param in
linked-account query order, which isn't stable across runs — so the batched
param (and its mocked expectations) varied seed to seed, intermittently failing
CoinstatsItem::ImporterTest and red-flagging unrelated PRs. Sort the wallets
before joining so the batch order is deterministic, and align the test
expectations to the sorted order.
* fix(mobile): tokenize swipe-reveal radius + cover SureCard dark theme
Address PR review:
- The account-card swipe-reveal background still used a hardcoded radius (12)
that mismatched SureCard's radiusLg (10) once the card was migrated — tokenize
it so the reveal corners line up during the swipe.
- Parameterize the SureCard chrome test over light + dark, since the card is
brightness-aware (catches palette regressions in either mode).
* test(mobile): assert SureCard onTap ink is clipped to the card radius
Address review nit: the onTap test claimed the ink is clipped to the card but
only checked the InkWell exists. Now it asserts the InkWell's borderRadius equals
SureTokens.radiusLg (tester.widget already enforces a single InkWell).
* feat(up): add Up Bank (AU) provider integration
Adds Up Bank as a per-family, token-based bank sync provider, modelled on
the existing Akahu integration. Up uses a JSON:API REST API with a personal
access token (Bearer), cursor pagination via links.next, and returns both
HELD (pending) and SETTLED transactions from one endpoint.
New:
- Provider::Up client (JSON:API unwrap, links.next pagination, retries,
typed errors, /util/ping) + Provider::UpAdapter (Factory-registered,
Depository + Loan).
- UpItem / UpAccount models with Provided, Unlinking, Syncer,
SyncCompleteEvent, Importer, Processor, Transactions::Processor, and
UpEntry::Processor (amount sign flip, HELD->pending, foreignAmount FX,
merchant from description, stale-pending pruning).
- Family::UpConnectable, UpItemsController, routes, settings panel + connect
flow views, accounts index wiring, initializer, en locale, and model tests.
Core wiring:
- "up" added to Transaction::PENDING_PROVIDERS, the three pending-match SQL
blocks in Account::ProviderImportAdapter, Provider::Metadata::REGISTRY,
ProviderMerchant/DataEnrichment source enums, ProviderConnectionStatus,
settings provider panels, and financial data reset.
Migration create_up_items_and_accounts must be run before use. No external
API endpoints added (no OpenAPI changes).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* fix(up): dump up tables to schema and make since filter TZ-safe
The feature commit added the up_items/up_accounts migration but never
re-dumped db/schema.rb, leaving the schema version and tables stale.
Add the two table definitions and foreign keys and bump the schema
version so a fresh DB load matches the migration.
Also format a bare Date `since` as UTC midnight instead of the server's
local zone, so `filter[since]` is deterministic regardless of where the
app runs (previously shifted by the local UTC offset).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* fix(up): address code review feedback
Behavior/correctness:
- Persist skipped accounts via a new up_accounts.ignored flag and a
needs_setup scope, so skipped accounts stop resurfacing as "needs
setup" on every sync. Linking clears the flag.
- destroy now checks unlink_all! per-account results and aborts deletion
(alert) if any unlink failed, instead of swallowing failures.
- render_provider_panel_error redirect uses :see_other (was an invalid
4xx redirect status).
- Up provider adapter falls back to item institution name/url when
institution_metadata is absent (early return previously blocked it).
Resilience/security:
- fetch_all_resources guards against an API repeating the same
links.next cursor (Set#add?), preventing infinite pagination.
- HTTP client validates absolute URLs (from links.next) against Up's
HTTPS host before sending the bearer token, preventing credential
leakage to untrusted hosts.
Diagnostics:
- Route provider sync/import failures through DebugLogEntry.capture
(controller, UpItem, syncer, unlinking) with family/account context.
Low-level HTTP client and currency-normalization warnings keep
Rails.logger to match existing provider conventions.
Data integrity:
- up_accounts.name and currency are NOT NULL (align with model presence
validations); account_id stays nullable (allow_nil uniqueness).
Forms:
- select_existing_account radio is required; controller guards a blank/
unknown up_account_id with a friendly alert instead of RecordNotFound.
Tests:
- Add UpAccount needs_setup scope test, pagination loop guard test,
untrusted-host rejection test; tighten filter[since] assertion to the
exact UTC timestamp.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* fix(up): address second-round review feedback
- Capture sync/import failures via DebugLogEntry so swallowed errors in
account/transaction fetching and transaction processing surface in
/settings/debug instead of only Rails.logger.
- Gate UP_DEBUG_RAW raw payload dump to local envs to avoid leaking PII
(merchant names, amounts, account IDs) in managed/production logs.
- Collapse linked/unlinked/total account counts into one memoized query
instead of 3 separate COUNTs per rendered item.
- Rename "Set Up Up Accounts" locale title to "Link Up Accounts".
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
* docs(up): add method docstrings and align failed_result keys
Add docstrings to all Up provider source files (controller, models,
providers, concerns) to satisfy the 80% docstring coverage threshold.
Third-round review: failed_result now mirrors import's result shape
(accounts_updated/created/failed, transactions_imported/failed) instead
of the stale accounts_imported key, so failure results stay consistent.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Build fresh API session contexts instead of reusing persisted web sessions that may carry impersonation state.
Reject deactivated report export API key owners and strengthen regression coverage for API key, OAuth, and report export authentication paths.
Adds Provider::TinkoffInvest, a token-based securities provider built on the
public T-Invest REST gateway (invest-public-api.tinkoff.ru/rest). It serves
prices for Russian instruments (shares, ETF/БПИФ, bonds) and, crucially, brand
logos via the T-Invest CDN — the authoritative logo source for MOEX
instruments, which ISS (MoexPublic) does not provide.
- Registry: register `tinkoff_invest` under the :securities concept; token via
ENV TINKOFF_INVEST_API_KEY or encrypted Setting.tinkoff_invest_api_key.
- Logos independent of the price provider: Security#import_brand_logo consults
T-Invest for a logo whenever a token is configured (after the price-provider
metadata fetch, so it never short-circuits website_url backfill). Gated on
token presence, not the securities checklist.
