Skip to content

FIN-21 · Plaid webhooks + connection health + relink/disconnect #798

Description

@lbedner

Milestone: Finance M4 · Depends on: FIN-20.

Goal

Webhooks + connection health: Plaid tells us when to sync and when the user must re-login; the UI chip reflects it.

Implementation

  1. POST /api/v1/finance/webhooks/plaid — UNAUTHENTICATED route (Plaid calls it) with Plaid's JWT verification (plaid-python verification helper / /webhook_verification_key/get; mirror how the Stripe provider verifies construct_event — never process unverified). Log EVERY delivery to finance_webhook_event first (idempotent on uq_finance_webhook_event), then dispatch:
    • TRANSACTIONS / SYNC_UPDATES_AVAILABLE → trigger the FIN-20 sync for that item_id (inline task; dedupe concurrent syncs per connection with a simple DB/redis flag).
    • ITEM / ERROR (ITEM_LOGIN_REQUIRED) → status='login_required', needs_user_action=true, last_error_code.
    • ITEM / PENDING_EXPIRATIONstatus='pending_expiration', needs_user_action=true, store consent_expiration_time.
    • ITEM / USER_PERMISSION_REVOKEDstatus='revoked', needs_user_action=true.
    • Anything else → status='ignored' on the event row (still logged).
  2. Update mode (re-auth): POST /finance/connections/{id}/relinkcreate_link(update_connection=…) (link_token from the EXISTING access_token). On successful re-link, clear needs_user_action, status='healthy'. The access_token does NOT change in update mode.
  3. Disconnect: DELETE /finance/connections/{id} → call /item/remove (stops Plaid's per-item billing), then soft-delete connection (removed_at + deleted_at). Accounts/transactions RETAIN (per plan's retention default).
  4. Health rollup: FIN-11's /finance/health now reports worst connection status + needs_user_action count; FIN-18's card chip turns amber when any connection needs action.

Validation (sandbox)

/sandbox/item/fire_webhook fires DEFAULT_UPDATE/SYNC_UPDATES_AVAILABLE; /sandbox/item/reset_login forces ITEM_LOGIN_REQUIRED on next sync.

Acceptance criteria

  • Fired sandbox webhook → event row logged + sync ran (new txns appear without manual trigger). Redelivered same webhook → second event row is a no-op (idempotency key).
  • reset_login → next sync/webhook flips needs_user_action=true; /finance/health reflects it; card chip amber (manual UI check).
  • Relink flow clears the flag (sandbox update-mode link).
  • Unverified/bad-signature webhook → 401, nothing processed, event NOT dispatched.
  • DELETE connection → /item/remove called (assert via mock in unit test), rows soft-deleted, history retained.

Shared context (read this first — identical in every FIN ticket)

What we're building: a Finance Service for aegis-stack — a personal-finance aggregator (Empower/Quicken class: linked bank/credit/brokerage accounts, Quicken/OFX/CSV import, net-worth-over-time, "wasting money" insights). It is a gated template service like payment/insights: a new include_finance copier flag + a SERVICES["finance"] registry entry. Nothing is bolted into any one generated project.

Authoritative design docs (in this repo):

  • docs/plans/finance-service/finance-service-plan.md — the full plan.
  • docs/plans/finance-service/finance-schema-canonical.md — THE schema: 33 tables, every column/FK/index/unique/check, dedup contract, ER diagram. Schema tickets inline their slice, but this file is the tiebreaker.
  • docs/plans/finance-service/finance-research/ — Plaid/OFX/product research briefs.

The two parallel systems (keep them in sync — this is the #1 thing to understand):

  1. Copier templateaegis/templates/copier-aegis-project/{{ project_slug }}/…. Gating = literal {% if include_finance %} blocks in .jinja files + questions in copier.yml (repo root).
  2. Python registryaegis/core/services.py → the SERVICES dict. Single source of truth for: post-gen file pruning (aegis/core/post_gen_tasks.py:139-146 removes every path in a spec's FileManifest.primary when its flag is off), aegis add-service, migrations, aegis update disk-detection (marker_path), and aegis init service listing. Copy the payment spec (services.py:677-763) as the reference.

