Skip to content

FIN-19 · Plaid adapter: Link, token exchange, encrypted storage, accounts #796

Description

@lbedner

Milestone: Finance M4 · Depends on: FIN-11 (service+config), FIN-01 (Plaid account).

Goal

The Plaid adapter's connect path: provider protocol + Link token + public_token exchange + ENCRYPTED token storage + accounts fetch. End state: a sandbox institution links end-to-end and its accounts appear in the DB.

Implementation

  1. Dep: plaid-python>=15.0 (pyproject.jinja {%- if include_finance and finance_plaid %} block + pyproject_deps parity).
  2. app/services/finance/providers/base.py — the protocol every provider implements (mirror app/services/payment/providers/base.py's shape — vendor SDK objects NEVER leak past the adapter):
class BaseFinanceProvider(Protocol):
    async def create_link(self, user_ref: str, *, update_connection: FinanceConnection | None = None) -> LinkSession: ...
    async def exchange(self, public_token: str) -> ExchangeResult:  # provider_item_id + access_token (plaintext, encrypt at call site)
    async def fetch_accounts(self, connection: FinanceConnection) -> list[NormalizedAccount]: ...
    async def sync_transactions(self, connection: FinanceConnection) -> SyncResult: ...   # FIN-20
    async def fetch_holdings(self, connection: FinanceConnection) -> HoldingsResult: ...  # FIN-24
    def capabilities(self) -> dict[str, bool]: ...

Normalized dataclasses: NormalizedAccount(provider_account_id, persistent_account_id, name, official_name, mask, type, subtype, currency, current_balance_cents, available_balance_cents, credit_limit_cents, raw). Plaid balances arrive as floats — convert to int cents at the adapter boundary (round(x*100)), nowhere else.
3. providers/plaid.py.jinja (jinja only if it needs finance_plaid internals; otherwise plain .py listed in the flag-gated manifest) — implement create_link (/link/token/create: products from connection intent, redirect_uri from settings, webhook from settings), exchange (/item/public_token/exchange), fetch_accounts (/accounts/get). Env from settings.PLAID_ENV (sandbox|production — there is NO development env).
4. Endpoints:

  • POST /finance/link/token{link_token} (Link opens client-side; sandbox tests can skip the UI — see validation).
  • POST /finance/link/exchange {public_token, institution?} → creates finance_connection (provider='plaid', access_token_encrypted = encrypt_secret(token, context=f"finance_connection:{id}:access_token") — NOTE: insert row first to get the id for AAD context, then update with ciphertext, one transaction) + upserts accounts on uq_finance_account_provider, matching relinks by persistent_account_id before creating new account rows.
  1. providers/manual.py — no-op provider satisfying the protocol (returns empty results), so the service layer can treat every connection uniformly.

Validation (sandbox, no browser needed)

Plaid sandbox lets you mint a public_token server-side: /sandbox/public_token/create with institution_id="ins_109508" (First Platypus Bank), products=["transactions"]. Script or test does: sandbox public_token → POST /finance/link/exchange → assert connection + accounts.

Acceptance criteria

  • Integration test (marked, needs PLAID sandbox keys via env): exchange creates 1 connection + N accounts; token column starts v2:; decrypt round-trips; repr() masks.
  • Balances stored as int cents (assert exact values from sandbox fixture accounts).
  • Re-running exchange for the same item (same provider_item_id) does NOT duplicate the connection (partial-unique) — accounts upsert in place.
  • finance_plaid=false generated project: no plaid dep, no plaid provider file, /finance/link/token → 404 or clear "provider not enabled" 400 (pick one, document it).
  • make check green.

Shared context (read this first — identical in every FIN ticket)

What we're building: a Finance Service for aegis-stack — a personal-finance aggregator (Empower/Quicken class: linked bank/credit/brokerage accounts, Quicken/OFX/CSV import, net-worth-over-time, "wasting money" insights). It is a gated template service like payment/insights: a new include_finance copier flag + a SERVICES["finance"] registry entry. Nothing is bolted into any one generated project.

Authoritative design docs (in this repo):

  • docs/plans/finance-service/finance-service-plan.md — the full plan.
  • docs/plans/finance-service/finance-schema-canonical.md — THE schema: 33 tables, every column/FK/index/unique/check, dedup contract, ER diagram. Schema tickets inline their slice, but this file is the tiebreaker.
  • docs/plans/finance-service/finance-research/ — Plaid/OFX/product research briefs.