- display_logo_url: with no website domain, a stored provider logo (T-Invest)
now beats the ticker-only Brandfetch lettermark; when a domain exists,
Brandfetch still wins (unchanged).
- MoexPublic no longer reports moex.com as the issuer website — it's the
exchange, not the issuer, and would make Brandfetch render the exchange logo
for every instrument and shadow the real brand logo.
- Prices: GetCandles (daily, paged) + GetLastPrices; Quotation units+nano/1e9;
bonds priced as percent-of-par x nominal (missing nominal raises, not 0).
- Settings: encrypted token field (always shown) + provider checkbox + en locale.
- Tests for search/info/logo-url/prices/bond/incomplete-candle and display logic.
Co-authored-by: Claude <noreply@anthropic.com>
* perf(reports): avoid residual category lazy loads
* test(reports): reuse SQL query capture helper
Move the reports SQL capture regression helper into test/support and document the category loading and budget reload choices called out in review.
* perf(dashboard): streamline investment activity totals
* fix(dashboard): skip empty investment totals cache writes
Short-circuit empty investment account totals before cache fetch and move the new SQL query capture regression helper into test/support.
* refactor(dashboard): address review on investment totals query
- Drop defensive ArgumentError guards in InvestmentStatement::Totals#initialize.
The sole caller (totals_query) always passes correct types, and the
empty_result early-return already handles the zero-accounts case.
- Remove the redundant accounts JOIN and its family_id/status filters from the
aggregation SQL. account_ids is already scoped to the family's visible
(draft/active) investment accounts, so the join back to accounts is
unnecessary work in the query plan. Drop the now-unused family_id param.
- Add a regression assertion that the aggregate no longer joins accounts.
* feat(prices): add Moscow Exchange (MOEX ISS) securities + FX provider
Add Provider::MoexPublic, a keyless provider built on the free MOEX ISS API
(https://iss.moex.com/iss), modeled on Provider::BinancePublic.
Securities: shares, funds/ETF/БПИФ (e.g. LQDT), and bonds (OFZ + corporate).
Bonds are priced clean — LAST% × FACEVALUE / 100 in the instrument currency,
with per-row FACEVALUE for amortizing issues; NKD/accrued coupon excluded.
Exchange rates: also implements ExchangeRateConcept for RUB↔{USD,EUR,CNY} via
selt TOM instruments (USD000UTSTOM/EUR_RUB__TOM/CNYRUB_TOM); the selt quote is
X/RUB, inverted for RUB→X, nil for non-RUB-crossed pairs.
Details:
- Board/engine resolution via the ISS primary-board flag with a hardcoded
priority fallback (TQBR, TQTF, TQOB, TQCB, …).
- Instrument currency from CURRENCYID/FACEUNIT (handles USD/CNY eurobonds &
FX funds), normalizing legacy SUR/RUR → RUB; default RUB.
- Full history via from/till + start= pagination; current price fallback chain
LAST → MARKETPRICE → LCURRENTPRICE → LCLOSEPRICE → PREVPRICE → latest history
close.
- Bare SECID identity, exchange_operating_mic=MISX, country_code=nil (wildcard
like Binance); search accepts .ME/.MOEX/.MISX/.MCX aliases and ISIN.
- RateLimitable throttling, SslConfigurable, Faraday retry/timeouts; all public
methods wrapped in with_provider_response.
Wired into Provider::Registry for both :securities and :exchange_rates, the
hosting provider-selection UI, locales, and config/exchanges.yml (MISX).
Docker-tested (devcontainer, Ruby 3.4.9): 29 new tests green, full provider
suite + i18n green, rubocop clean; smoke-tested against live ISS (SBER price,
OFZ clean price, USD/RUB FX).
* fix(moex): address review — FX weekend lookback, dead branch, translated hints
- fetch_exchange_rate now fetches a 10-day lookback window (not just the exact
day) so a weekend/holiday request resolves to the prior trading day's close,
matching Yahoo's behavior (Codex P2).
- Remove dead identical if/else branches in history_row_price (CodeRabbit).
- Translate moex_public_hint into ca/fr/hu/vi/zh-CN instead of English copy
(CodeRabbit).
- Add a test covering the FX prior-trading-day lookback.
* fix(moex): guard ISS date parsing; doc TQTE in board priority
Address maintainer review (jjmata):
- parse_iss_date wraps Date.parse so a malformed ISS TRADEDATE skips just that
row (with a contextual log warning) instead of failing the whole history/FX
fetch. Used in history_row_price and fx_history.
- Add TQTE to the BOARD_PRIORITY doc comment (it was in the constant but missing
from the comment).
- Add a test covering the unparseable-date skip.
* fix(prices): resolve dashed crypto tickers (BTC-USD, TRX-USD) via BinancePublic
Provider::BinancePublic is the dedicated crypto price provider, but its
search_securities only matched bare base assets ("BTC") or unseparated
Binance pairs ("BTCUSDT"/"BTCUSD"). The canonical "<BASE>-USD" form that
Yahoo emits and users paste (e.g. "TRX-USD", "USDT-USD") never matched, so
those holdings fell through to an unpriced offline security whenever the
stock provider didn't also return the coin.
Collapse the base/quote separator in the search query (and strip it in
parse_ticker) so "BTC-USD" / "TRX/USDT" are treated like "BTCUSD" and
resolve to live Binance pricing. Stablecoins pasted as "USDT-USD" resolve
to the synthetic USD price via their stripped base.
* fix(prices): only synthesize stablecoin search for USD quote
Address review: gate the synthetic stablecoin result on a USD quote (bare
coin or "<coin>USD" form). A non-USD quote like "USDTEUR" / "USDT-EUR"
has a real Binance pair and now falls through to normal matching instead of
being replaced by the USD synthetic. Drops the now-unused base_asset_query
helper. Adds a USDT-EUR regression test.