Migrations are GENERATED, not hand-written. Table definitions live as declarative specs in aegis/core/migration_generator.py: TableSpec / ColumnSpec / IndexSpec(name, columns, unique, where=…) (a where= renders BOTH sqlite_where and postgresql_where — partial uniques work on both engines) / ForeignKeySpec(columns, ref_table, ref_columns, ondelete=…, ref_schema=…) / CheckConstraintSpec(name, sqltext) / AlterTableSpec (for circular FKs; runs in one op.batch_alter_table, SQLite-safe). Revision IDs are auto-assigned at generation time (get_next_revision_id, max+1 zero-padded) — NEVER hardcode a revision number. Which migrations generate is decided by get_services_needing_migrations(context) (migration_generator.py:~1771) — finance gets a block there mirroring payment's (:~1839).

Generated-project conventions (non-negotiable, from the schema doc §conventions):

  • int autoincrement PKs (id: int | None = Field(default=None, primary_key=True)) — NO UUIDs.
  • Money = int minor units (cents) + a currency code column. NO Decimal/Numeric/float. Fractional share quantities = quantity_e8 (int, ×1e8); prices = int + price_scale; FX = rate_e8.
  • Timestamps = naive UTC via a utcnow_naive() helper (datetime.now(UTC).replace(tzinfo=None)).
  • Enums we own = String column + CheckConstraint (never native PG enum). Provider taxonomies that grow (Plaid account subtype, PFC categories, security_type) = plain TEXT, no check.
  • JSON via sa_column=Column("name", JSON); the attr metadata_ maps to DB column "metadata" (SQLModel reserves metadata).
  • Every user-scoped row: owner_user_id FK → user.id (CASCADE, indexed) + nullable organization_id (SET NULL, indexed). These FKs target the auth service's tables — finance declares required_services=["auth"]. Cross-schema FK precedent: payment.payment_customer → auth.user uses ForeignKeySpec(..., ref_schema="auth").
  • Every FK indexed. ONE documented exception: currency FKs (low-cardinality) stay unindexed, ON DELETE RESTRICT.
  • All finance tables are finance_-prefixed; explicit __tablename__; index names ix_…, uniques uq_…, checks ck_….
  • Services: class FinanceService: def __init__(self, db: AsyncSession); queries via sqlmodel.select + await self.db.exec(…); writes self.db.add(…) + await self.db.flush() — services NEVER commit (the request-scoped get_async_db dependency commits).
  • Dedup = real UNIQUE constraints + dialect-dispatched idempotent UPSERT (sqlite.insert(...).on_conflict_do_update(...) vs postgresql.insert(...) — pick by db.bind.dialect.name).

Dev workflow / how to validate (all from the aegis-stack repo root):

make check                 # repo's own lint + typecheck + tests — must stay green
make test-template         # generate a project from the template + validate it
make test-stacks-quick     # 3 representative stacks: base, everything, insights
make clean-test-projects   # remove generated test projects

# Generate a throwaway project from your UNCOMMITTED working tree:
uv run aegis init fin-smoke --dev --no-interactive -y \
  -o /tmp/aegis-fin-test \
  -c database,scheduler -s auth,finance
# (…and a second one WITHOUT `finance` in -s to prove pruning.)

Generated-project checks (run inside the generated project): make test, make lint, boot the app, hit endpoints with curl.

Postgres matters: the template supports sqlite AND postgres. FK enforcement, partial-unique behavior, and ON CONFLICT semantics must be validated against postgres too (generate with a postgres database answer, or run the migration against a local postgres). SQLite test sessions don't enforce FKs — don't trust green sqlite tests for constraint behavior.

Ticket codes: FIN-01…FIN-27. Dependencies are cited by code. Do not start a ticket whose dependencies aren't merged.

Metadata

Metadata

Assignees

No one assigned

    Labels

    financeFinance aggregator service (include_finance)

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions