You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: IMPLEMENTATION_PLAN.md
+5Lines changed: 5 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -41,6 +41,7 @@ The Ray OpenRay documents are especially important. They define the product lang
41
41
- A **Sync** updates local data only.
42
42
- Read commands must not require AI keys or provider credentials.
43
43
- Provider commands require provider credentials and should fail explicitly when missing.
44
+
- Plaid Dashboard login may bootstrap local Plaid API credentials, but it remains a Plaid-specific setup convenience: it writes the same Provider credential contract as manual configuration, stores Dashboard auth beside the resolved config, and keeps manual `money providers configure plaid` as the supported fallback if Dashboard contracts reject or drift.
44
45
45
46
When command, data model, or Provider behavior can be answered by donor code, prefer donor evidence before asking product questions. Use Ray Finance as the primary engineering donor for local data model decisions, Provider sync, Plaid/Bridge flow, encrypted local storage behavior, imports, local annotations, and query fields. Use `monarchmoney-cli` for command naming habits, JSON envelopes, stdout/stderr behavior, exit codes, safety gates, and agent-facing ergonomics. If Ray lacks a feature, do not invent a first-version stable contract from Monarch alone; defer it unless it is required by `money`'s goals. Ask only when donor behavior conflicts with `money` boundaries or a real product trade-off remains.
Copy file name to clipboardExpand all lines: docs/ARCHITECTURE.md
+5-1Lines changed: 5 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -161,13 +161,17 @@ When an alternate config path is selected, its default env companion is `.env` i
161
161
162
162
Provider secret names should follow the provider's common official vocabulary. For Plaid, use `PLAID_CLIENT_ID`, `PLAID_SECRET`, `PLAID_ENV`, `PLAID_PRODUCTS`, `PLAID_COUNTRY_CODES`, and `PLAID_REDIRECT_URI`. For Bridge, use `BRIDGE_CLIENT_ID` and `BRIDGE_CLIENT_SECRET`. For MX, use `MX_CLIENT_ID` and `MX_API_KEY`. For Finicity, use `FINICITY_APP_KEY`, `FINICITY_PARTNER_ID`, and `FINICITY_PARTNER_SECRET`.
163
163
164
+
Plaid Dashboard login is a Plaid-specific credential bootstrap flow, not a generic Provider interface. `money plaid login` and `money providers plaid login` use the Plaid CLI-compatible Dashboard OAuth path to fetch API keys, then write only `PLAID_CLIENT_ID` and the selected environment's `PLAID_SECRET` through the normal Provider config writer. Dashboard OAuth tokens are stored separately as `plaid-dashboard-auth.json` beside the resolved config file with the same local-user file security expectations as `.env`. If Plaid rejects or changes the private Dashboard contract, the command fails explicitly and tells the user to configure Plaid manually; it must not try alternate private clients, scraping, or hidden fallback behavior.
165
+
164
166
Plaid defaults to the `transactions` product. Additional products such as `investments` and `liabilities` require explicit configuration and should not expand stable read contracts until their local data model is ready. Recurring transaction streams should be synced when the configured Provider returns them; otherwise `recurring.list` returns an empty local result with a normal success envelope.
165
167
166
168
Bridge link creates or reuses a Bridge external user ID without creating a `money` user account. By default `money` generates and stores the external user ID in Provider Item state during link. Advanced commands may accept an existing external user ID for reconnect or migration cases.
167
169
168
170
Provider link flows may use a short-lived localhost callback helper when required by the Provider, such as Plaid Link. This helper is not a required persistent server, local API, daemon, or background service. It should bind only for the active link session, use a random state value, shut down after completion or timeout, and fail explicitly when the callback cannot be started. Interactive link commands should follow GitHub CLI's browser flow: print the authorization URL and wait for the user to press Enter before opening the browser. If the user does not press Enter, nothing is opened and the printed URL remains usable for manual/headless handling. `--no-open` suppresses browser opening for SSH, cron, and headless environments while still printing the URL.
169
171
170
-
Plaid Link in CLI mode is implemented as a short-lived local Link page, not as a raw Plaid redirect URL. The command creates a Plaid `link_token`, starts a localhost callback/page server, prints the local URL, waits for Enter, then opens that local URL unless `--no-open` is set. The page loads Plaid Link from Plaid's CDN with the `link_token`; on `onSuccess`, it posts the `public_token`, Plaid institution metadata, selected account metadata, and random state back to the localhost helper. The CLI validates state, exchanges the `public_token` for an access token, stores only the encrypted access token and mapped metadata, then shuts down the helper. The helper must not expose general API endpoints or serve real financial data.
172
+
Plaid Link in CLI mode is implemented as a short-lived local Link page, not as a raw Plaid redirect URL. The command creates a Plaid `link_token`, starts a localhost callback/page server, prints the local URL, waits for Enter, then opens that local URL unless `--no-open` is set. The page loads Plaid Link from Plaid's CDN with the `link_token`; on `onSuccess`, it posts a `success` callback containing the `public_token`, Plaid institution metadata, selected account metadata, and random state back to the localhost helper. On `onExit`, it posts either a `cancel` callback or an `error` callback with Plaid's error type/code/message plus request and link-session metadata when available. The CLI validates state and same-host origin, exchanges only success callbacks for access tokens, stores only the encrypted access token and mapped metadata, then shuts down the helper. Cancel and Link error callbacks do not exchange a token. The helper must not expose general API endpoints or serve real financial data.