Import::UploadsController#update persists CSV uploads with
save!(validate: false), which skips the before_validation
:ensure_utf8_encoding callback. Non-UTF-8 files (e.g. ISO-8859-1 /
Windows-1252 exports from Brazilian banks) were written to the text
column as-is and rejected by Postgres with PG::CharacterNotInRepertoire,
surfacing as a 500 during upload.
Also register ensure_utf8_encoding on before_save so the existing
normalization (rchardet detection + Latin-1/Windows fallback) still runs
when validations are skipped. The callback is idempotent and no-ops on
valid UTF-8, so the validated path is unchanged.
Fixes#2294
* fix(assistant): include transaction name in get_transactions MCP output
get_transactions already loads `entry = txn.entry` but only emits
`merchant`, which is null unless a merchant is assigned. As a result MCP
clients receive transactions with no identifying name. Add `entry.name`
(the description shown in the UI and returned by the REST API) at zero
extra query cost.
* fix(assistant): include transaction name in get_transactions MCP output
get_transactions already loads `entry = txn.entry` but only emits
`merchant`, which is null unless a merchant is assigned. As a result MCP
clients receive transactions with no identifying name. Add `entry.name`
(the description shown in the UI and returned by the REST API) at zero
extra query cost.
Replaces window.location.href with Turbo.visit for SPA-consistent
navigation, matching the pattern used across internal navigation in
the codebase (selectable_link_controller, trade_form_controller, etc.).
The Account#subtype= writer delegates to accountable&.subtype=, which is a
silent no-op while the accountable is nil. On create the accountable is built
from accountable_attributes via accepts_nested_attributes_for, but the form
submits subtype as a top-level account attribute. Mass-assignment applies
subtype before accountable_attributes, so the selected subtype was dropped on
create (update worked because the accountable already exists).
Build the accountable from the delegated type inside the writer when it is not
yet present, so the value is preserved; the later accountable_attributes
assignment (update_only) updates the same record.
Add regression tests covering the create flow and the assignment ordering.
Adds YnabImport (mirroring ActualImport) for YNAB "Export budget" register CSVs:
- Amount — combines the split Outflow/Inflow columns into a single signed amount
(inflow - |outflow|), stripping currency symbols and thousands separators. A
single signed Amount column takes precedence when present.
- Category — resolves across export shapes: the combined "Category Group/Category"
column, the split "Category Group" + "Category", or legacy YNAB 4
"Master Category" + "Sub Category".
- Names — falls back from a blank Payee to the Memo, then the default row name.
- Validation — requires at least one amount source (Outflow/Inflow or Amount); a
file exposing none leaves rows un-clean instead of importing zero-dollar entries.
Enables the previously-disabled YNAB option on the imports screen (using the YNAB
logo, like Mint) with its configuration partial, and removes the now-dead
imports.new.coming_soon locale key. Documents the type in the API import-type
enums (rswag request spec + swagger_helper + generated openapi.yaml).
Closes#1255.
* feat(security): warn when ActiveRecord encryption is not configured
Self-hosted instances without explicit ACTIVE_RECORD_ENCRYPTION_* keys (or Rails credentials) store sensitive columns - API keys, provider/bank tokens, the MFA (TOTP) secret, and PII - unencrypted at rest. The app boots and works normally so this plaintext at rest state is easy to miss.
Change: Make it visible:
- log a clear startup warning (config/initializers/encryption_warning.rb)
- show a warning banner on /settings/security when encryption is unconfigured
* refactor(security): apply review feedback on encryption warning
- list the three ACTIVE_RECORD_ENCRYPTION_* keys in the banner, rendered via the DS::Alert content block to match the log
- drop the redundant respond_to?(:self_hosted?) guard in the initializer so it matches the controller check
- add a managed-mode test asserting the banner is hidden
When a rule is re-applied from the UI, RulesController passes
ignore_attribute_locks: true, but Enrichable#enrich_attributes still
rejected locked attributes unconditionally, so locked (manually edited
or import-locked) transactions were silently skipped and reported as
blocked.
Thread the flag through enrich_attribute/enrich_attributes as a new
ignore_locks keyword (default false, so provider syncs and AI
enrichment keep respecting locks) and pass it from the six synchronous
rule action executors.
Fixes#2051
* fix(jobs): enqueue jobs after transaction commit to fix SyncJob deserialization race
Syncable#sync_later creates a Sync row and enqueues SyncJob inside the
same transaction. Rails 7.2 deferred such enqueues until commit by
default; Rails 8.0 changed the default to enqueue immediately and 8.1
left the global config toggle non-functional, so a worker could dequeue
the job before COMMIT, fail to resolve the Sync GlobalID
(ActiveJob::DeserializationError), and have it silently dropped by
discard_on -- surfacing as stuck syncs after the Rails 8.1 upgrade.
Set enqueue_after_transaction_commit = true on ApplicationJob (the
Rails 8.2 default, inherited by every job) and drop the dead :never
symbol override on DestroyJob. Add regression and invariant tests.
* test(jobs): use OpenStruct for DestroyJob failure case
Replace the bare mock and the respond_to? expectation (an implementation
detail of how DestroyJob probes the model) with an OpenStruct that genuinely
responds to scheduled_for_deletion. Keeps only the command-facing assertions:
destroy raises and update! is called with scheduled_for_deletion: false.
Matches the repo convention of preferring OpenStruct for mock instances.
* test(snaptrade): assert connection-cleanup enqueue defers until commit
SnaptradeAccount#after_destroy enqueues SnaptradeConnectionCleanupJob, which
references the item/account by id. Before the ApplicationJob fix, Rails 8.1
enqueued it immediately inside the destroy transaction, so a worker could run
before COMMIT, see the not-yet-deleted row in its shared-authorization guard,
skip the provider call, and leak the SnapTrade connection. This regression
test destroys an account inside a transaction and asserts the job is not
enqueued until the transaction commits.
* feat(dashboard): masonry packing + per-widget size controls
In two-column mode the dashboard used a row-based CSS grid, so cards
stretched to equal row height and left dead space (e.g. the Net Worth
chart padded out to match the tall Balance Sheet table). Replace the
row-based layout with masonry packing and add per-widget size guardrails.