The two parallel systems (keep them in sync — this is the #1 thing to understand):

  1. Copier templateaegis/templates/copier-aegis-project/{{ project_slug }}/…. Gating = literal {% if include_finance %} blocks in .jinja files + questions in copier.yml (repo root).
  2. Python registryaegis/core/services.py → the SERVICES dict. Single source of truth for: post-gen file pruning (aegis/core/post_gen_tasks.py:139-146 removes every path in a spec's FileManifest.primary when its flag is off), aegis add-service, migrations, aegis update disk-detection (marker_path), and aegis init service listing. Copy the payment spec (services.py:677-763) as the reference.

Migrations are GENERATED, not hand-written. Table definitions live as declarative specs in aegis/core/migration_generator.py: TableSpec / ColumnSpec / IndexSpec(name, columns, unique, where=…) (a where= renders BOTH sqlite_where and postgresql_where — partial uniques work on both engines) / ForeignKeySpec(columns, ref_table, ref_columns, ondelete=…, ref_schema=…) / CheckConstraintSpec(name, sqltext) / AlterTableSpec (for circular FKs; runs in one op.batch_alter_table, SQLite-safe). Revision IDs are auto-assigned at generation time (get_next_revision_id, max+1 zero-padded) — NEVER hardcode a revision number. Which migrations generate is decided by get_services_needing_migrations(context) (migration_generator.py:~1771) — finance gets a block there mirroring payment's (:~1839).

Generated-project conventions (non-negotiable, from the schema doc §conventions):

  • int autoincrement PKs (id: int | None = Field(default=None, primary_key=True)) — NO UUIDs.
  • Money = int minor units (cents) + a currency code column. NO Decimal/Numeric/float. Fractional share quantities = quantity_e8 (int, ×1e8); prices = int + price_scale; FX = rate_e8.
  • Timestamps = naive UTC via a utcnow_naive() helper (datetime.now(UTC).replace(tzinfo=None)).
  • Enums we own = String column + CheckConstraint (never native PG enum). Provider taxonomies that grow (Plaid account subtype, PFC categories, security_type) = plain TEXT, no check.
  • JSON via sa_column=Column("name", JSON); the attr metadata_ maps to DB column "metadata" (SQLModel reserves metadata).
  • Every user-scoped row: owner_user_id FK → user.id (CASCADE, indexed) + nullable organization_id (SET NULL, indexed). These FKs target the auth service's tables — finance declares required_services=["auth"]. Cross-schema FK precedent: payment.payment_customer → auth.user uses ForeignKeySpec(..., ref_schema="auth").
  • Every FK indexed. ONE documented exception: currency FKs (low-cardinality) stay unindexed, ON DELETE RESTRICT.
  • All finance tables are finance_-prefixed; explicit __tablename__; index names ix_…, uniques uq_…, checks ck_….
  • Services: class FinanceService: def __init__(self, db: AsyncSession); queries via sqlmodel.select + await self.db.exec(…); writes self.db.add(…) + await self.db.flush() — services NEVER commit (the request-scoped get_async_db dependency commits).
  • Dedup = real UNIQUE constraints + dialect-dispatched idempotent UPSERT (sqlite.insert(...).on_conflict_do_update(...) vs postgresql.insert(...) — pick by db.bind.dialect.name).

Dev workflow / how to validate (all from the aegis-stack repo root):

make check                 # repo's own lint + typecheck + tests — must stay green
make test-template         # generate a project from the template + validate it
make test-stacks-quick     # 3 representative stacks: base, everything, insights
make clean-test-projects   # remove generated test projects

# Generate a throwaway project from your UNCOMMITTED working tree:
uv run aegis init fin-smoke --dev --no-interactive -y \
  -o /tmp/aegis-fin-test \
  -c database,scheduler -s auth,finance
# (…and a second one WITHOUT `finance` in -s to prove pruning.)

Generated-project checks (run inside the generated project): make test, make lint, boot the app, hit endpoints with curl.

Postgres matters: the template supports sqlite AND postgres. FK enforcement, partial-unique behavior, and ON CONFLICT semantics must be validated against postgres too (generate with a postgres database answer, or run the migration against a local postgres). SQLite test sessions don't enforce FKs — don't trust green sqlite tests for constraint behavior.

Ticket codes: FIN-01…FIN-27. Dependencies are cited by code. Do not start a ticket whose dependencies aren't merged.

Metadata

Metadata

Assignees

No one assigned

    Labels

    financeFinance aggregator service (include_finance)

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions