Finman overhaul: money integrity, AI CFO, real OCR, FX net worth, bank sync, deploy, 137 tests #2
ctmakc wants to merge 2 commits into
Conversation
- lib/money, lib/respond, lib/logger, lib/validateEnv, lib/ai/provider
- middleware/error (AppError+errorHandler+notFound), authorize, requireTier
- lib/migrate + migrations/ (subscription_tier, stripe ids, ai_conversations, ai_messages)
- routes/health (+ready); stub routers ai/billing/sync/anomalies
- server.js: pino-http, validateEnv, new mounts, SPA skips /api/*, notFound+errorHandler, exports app
- test harness (jest.config, test/helpers/app, test/foundation.test) — 11 tests green
- index.html: i18n.js + ai.js script hooks
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…, real OCR, bank sync scheduler, forecast/anomaly, i18n/a11y, deploy, billing
Integrator pass: wire feature streams together, fix cross-cutting bugs, all 137 tests green.
Fixes applied during integration:
- test/helpers/app.js: call jest.resetModules() in makeApp() so multi-makeApp test files get a fresh DB module instead of a closed sqlite handle (was SQLITE_MISUSE: Database is closed across billing/ai/money/networth/sync suites).
- models/transaction.js: rename local SQL-builder var `query` -> `sql` in findByUserId and the stats aggregator; the local var shadowed the imported db `query()` function, causing "query is not a function" 500s on GET /api/transactions.
- test/split.test.js: correct the settlement zero-convergence assertion to balance - net (creditor's positive balance is cleared by receiving), matching the model's documented sign convention and the test's own net[] assertions.
- server.js: mount express.raw on /api/billing/webhook before express.json (Stripe signature needs the raw body); start the bank sync scheduler at boot only when SYNC_ENABLED (inside require.main === module, so tests never auto-start it).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3712c36e9c
| } else { | ||
| // Без секрета — только в dev: доверяем телу как есть. | ||
| try { | ||
| event = typeof rawBody === 'string' ? JSON.parse(rawBody) : JSON.parse(rawBody.toString('utf8')); |
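Review bot: the `else` branch makes the mere absence of STRIPE_WEBHOOK_SECRET the only condition for accepting an unsigned body, so a production deployment that forgets to set the variable silently processes unverified events. Gate this branch on an explicit development/test flag and otherwise refuse the request (for example by throwing the AppError the new middleware/error module provides) so that a missing secret fails closed. The comment on the branch is also in Russian ("Без секрета — только в dev: доверяем телу как есть.", i.e. "Without a secret, dev only: trust the body as-is"); an English comment would match the commit messages and the rest of the visible change.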
Require Stripe webhook signatures before tier changes
When STRIPE_SECRET_KEY is configured but STRIPE_WEBHOOK_SECRET is left unset, this public webhook path accepts unsigned JSON and still processes checkout.session.completed / subscription events that call applyTier. Because resolveUserId trusts event metadata/customer data, an attacker can POST a fabricated event to /api/billing/webhook and upgrade arbitrary users to pro/family; treat a missing webhook secret as disabled/error outside an explicit local dev/test mode.
| const expense = Number(r.expense) || 0; | ||
| return { | ||
| t: dayIndex, | ||
| net: income - expense, |
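Review bot: `net: income - expense` assumes `r.expense` is already a positive spend figure, but `Number(r.expense) || 0` on the line above accepts either sign, so the result silently depends on the sign convention of the aggregating query. Make that convention explicit here, for example `net: income - Math.abs(expense)` if the query returns signed amounts, or a comment stating that the query already negates or ABS-es expense rows, and add a test case with one income and one expense row on the same day so a sign flip fails loudly rather than inflating the forecast.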
Normalize expense signs before forecasting
For users with at least 5 history days, the new seasonal model uses this net value, but expense transactions are stored as negative amounts in the app, so income - expense adds spending to income. A day with 100 income and -40 expense is modeled as +140 net instead of +60, making projected balances and confidence bands overly optimistic; convert expense rows to positive spend with ABS/-SUM(amount) or add the signed expense directly.
Finman overhaul — make it real, honest, tested & deployable
Implements the multi-agent audit roadmap. Additive — no existing feature removed; main-era functionality preserved.

Foundation
- lib/money.js (decimal-safe), lib/respond.js, lib/logger.js (pino), lib/validateEnv.js, lib/ai/provider.js (provider-agnostic: anthropic/openai/ollama, env-gated)
- AppError + errorHandler + notFound, requireOwnership, requireTier
- Migrations (lib/migrate.js + migrations/) + schema_migrations
- server.js wired additively; unknown /api/* now hits 404 instead of being swallowed by the SPA catch-all

Fixes & features
- Split.getExpenses (500 on every call) + cent-exact settlement math
- GET /api/transactions (query var shadowed the db helper)
- lib/money rounding across core models; debt-overpay rejection; investment P&L includes fees
- AI CFO (/api/ai/*, grounded in the user's own data, requireTier('pro'), graceful 503 without key)
- Bank sync scheduler (SYNC_ENABLED)
- Deploy (data/volume) + GitHub Actions CI + README

Status
- AI (AI_API_KEY), Stripe (STRIPE_SECRET_KEY), live bank sync (SYNC_ENABLED + tokens)
- JWT_SECRET / SESSION_SECRET / ENCRYPTION_KEY

🤖 Generated with Claude Code