- Masonry: CSS grid with computed row-spans + grid-auto-flow: dense, driven
by a dashboard-masonry Stimulus controller (ResizeObserver + turbo:frame-load).
The DOM stays a single flat list, so drag/keyboard reorder is unaffected.
Active only in multi-column mode; single column falls back to normal flow.
- Internal sizing: the net worth chart height is now driven by a
--dash-widget-h CSS var (fixes an inert flex-1) so the card no longer pads
out below the chart.
- Guardrails: per-widget layout metadata (col_span, grow, min_height,
width_toggle) in PagesController, with per-user overrides persisted under
preferences["dashboard_section_layout"], deep-merged so width and height coexist.
- Size menu: a hover control on size-capable cards — Width (Half/Full) for the
cashflow sankey and net worth chart, Height (Compact/Auto/Tall) for grow
widgets. The sankey defaults to full width.
Adds model + controller tests for preference persistence and i18n keys.
* refactor(dashboard): redesign size menu with segmented controls
The size menu used a plain radio list and a diagonal maximize-2 trigger that
collided with the cashflow sankey's modal-expand button. Replace it with a
layout-config popover: a sliders-horizontal trigger plus two labeled axis
groups (Width, Height), each rendered as a DS::SegmentedControl with the
active option filled. Clearer, more compact, and it reads as a card-layout
control. The widget-size controller now mirrors the segmented control's
active-class + aria-pressed contract.
* feat(dashboard): expose width toggle on balance sheet and investments
Tables benefit from horizontal room, so give Balance Sheet and Investments
the same Width (Half/Full) control as the sankey and net worth chart. Height
presets stay chart-only — a table sized to a fixed height would just add
whitespace or force scrolling. The Outflows donut is intentionally left out
(full width is mostly whitespace for a donut).
* fix(dashboard): address review feedback on size controls
- Only apply the full-width col-span and show the Width control when the
two-column layout is enabled. A full widget previously leaked
2xl:col-span-2 into the single-column grid, creating an implicit second
column at 2xl widths and breaking the single-column preference. This also
keeps the Width control coherent with the Appearance two-column setting
(it now appears only where it does something). [Codex]
- Stop size-menu keydowns from bubbling to the section reorder handler, so
keyboard users can open the menu and pick options without entering
grab/reorder mode. [Codex]
- Harden preferences params: ignore a malformed (non-hash)
dashboard_section_layout / collapsed_sections instead of raising a 500,
and require section_order to be an array. [CodeRabbit]
- Localize the dashboard sections aria-label. [CodeRabbit]
* chore(settings): mention per-widget size controls in two-column copy
Surface the new per-widget width/height controls in the Appearance
"Two-column layout" description so the capability is discoverable.
* test(dashboard): assert non-mutation for malformed layout input
Addresses review feedback: asserting assert_nil made the test depend on
the fixture happening to have no dashboard height for net_worth_chart.
Capture the pre-PATCH value and assert it is unchanged, so the test
stays valid (malformed input ignored) even if the fixture later gets a
default height.
---------
Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: Guillem Arias <guillem.arias@col.vueling.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
* test: cover CoinStats missing-wallet balance preservation
* fix: preserve CoinStats balances when wallet data is missing
* chore: route CoinStats sync warnings to debug log
* docs: make debug log guidance timeless
---------
Signed-off-by: Juan José Mata <juanjo.mata@gmail.com>
Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
Commit 5d0eb7f4 replaced the color picker's DS::Disclosure with a raw
<details> because DS::Disclosure wraps its body in an mt-2 div, and that
normal-flow margin shoved the form down ~8px whenever the absolutely-
positioned picker popover opened. DS Drift Patrol flagged the raw
<details> in #2272 and #2316.
Add a body_class: option to DS::Disclosure (default mt-2) so callers can
drop the body margin, and migrate the color picker back onto the
component with body_class: nil. The summary's accessible name moves from
aria-label to an sr-only span in the summary content (verified: the
summary still reads as "Choose color and icon").
The LLM usage table (Settings → AI usage) and the rules recent-runs table
used hardcoded color classes instead of design-system tokens:
- `divide-gray-100` separators — a fixed light gray with no dark-theme
variant, so the row dividers render wrong in dark mode.
- Raw reds for failed rows (`bg-red-50`/`bg-red-950`, `text-red-500/600`).
Swap to the canonical tokens used by every other table (settings/debugs,
admin/users, …):
- divide-gray-100 -> divide-alpha-black-200 theme-dark:divide-alpha-white-200
- bg-red-50 / bg-red-950/30 -> bg-red-tint-5 / bg-red-tint-10
- text-red-* -> text-destructive (via the icon helper's color: param)
Token-only; no structural or behavior change.
Co-authored-by: Guillem Arias <guillem.arias@col.vueling.com>
The dialog close button rendered as a :md icon button (44x44px with a
20px glyph) — noticeably larger than the dialog's own action buttons
(36px tall) and visually heavy next to the title. Pass size: :sm so the
close control is 32x32px with a 16px glyph, matching the action row's
weight. 32px still clears the WCAG 2.5.8 (AA) 24px minimum target.
* fix(chat): clear the assistant message bubble when a turn is destroyed
When an assistant turn fails before any text streams (e.g. a provider
auth/model/network error on the first call), Assistant::Builtin#respond_to
destroys the still-pending message. Message only broadcast on create and
update, never on destroy, so the rendered 'Thinking…' bubble was never
removed — the chat appeared stuck thinking forever even though the job
had already errored (and appended an error via chat#add_error below it).
Add after_destroy_commit broadcast_remove_to so a destroyed message is
removed from the page.
* refactor(chat): trim destroy-broadcast comment to one line
Project convention asks for comments only when the why is non-obvious; the
behaviour is already covered by the commit/PR description. Per review feedback.
---------
Co-authored-by: Guillem Arias <guillem.arias@col.vueling.com>
* fix(settings): give the MCP copy button success feedback
The MCP server URL Copy button copied to the clipboard but showed no
feedback. It is a DS::Button (single icon), but clipboard_controller's
showSuccess() unconditionally toggled iconDefault/iconSuccess targets —
which that markup does not have — so it threw right after the copy and
the user saw nothing.
