feat: Device trust management & recognition (closes #125)

packages/backend/app/models.py

@@ -133,3 +133,32 @@ class AuditLog(db.Model):
     user_id = db.Column(db.Integer, db.ForeignKey("users.id"), nullable=True)
     action = db.Column(db.String(100), nullable=False)
     created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
+
+
+class CategorizationRule(db.Model):
+    __tablename__ = "categorization_rules"
+    id = db.Column(db.Integer, primary_key=True)
+    user_id = db.Column(db.Integer, db.ForeignKey("users.id"), nullable=False)
+    keyword = db.Column(db.String(200), nullable=False)
+    category_name = db.Column(db.String(100), nullable=False)
+    confidence = db.Column(db.Float, default=0.80, nullable=False)
+    source = db.Column(db.String(20), default="learned", nullable=False)
+    created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
+    updated_at = db.Column(
+        db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False
+    )
+from datetime import datetime
+from .extensions import db
+
+
+class TrustedDevice(db.Model):
+    __tablename__ = "trusted_devices"
+    id = db.Column(db.Integer, primary_key=True)
+    user_id = db.Column(db.Integer, db.ForeignKey("users.id"), nullable=False)
+    device_name = db.Column(db.String(200), nullable=False)
+    device_fingerprint = db.Column(db.String(64), nullable=False, unique=False)
+    user_agent = db.Column(db.String(500), nullable=True)
+    ip_address = db.Column(db.String(45), nullable=True)
+    trusted = db.Column(db.Boolean, default=True, nullable=False)
+    last_seen_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)
+    created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False)

packages/backend/app/routes/__init__.py

@@ -7,6 +7,8 @@
 from .categories import bp as categories_bp
 from .docs import bp as docs_bp
 from .dashboard import bp as dashboard_bp
+from .categorize import bp as categorize_bp
+from .devices import bp as devices_bp
 
 
 def register_routes(app: Flask):
@@ -18,3 +20,5 @@ def register_routes(app: Flask):
     app.register_blueprint(categories_bp, url_prefix="/categories")
     app.register_blueprint(docs_bp, url_prefix="/docs")
     app.register_blueprint(dashboard_bp, url_prefix="/dashboard")
+    app.register_blueprint(categorize_bp, url_prefix="/categorize")
+    app.register_blueprint(devices_bp, url_prefix="/devices")

packages/backend/app/routes/categorize.py

@@ -0,0 +1,112 @@
+import logging
+
+from flask import Blueprint, jsonify, request
+from flask_jwt_extended import jwt_required, get_jwt_identity
+
+from ..services.categorization import (
+    categorize_transaction,
+    learn_from_correction,
+    batch_categorize,
+)
+
+bp = Blueprint("categorize", __name__)
+logger = logging.getLogger("finmind.categorize")
+
+
+@bp.post("")
+@jwt_required()
+def categorize():
+    """Categorize a single transaction by description."""
+    uid = int(get_jwt_identity())
+    data = request.get_json() or {}
+    description = (data.get("description") or "").strip()
+    if not description:
+        return jsonify(error="description required"), 400
+    category_id = data.get("category_id")
+    result = categorize_transaction(
+        description=description,
+        existing_category_id=category_id,
+        user_id=uid,
+    )
+    logger.info("Categorized user=%s desc=%s result=%s", uid, description[:50], result.get("category"))
+    return jsonify(result)
+
+
+@bp.post("/batch")
+@jwt_required()
+def categorize_batch():
+    """Categorize multiple transactions at once."""
+    uid = int(get_jwt_identity())
+    data = request.get_json() or {}
+    transactions = data.get("transactions")
+    if not isinstance(transactions, list) or not transactions:
+        return jsonify(error="transactions list required"), 400
+    if len(transactions) > 100:
+        return jsonify(error="maximum 100 transactions per batch"), 400
+    results = batch_categorize(transactions, user_id=uid)
+    logger.info("Batch categorized user=%s count=%s", uid, len(results))
+    return jsonify(results=results, count=len(results))
+
+
+@bp.post("/learn")
+@jwt_required()
+def learn():
+    """Learn from a user's manual categorization correction."""
+    uid = int(get_jwt_identity())
+    data = request.get_json() or {}
+    description = (data.get("description") or "").strip()
+    category = (data.get("category") or "").strip()
+    if not description:
+        return jsonify(error="description required"), 400
+    if not category:
+        return jsonify(error="category required"), 400
+    result = learn_from_correction(
+        description=description,
+        correct_category=category,
+        user_id=uid,
+    )
+    logger.info("Learned user=%s cat=%s keywords=%s", uid, category, result.get("learned_count", 0))
+    return jsonify(result)
+
+
+@bp.get("/rules")
+@jwt_required()
+def list_rules():
+    """List learned categorization rules for the current user."""
+    uid = int(get_jwt_identity())
+    from ..models import CategorizationRule as RuleModel
+    from ..extensions import db
+
+    rules = (
+        db.session.query(RuleModel)
+        .filter_by(user_id=uid)
+        .order_by(RuleModel.confidence.desc())
+        .all()
+    )
+    return jsonify([
+        {
+            "id": r.id,
+            "keyword": r.keyword,
+            "category": r.category_name,
+            "confidence": round(r.confidence, 2),
+            "source": r.source,
+        }
+        for r in rules
+    ])
+
+
+@bp.delete("/rules/<int:rule_id>")
+@jwt_required()
+def delete_rule(rule_id: int):
+    """Delete a learned categorization rule."""
+    uid = int(get_jwt_identity())
+    from ..models import CategorizationRule as RuleModel
+    from ..extensions import db
+
+    rule = db.session.get(RuleModel, rule_id)
+    if not rule or rule.user_id != uid:
+        return jsonify(error="not found"), 404
+    db.session.delete(rule)
+    db.session.commit()
+    logger.info("Deleted rule id=%s user=%s", rule_id, uid)
+    return jsonify(message="deleted")

packages/backend/app/routes/devices.py

@@ -0,0 +1,120 @@
+from flask import Blueprint, request, jsonify
+from flask_jwt_extended import jwt_required, get_jwt_identity
+from ..extensions import db
+from ..models import TrustedDevice
+import hashlib
+import logging
+
+bp = Blueprint("devices", __name__)
+logger = logging.getLogger("finmind.devices")
+
+
+def _make_fingerprint(user_agent: str, ip: str) -> str:
+    raw = f"{user_agent}|{ip}"
+    return hashlib.sha256(raw.encode()).hexdigest()
+
+
+@bp.get("/")
+@jwt_required()
+def list_devices():
+    uid = int(get_jwt_identity())
+    devices = (
+        db.session.query(TrustedDevice)
+        .filter_by(user_id=uid)
+        .order_by(TrustedDevice.last_seen_at.desc())
+        .all()
+    )
+    return jsonify(
+        [
+            {
+                "id": d.id,
+                "device_name": d.device_name,
+                "trusted": d.trusted,
+                "user_agent": d.user_agent,
+                "ip_address": d.ip_address,
+                "last_seen_at": d.last_seen_at.isoformat() + "Z",
+                "created_at": d.created_at.isoformat() + "Z",
+            }
+            for d in devices
+        ]
+    )
+
+
+@bp.post("/")
+@jwt_required()
+def trust_device():
+    uid = int(get_jwt_identity())
+    data = request.get_json() or {}
+    device_name = (data.get("device_name") or "").strip()
+    if not device_name:
+        return jsonify(error="device_name is required"), 400
+
+    user_agent = request.headers.get("User-Agent", "")
+    ip = request.remote_addr or ""
+    fingerprint = _make_fingerprint(user_agent, ip)
+
+    existing = (
+        db.session.query(TrustedDevice)
+        .filter_by(user_id=uid, device_fingerprint=fingerprint)
+        .first()
+    )
+    if existing:
+        existing.trusted = True
+        existing.device_name = device_name
+        existing.last_seen_at = db.func.now()
+        db.session.commit()
+        logger.info("Re-trusted device id=%s for user_id=%s", existing.id, uid)
+        return jsonify(
+            id=existing.id,
+            device_name=existing.device_name,
+            trusted=existing.trusted,
+            message="device re-trusted",
+        ), 200
+
+    device = TrustedDevice(
+        user_id=uid,
+        device_name=device_name,
+        device_fingerprint=fingerprint,
+        user_agent=user_agent,
+        ip_address=ip,
+        trusted=True,
+    )
+    db.session.add(device)
+    db.session.commit()
+    logger.info("Trusted new device id=%s for user_id=%s", device.id, uid)
+    return jsonify(
+        id=device.id,
+        device_name=device.device_name,
+        trusted=device.trusted,
+        message="device trusted",
+    ), 201
+
+
+@bp.delete("/<int:device_id>")
+@jwt_required()
+def revoke_device(device_id: int):
+    uid = int(get_jwt_identity())
+    device = db.session.get(TrustedDevice, device_id)
+    if not device or device.user_id != uid:
+        return jsonify(error="device not found"), 404
+    device.trusted = False
+    db.session.commit()
+    logger.info("Revoked device id=%s for user_id=%s", device_id, uid)
+    return jsonify(message="device revoked", id=device.id, trusted=False), 200
+
+
+@bp.patch("/<int:device_id>")
+@jwt_required()
+def rename_device(device_id: int):
+    uid = int(get_jwt_identity())
+    device = db.session.get(TrustedDevice, device_id)
+    if not device or device.user_id != uid:
+        return jsonify(error="device not found"), 404
+    data = request.get_json() or {}
+    new_name = (data.get("device_name") or "").strip()
+    if not new_name:
+        return jsonify(error="device_name is required"), 400
+    device.device_name = new_name
+    db.session.commit()
+    logger.info("Renamed device id=%s to '%s' for user_id=%s", device_id, new_name, uid)
+    return jsonify(id=device.id, device_name=device.device_name, trusted=device.trusted), 200