173
+
174
+
Plaid Link consent product options are explicit configuration/flag inputs. `products` remains the initial product set. `additional_consented_products`, `required_if_supported_products`, and `optional_products` may be configured or passed to Plaid link commands to shape consent without expanding local stable read contracts. Unsupported Plaid product names fail validation before calling Plaid.
171
175
172
176
Bridge link uses the same browser ergonomics but does not pretend to be Plaid Link. The Bridge adapter creates a connect session, prints the connect URL, waits for Enter before opening unless `--no-open` is set, then polls or checks provider item state according to Bridge's API. If Bridge institution discovery is unavailable in the first adapter, `money link` omits Bridge from institution-first choices and `money providers bridge link` remains the supported path.
Copy file name to clipboardExpand all lines: docs/CONFIG.md
+6-1Lines changed: 6 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -21,6 +21,9 @@ providers:
21
21
environment: sandbox
22
22
products: [transactions]
23
23
country_codes: [US]
24
+
additional_consented_products: [investments]
25
+
required_if_supported_products: [liabilities]
26
+
optional_products: [auth]
24
27
redirect_uri:
25
28
env: PLAID_REDIRECT_URI
26
29
bridge:
@@ -30,7 +33,7 @@ providers:
30
33
env: BRIDGE_CLIENT_SECRET
31
34
```
32
35
33
-
Direct scalar values are allowed only for non-secrets such as `database.path`, `providers.plaid.environment`, `products`, and `country_codes`. Direct scalar secrets are accepted for manually edited files, but config loading emits a structured warning recommending `.env` references.
36
+
Direct scalar values are allowed only for non-secrets such as `database.path`, `providers.plaid.environment`, `products`, `country_codes`, and Plaid Link consent product lists. Direct scalar secrets are accepted for manually edited files, but config loading emits a structured warning recommending `.env` references.
34
37
35
38
## Path Resolution
36
39
@@ -60,6 +63,8 @@ Profile names must be alphanumeric, hyphen, or underscore only; path traversal c
60
63
61
64
Environment variables complete explicit references; they do not form a magic override chain. For example, `PLAID_SECRET` is used only when config says `secret: { env: PLAID_SECRET }` or a setup/configure command writes that reference.
62
65
66
+
Plaid Dashboard OAuth bootstrap state is stored outside YAML at `plaid-dashboard-auth.json` beside the resolved config file. It is local bootstrap state for `money plaid login`, written `0600`, and may include Dashboard access/refresh tokens plus selected `team_id` and `client_id`. Provider API credentials still use the normal `.env` plus YAML `env:` references model.
Copy file name to clipboardExpand all lines: docs/CONTRACTS.md
+67Lines changed: 67 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -152,19 +152,39 @@ Provider errors are classified as:
152
152
153
153
Reconnect-required provider states are machine-readable through item status or classified provider errors. Removed provider transactions are soft-deleted: normal reads exclude them, `--removed include|only` can show them, and permanent purge is reserved for an explicit confirmed cleanup command.
money providers plaid link --optional-products auth --additional-consented-products investments
187
+
money plaid sandbox link --products transactions --institution-id ins_56
168
188
169
189
# Read synced data
170
190
money investments holdings --json
@@ -174,6 +194,21 @@ money items list --json
174
194
money items rename <id>"My Bank" --json
175
195
```
176
196
197
+
## Link Commands
198
+
199
+
Plaid link commands are human-mode browser flows. JSON mode is rejected for live Link because completion depends on a local callback.
200
+
201
+
`money link <institution-query>` and `money providers plaid link` support:
202
+
203
+
-`--no-open`
204
+
-`--additional-consented-products`
205
+
-`--required-if-supported-products`
206
+
-`--optional-products`
207
+
208
+
The three consent flags accept comma-separated Plaid product names and are validated before Plaid is called. `products` remains the configured initial product set. Canceling Plaid Link exits without exchanging a public token or writing a Provider Item. Plaid Link errors preserve Plaid error type/code/message plus request and link session metadata internally for diagnostics.
209
+
210
+
`money plaid sandbox link` creates a Plaid Sandbox public token, exchanges it through the same Provider Item persistence path as browser Link, and stores the linked item in the encrypted local store. It only runs when `providers.plaid.environment` is `sandbox`. `balance` is rejected as an initial product instead of being remapped.
These commands never include Plaid API secrets, Dashboard OAuth tokens, masked secrets, or reversible previews.
308
+
242
309
## Monarch Compatibility Notes
243
310
244
311
The command names and stdout/stderr discipline follow Monarch CLI habits where useful. `money` differs by using object-wrapped collection fields, multi-error envelopes, explicit source provenance, encrypted local storage, and BYOK Provider adapters.
0 commit comments