Guard the icon-swap path (still used by invite codes, MFA and profiles)
and add a fallback that briefly flips the button's own label to Copied!
via a new copiedText value. Wire it up on the MCP page.
* fix(settings): capture copy button before async clipboard resolve
event.currentTarget is null by the time the writeText().then() callback
runs (it's only valid during event dispatch), so showSuccess received
null and the label never flipped. Capture the button synchronously in
copy() and pass it through. Verified in-browser: Copy -> Copied! -> Copy.
* refactor(clipboard): unify feedback reset delay, harden label lookup
Extract a shared RESET_DELAY_MS so the icon-swap and label-flash paths last the
same duration when both copy buttons render on one page. Scope the label lookup
to span.truncate (the DS::Button text node) so it ignores any future icon span.
Per review feedback.
---------
Co-authored-by: Guillem Arias <guillem.arias@col.vueling.com>
The four inline (non-DS::Tooltip) tooltips had drifted: three used
p-2 rounded w-64, one used p-3 rounded w-72 with shadow-lg, and all used
rounded (4px) where DS::Tooltip uses rounded-md (6px). Unify them on
p-2 rounded-md w-64 — radius now matches DS::Tooltip and the lone
p-3/w-72/shadow-lg outlier is gone, so the dark tooltips read
consistently.
The cashflow sankey zoom-out button sat in a bare flex justify-start
row. Because the dashboard section body has no horizontal padding (just
py-4), the button rendered flush against the card's left edge — 16px
left of the section header title and out of line with the rest of the
widget. Add px-4 to the button row so it aligns with the header,
matching the _net_worth_chart widget's px-4 header row.
The dashboard two-column layout preference only added 2xl:grid-cols-2
(>=1536px), but the setting copy promises two columns on large screens.
On any display narrower than 1536px (most laptops, ~1280-1440px) the
toggle did nothing. Lower the breakpoint to xl (>=1280px) so it engages
on the screens users actually have while keeping widgets wide enough to
stay usable.
The goals status callout colored its entire body (icon, label and
context) with text-warning / text-success / text-secondary, so a
behind goal rendered as all-yellow text. That diverges from the
DS::Alert recipe, where tinted boxes keep neutral body text
(text-primary) and only the icon carries the status color. Drop the
text-* tokens from the container, add text-primary, and move the
warning/success color onto the icon via color:.
* chore(deps): upgrade Rails 7.2 → 8.1
Rails 7.2 reaches end of life on 2026-08-09. Bump the framework to the
current 8.1.x line.
- Gemfile: rails "~> 8.0" (resolves 8.1.3); bundle update rails pulls the
Rails 8 framework gems plus the bumps it requires — ViewComponent
3.23 → 4.x (Rails 8 support), rails-i18n 7 → 8, rswag, and transitive deps.
- app/models/transfer.rb: make Transfer#date nil-safe
(inflow_transaction&.entry&.date). Rails 8's date_field evaluates the
field default on a new/unpersisted Transfer (the new-transfer form), where
the association is nil; without this, TransfersController#new raises
"undefined method 'entry' for nil". Matches the &. pattern already used in
Transfer#sync_account_later.
Framework behavioral defaults are unchanged (config.load_defaults stays as-is).
Validated on Rails 8.1.3: zeitwerk:check passes, full suite green
(4904 runs, 0 failures, 0 errors), rubocop and brakeman clean.
* fix(rails8): style textarea + deterministic property edit system test
The Rails 8 gem bump kept config.load_defaults at 7.2, but Rails 8 renamed
two ActionView::Helpers::FormBuilder field helpers regardless of defaults:
:text_area → :textarea and :check_box → :checkbox. StyledFormBuilder builds
its styled helpers from `field_helpers`, so `form.text_area` (e.g. the
account "Notes" field) silently fell through to the unstyled base helper and
rendered without a label — failing 8 system tests with
`Unable to find field "Notes"`.
- app/helpers/styled_form_builder.rb: exclude both spellings of the
non-text helpers (:check_box and :checkbox) and alias the legacy
`text_area` to the Rails 8 `textarea` so existing call sites stay styled.
Harmless on Rails 7.2 (old names present instead).
- test/system/property_test.rb: open the property edit dialog via the
account menu with a retry. The account page issues a Turbo morph refresh
shortly after load (turbo_refreshes_with :morph + a family-stream
broadcast); opening the modal while that refresh is in flight let the
morph re-render the page and wipe the just-loaded #modal turbo-frame.
Rails 8 timing made the race deterministic. Retrying once the refresh has
settled makes the test stable (confirmed via Turbo frame-load vs
full-page morph event traces; 3x green in isolation).
- config/brakeman.ignore: the added comment block shifted the pre-existing
(already-ignored, Weak) class_eval Dangerous Eval warning from line 5 -> 10,
changing its fingerprint. Re-point the existing suppression to the new
fingerprint/line so scan_ruby stays green.
Validated on Rails 8.1.3: full system suite green
(92 runs, 355 assertions, 0 failures, 0 errors), rubocop clean,
brakeman 0 warnings, CodeRabbit no findings.
* chore(deps): pin rails to the 8.1 minor line (~> 8.1.0)
Tighten the constraint from `~> 8.0` to `~> 8.1.0` (>= 8.1.0, < 8.2) so a
future `bundle update rails` tracks the 8.1.x line rather than silently
jumping to 8.2 when it ships. Matches the upgrade plan's stated intent
(target 8.1.x for the EOL runway) and a review note on #2301.
No resolved-version changes: bundle install keeps rails at 8.1.3 and every
other locked gem unchanged — only the Gemfile.lock DEPENDENCIES constraint
line moves. zeitwerk:check still passes; the already-green unit/system
suites ran on this exact resolved tree.
* chore(rails8): adopt Rails 8.1 framework defaults (config.load_defaults 8.1)
The gem bump above kept config.load_defaults at 7.2 so the change set could be
reasoned about in stages; this finalizes the upgrade by adopting the modern
framework defaults now that the suite is green on Rails 8.1.
Rails 8.0 added no new framework defaults (there is no new_framework_defaults_8_0
template), so 7.2 -> 8.1 is the single meaningful step. No incremental
new_framework_defaults_8_1.rb opt-in file is needed: the full suites pass with all
8.1 defaults enabled at once.
The 8.1 defaults this turns on include action_on_path_relative_redirect=:raise
(open-redirect hardening), raise_on_missing_required_finder_order_columns,
escape_json_responses=false / escape_js_separators_in_json=false (JSON perf), and
Ruby-parser template-dependency tracking.
Validated with no application code changes: bin/rails test 4904/0/0,
bin/rails test:system 92/0/0, rubocop + brakeman clean.
* chore(ci): restore brakeman CheckEOLRails now that the app is on Rails 8.1
config/brakeman.yml existed only to skip brakeman's CheckEOLRails. That check
fires on the calendar (it warns 60 days before a framework's EOL and escalates
as the date nears), so Rails 7.2's 2026-08-09 EOL turned `bin/brakeman` red
(exit 3) on every branch and on main regardless of the diff. The skip carried a
TODO to remove it once Sure upgraded off 7.2.
This PR puts the app on Rails 8.1 (EOL well in the future), so the skip is
obsolete; remove the file (its sole content was the skip) in the same change that
makes it unnecessary -- no stale-config window. brakeman auto-loads the file when
present and falls back to defaults when absent, and nothing references it
explicitly. CheckEOLRuby was already enabled and is unchanged; config/brakeman.ignore
is untouched.
Validated on Rails 8.1: bin/brakeman runs EOLRails + EOLRuby, 0 warnings,
0 errors, exit 0.
The New-goal action row used mb-3 while the search row below it uses mb-4. When
search is hidden, the New-goal row is the last element before the grid, so the
gap-to-grid was mb-3; with search it was mb-4 -- inconsistent depending on
state. Bump to mb-4 so the gap is uniform either way.
(Audit Group-2 spacing: the other candidates did not hold up on inspection --
providers already has a space-y-4 gap, budgets' 'doubled' gap is correct
sequential spacing for 3 elements, dashboard's empty-state gap is unverifiable
without an account-less family. So this is the only real one.)
Consolidate the bespoke header card + filter card into one settings_section
(title + subtitle) -- the canonical surface + an h2 (was a second
<h1 font-semibold> below the layout's page-title h1, a heading-level + weight
break). The log table stays an edge-to-edge bg-container card on purpose
(settings_section's p-4 would inset it and float the thead).
Left as follow-ups: the filter inputs' 10x repeated class strings (shared
partial) and the bespoke empty state -> DS::EmptyState (needs #2143 on main).
Page is super-admin-gated (Admin::BaseController), not renderable in the demo;
verified via erb_lint + headless ERB compile + no-stray-markup grep.
Two literal-color outliers in app/views/settings/providers/, both fixed by
matching the sibling panels in the same directory:
- _mercury_panel: the per-item initial avatar used bg-blue-600/10 + text-blue-600.
Every other settings/providers panel renders this generic avatar neutral
(akahu/brex use bg-surface|bg-container-inset + text-primary). The literal blue
was also a dark-mode contrast risk. -> bg-surface + text-primary.
- _ibkr_panel: the 'not configured' status dot used a literal bg-gray-400 while
the sibling brex panel's equivalent dot uses the bg-surface-inset token (paired
with bg-success for the configured state). -> bg-surface-inset.
Token-only swaps, theme-safe, no layout change.
* Update trades api with support for additional types
* rubocop fixes
* fix missing amount validation for interest type
* define missing schema reference
* fix test api_headers to use display_key per guidelines
* expand test coverage
* replaced duplicate JSON response blocks with helper method
* Add DB assertions to linked transfer test and fix invalid date test
* update brakeman.ignore fingerpint for refactored code
* Update the Brakeman ignore note to document validation for newly permitted keys
* fix API key auth in Minitest test to follow correct pattern
* update required in trades rswag spec to match the minimum fields that apply to all types
* extract dividend handling from build_investment_trade_params to dedicated method
* adjust response format to use the existing jbuilder views for Transfers and Transactions
* normalize type before passing to create form
* validate amount as a positive numeric value + tests
* rubocop fixes
* Add missing Trades API test coverage and docs
- Add Minitest tests for withdrawal (422, transfer linking), interest
(explicit ticker), and dividend update
- Add rswag 401/403/404/422 response docs for create, update, destroy
- Regenerate docs/api/openapi.yaml
* Update Security.find line reference in brakeman.ignore note
* Mark TransactionResponse account_type as nullable in rswag docs
* feat(cashflow): deep-link category labels to filtered transactions
Clicking a category's text label in the dashboard cashflow Sankey chart
now navigates to the transactions page filtered by that category and the
cashflow's active period date range. The colored node bar keeps its
existing zoom-into-subcategories behavior; structural nodes (Cash Flow,
Surplus) do not navigate.
URL-building lives in a pure, unit-tested utils/transactions_filter_url
module (mirroring utils/sankey_zoom) pinned in the importmap. Period dates
are threaded from the dashboard view into the Stimulus controller via data
values. This matches the existing donut chart's click-to-filter behavior.
* Update app/javascript/controllers/sankey_chart_controller.js
Co-authored-by: Guillem Arias Fauste <gariasf@proton.me>
Signed-off-by: Will Wilson <will@willwilson.uk>
---------
Signed-off-by: Will Wilson <will@willwilson.uk>
Co-authored-by: Guillem Arias Fauste <gariasf@proton.me>
PlaidAccount::TypeMappable maps the Plaid loan subtypes "home equity",
"line of credit", and "business" to home_equity, line_of_credit, and
business — but Loan::SUBTYPES never defined them. Linking any such
account (e.g. a HELOC reported by the institution as loan/"line of
credit") makes the item's sync fail with:
Validation failed: Accountable subtype is not included in the list
and, because Link itself succeeded, the failure is silent in the UI
(same UX gap as #1792).
Add the three subtypes to Loan::SUBTYPES, and add a regression test
asserting every subtype emitted by TYPE_MAPPING is valid for its
accountable so the mapper and models can't drift apart again.
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
* fix(sharing): scope import account selects to accessible_by (#1803)
Three CSV / QIF account selects in import/uploads/show.html.erb and one
PDF-import account select in imports/_pdf_import.html.erb pulled their
options from `@import.family.accounts`. That listed every account in
the family — including the family admin's unshared personal accounts —
in the dropdown shown to any member running an import. Swap each call
site to `Current.user.accessible_accounts` (owned + explicitly shared
accounts only), matching the existing scoping used by the dashboard
sidebar, transactions controller, transfers controller, etc.
Adds a regression test that signs in as family_member and asserts the
unshared-account names from the dylan_family fixtures never appear in
the rendered upload page.
* test(import): scope leak assertions to account select (#2194 CodeRabbit)
CodeRabbit nitpick: assert_match on response.body could pass/fail on
text outside the account dropdown (sidebar, breadcrumb, error message,
etc.) and gave false confidence in the refute_match exclusions. Switch
to assert_select 'select[name="import[account_id]"] option', text: …
so the assertions only see the option nodes the leak test actually
cares about.
* test(import): cover PDF account-select scoping; pluck PDF partial (#2194 review)
jjmata: the _pdf_import.html.erb scoping change was not covered by the
existing test (which only hit /import/uploads). Add a regression test
hitting GET /imports/:id with a PdfImport fixture, asserting the
account dropdown options match accessible accounts only.
Also swap the PDF partial's accounts.map { |a| [a.name, a.id] } for
.pluck(:name, :id) to match the .pluck pattern the other three CSV/QIF
selects already use.
* test(import): stub pdf_uploaded? on PDF leak test (#2194 ci)
The new regression test hit ImportsController#show which redirects to
the upload page when @import.pdf_uploaded? is false. The pdf_with_rows
fixture has neither a pdf_file attached nor a statement, so the
redirect fired before the partial under test ever rendered, failing
with 302 in CI. Stub PdfImport#pdf_uploaded? to true so the test
exercises the account-select scoping path it was written to cover.
* fix(import): scope PDF form to :import so field names match (#2194 ci)
The PDF-import account-select form was `form_with model: import` with
no explicit scope. Because the model is a PdfImport, Rails derived the
param namespace from the class name, so the rendered field was named
`pdf_import[account_id]` — not `import[account_id]`. The
ImportsController#update action accepts either via
`params.dig(:pdf_import, :account_id) || params.dig(:import,
:account_id)` so live submissions still worked, but the regression
test added in 0685bbdf asserted on `select[name="import[account_id]"]`
and matched zero options.
Add `scope: :import` to align the rendered name with both the test
selector and the convention used by the CSV/QIF forms on the upload
page (which all use `scope: :import`).
* feat(mcp): add OAuth well-known discovery endpoints (RFC 8414 + RFC 9728)
Serves /.well-known/oauth-protected-resource (RFC 9728) and
/.well-known/oauth-authorization-server (RFC 8414) so MCP clients
can auto-discover the authorization server. Both endpoints are
unauthenticated and respect APP_URL for reverse-proxy deployments.
* feat(mcp): add dynamic client registration endpoint (RFC 7591)
POST /register creates a public Doorkeeper::Application on demand so
MCP clients (e.g. Claude.ai) can self-register without manual setup.
Validates redirect_uris (including blank entries), falls back to
"MCP Client" name, returns no client_secret (public client, PKCE only).
Rate-limited to 10 registrations/min/IP via Rack::Attack.
* feat(mcp): authenticate via Doorkeeper OAuth2, keep MCP_API_TOKEN as fallback
MCP endpoint now accepts OAuth2 Bearer tokens issued by Doorkeeper.
Falls back to the existing MCP_API_TOKEN env-var flow so self-hosted
deployments are not broken. Requires MCP_OAUTH_ENABLED or MCP_API_TOKEN
to be set — the endpoint returns 503 otherwise.
- OauthBase concern provides APP_URL-aware configured_base_url (trailing
slash stripped to prevent double-slash URLs)
- Bearer scheme parsed case-insensitively (RFC 7235)
- Only read_write scope accepted — read scope would allow mutating tools
(CreateGoal, ImportBankStatement), so read-only tokens are rejected
- Deactivated users rejected even with a valid Doorkeeper token
- WWW-Authenticate header on 401 points to RFC 9728 resource metadata
- SHA-256 digest used for constant-time env-var comparison
- Rack::Attack throttle added for POST /register
- Routes wired: /.well-known/*, /register, use_doorkeeper
* fix(mcp): disable Turbo on OAuth consent form for external redirect URIs
Turbo was intercepting the authorization form POST and XHR-fetching
the redirect_uri (e.g. https://claude.ai/api/mcp/auth_callback),
which CORS blocks. Extend the existing turbo_disabled guard to cover
any redirect_uri that doesn't originate from the app itself.
* feat(mcp): add Settings::McpController with connected clients view
- Settings > MCP page (under Advanced) shows the MCP server URL with
copy button and step-by-step instructions for connecting Claude.ai
- Lists active non-mobile OAuth tokens with app name and revoke action;
mobile device tokens are excluded to prevent accidental disconnection
- Removes the MCP_OAUTH_ENABLED env-var gate — OAuth auth is always
available since Doorkeeper handles consent; MCP_API_TOKEN remains
as a self-hosted fallback
* fix(mcp): remove client_credentials from grant_types_supported metadata
Only authorization_code is supported by the registration endpoint.
Advertising client_credentials was misleading — a client that reads
the metadata and attempts that flow would get an application with the
wrong grant type.
* feat(ds): one canonical focus ring across primitives (#2136)
Replaces the grab-bag of per-primitive focus indicators (neutral
ring-alpha-black/white, outline-gray-900/white, faint form-field ring-4)
with a single recipe — the #1737 accessibility follow-up.
- New --color-focus-ring token: blue-600 (light) / blue-500 (dark),
>=4:1 against both surfaces.
- Canonical .focus-ring / .focus-ring-within in components.css: a 2px
outline + 2px offset on :focus-visible only. Outline (not a box-shadow
ring) so the offset gap is transparent on any surface with no layout
shift; :focus-visible so it never shows for mouse/touch.
- Applied to every focusable DS primitive: Button (had none), Link,
Disclosure summary, Tabs nav, MenuItem (replaces the browser-default
box), SearchInput, Tooltip trigger, Popover trigger, Select panel
(focus-within), Toggle (peer-driven outline-focus-ring). .form-field
adopts it via :focus-within, replacing the ~1:1 ring-4.
- Dialog close button is a DS::Button icon variant, so it inherits the
focus-visible-only ring and keeps no resting border (fixes "stuck ring").
Verified in-browser, light+dark: focus-visible ring on button, input, and
full-width menu row — consistent blue 2px+offset, legible on both surfaces.
Remaining follow-up: >=44px touch targets (disclosure trigger, composer
send); bespoke notification / account-new close buttons that still carry a
permanent border.
* fix(ds): #2136 interactive-state follow-ups — touch target + close-button chrome
- Disclosure default trigger: add min-h-11 (44px) so the standalone disclosure
summary clears the touch-target minimum (was px-3 py-2 ~36px). Composer send +
the coming-soon icons are already DS::Button icon/md (w-11 h-11).
- Notification close buttons (sync_toast, notice): drop the resting
border-alpha-black-50 box ("frame shouts, glyph muted"); keep a bg-container +
shadow-xs chip so the corner control stays visible over the page, and brighten
the muted glyph on hover (text-subdued -> hover:text-primary).
* refactor(ds): focus ring -> neutral hugging box-shadow (was blue outline)
Per design feedback: the blue 2px outline + 2px offset read as a loud,
detached frame on the otherwise-neutral UI. Switch the canonical .focus-ring
to a soft box-shadow ring that hugs the control (follows border-radius, no
gap), in the theme-aware neutral focus-ring token (alpha-black/white-400).
Transparent outline kept as a forced-colors fallback; toggle peer-driver
switched from outline-* to ring-* to match. Still one token, :focus-visible
only. Strength is tunable (currently subtle ~1.5:1).
* fix(ds): focus ring vanished on shadowed controls — outline, not box-shadow
The neutral box-shadow ring lived in the components layer, so any utility-layer
shadow-* (or .form-field's focus-within:shadow-none) on the same element
overrode it and the ring silently disappeared on shadowed buttons/inputs. Draw
the same subtle neutral ring with a hugging `outline` (outline-offset: 0)
instead — a separate property with no box-shadow conflict, and it doubles as the
forced-colors indicator. Toggle peer-driver switched ring-* -> outline-* to
match. Look is unchanged (neutral, hugging, subtle); it just no longer vanishes.
* fix(a11y): enlarge sync-toast close-button touch target (p-0.5 -> p-1.5)
The hover-revealed close button had ~2px padding around a 20px icon (~24px
total), at the WCAG 2.5.8 AAA boundary. p-1.5 brings the interactive area to
~32px. Addresses CodeRabbit review on #2140.
* fix(ds): keep form-field's resting halo; stop the outline color flash
Two testing findings:
- .form-field reverts to its original always-on soft ring
(focus-within ring-4 at low alpha, theme-aware) instead of adopting
the keyboard-only outline. It's a resting decoration, not a focus
indicator, and the lower-opacity halo was the better look. The
canonical block's comment documents the deliberate opt-out.
- .focus-ring/.focus-ring-within now carry a base transparent 2px
outline so consumers with transition-all (form-field had it) animate
transparent -> token on focus instead of passing through
currentColor, which flashed as a black border appearing and then
fading out.
* feat(ds): focus-ring token clears WCAG 3:1 non-text contrast
alpha-black-400 (20%) measured ~1.6:1 against white — visible but below
the AA bar for focus indicators. Bump to the 700 stop (50%): ~3.95:1 on
light containers, ~4.6:1 on dark. Recipe unchanged; one token edit via
tokens:build.
* fix(ds): ring the hand-rolled privacy toggle too
The header pair showed two different focus treatments: panel-right (a
DS::Button) got the new token ring while the hand-rolled privacy
toggle next to it fell back to the browser-default ring — the sweep
covered DS primitives but not bespoke buttons. Both privacy toggles
(mobile + desktop) now carry .focus-ring.
Also documents the transition interplay on the focused-state rule:
consumers with transition-colors fade the ring in over 150ms because
Tailwind v4's color transition list includes outline-color. Verified
settled value at the intended 50% alpha via Playwright.
* fix(ds): ring the sidebar and settings nav links
The reshoot caught both nav species falling back to the browser's blue
default ring — main sidebar items and settings nav items are bespoke
link_to markup the primitive sweep missed, and they're the primary
keyboard path in the app. Both adopt .focus-ring (main nav adds
rounded-lg so the outline follows a shape).
* fix(ds): retire the legacy base-layer button ring for the canonical outline
The @layer base button rule still painted a ring-2 ring-offset-2
box-shadow on :focus-visible. Box-shadow and outline are independent
properties, so .focus-ring (an outline) could never clear it and every
button-tag primitive double-painted both indicators on keyboard focus.
Apply the canonical recipe to the base button rule itself: every
<button> now gets the transparent resting outline + focus-ring token on
:focus-visible by default.
Two bespoke buttons suppressed the outline with focus:outline-none and
relied on the base ring for their keyboard indicator (category dropdown
rows, the sign-up password toggle). Drop the suppression so they pick
up the canonical outline — :focus-visible keeps it keyboard-only, which
is what the suppression was protecting against anyway.
* fix(ds): segmented control adopts the canonical focus recipe
The segment rule inlined its own focus-visible outline (offset 2,
alpha-400 colors) with a comment noting it was temporary until the
canonical token landed — this branch is that token. Drop the inlined
utilities: button segments get the outline from the base button rule,
and link segments now carry .focus-ring.