Slowbooks Pro 2026 — v2.0.0
A major release rolling up Phases 9, 10, and 11 plus a community walkthrough that closed the remaining UI gaps. Slowbooks now has analytics, AI insights, perpetual inventory, drill-down reports, fuzzy duplicate detection, and saved reports — all wired through the SPA.
First major release since v1.1.0 (April 2026). Long PR window, big surface, audited and verified.
✨ Headline features
Analytics dashboard (#/analytics)
- 4 KPI cards (Revenue, Expenses, DSO, Margin %)
- 4 interactive Chart.js visualizations: 12-month revenue line, expenses doughnut, A/R+A/P stacked bar, 90-day cash forecast
- Period selector — MTD / QTD / YTD with persistent state
- CSV and PDF export with branded headers (SlowBooks Pro 2026 wordmark + your company logo when uploaded)
- 10-query single-roundtrip backend (~26 ms on 3000 invoices + 1500 bills)
AI Insights (BYOK across 7 providers)
- One-shot brief — click ✨ AI Insights for a "3 observations / 3 risks / 3 recommendations" executive summary on the current snapshot
- 11 predefined analyses — curated dropdown spanning Customers & Sales, Vendors & Bills, Banking & Cash, Financial Reports, and Tax. Each pre-fetches data server-side and sends one focused prompt — works on every provider including Groq, where Llama tool-calling occasionally trips over the legacy <function=...> syntax
- Provider configuration in Settings → AI Insights with curated model dropdowns + Custom… escape hatch
- API keys encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA256)
- Self-hosted Cloudflare Worker Gateway option keeps real AI credentials inside your Cloudflare account
⚠️ Verified providers as of v2.0.0: Only Groq has been validated end-to-end against a live API key. The other six providers (xAI Grok, Cloudflare Workers AI, Cloudflare Worker Gateway, Anthropic Claude, OpenAI, Google Gemini) are wire-implemented and unit-tested but not exercised against live credentials. Accepting working PRs that confirm or fix any provider's config.
Phase 11 — Inventory, Drill-Down, Duplicate Detection, Saved Reports
- Real perpetual-inventory ledger with weighted-average cost, automatic COGS journal entries, voids that reverse, and inventory_movements audit trail
- Items form exposes the full inventory toolset: Track Inventory checkbox, Qty on Hand, Reorder Point, Asset Account
- Adjust modal with Add / Remove / Set-to-count modes for receipts, shrinkage, count corrections (with optional unit-cost re-weighting)
- Drill-down — P&L and Balance Sheet account names are click-through, opening a modal of source transactions with running balance and links to the originating invoice/bill/payment/JE
- Fuzzy duplicate detection on customer/vendor names — difflib similarity ≥ 0.85 after normalizing case, punctuation, and business suffixes (Inc/LLC/Corp). Confirm-and-create-anyway dialog when triggered
- Saved Reports — name and one-click rerun your favorite report configs (P&L, Balance Sheet, A/R Aging, Sales Tax, GL, Income by Customer, Cash Flow)
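The duplicate check described above, sketched as an added example (not Slowbooks' own code). The normalization details, function names and sample vendor names are assumptions; only difflib, the 0.85 threshold and the Inc/LLC/Corp suffixes come from the notes.

```python
import re
from difflib import SequenceMatcher

THRESHOLD = 0.85                     # similarity cut-off stated in the notes
SUFFIXES = {"inc", "llc", "corp"}    # business suffixes named in the notes


def normalize(name: str) -> str:
    """Lower-case, replace punctuation with spaces, drop trailing suffixes."""
    words = re.sub(r"[^\w\s]", " ", name.lower()).split()
    while words and words[-1] in SUFFIXES:
        words.pop()
    return " ".join(words)


def similarity(a: str, b: str) -> float:
    na, nb = normalize(a), normalize(b)
    if not na or not nb:
        # A name that is only a suffix ("Inc.") normalizes to "". Two empty
        # strings would score 1.0, so treat an empty side as no match.
        return 0.0
    return SequenceMatcher(None, na, nb).ratio()


def find_duplicates(new_name: str, existing: list) -> list:
    """Return (score, existing_name) pairs at or above THRESHOLD, best first."""
    scored = ((round(similarity(new_name, e), 2), e) for e in existing)
    return sorted((hit for hit in scored if hit[0] >= THRESHOLD), reverse=True)


# Constructed vendor list for illustration.
EXISTING = ["Acme Plumbing LLC", "Acme Plumbng Corp", "Zenith Supply", "Inc."]

if __name__ == "__main__":
    for score, name in find_duplicates("ACME Plumbing, Inc.", EXISTING):
        print(f"{score:.2f}  {name}")
```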
Auth, security, ops
- First-run setup wizard collects operator name + email + company name + email + password
- argon2id password hashing, slowapi rate limiting (5 logins/minute), session cookie auth
- External security audit pass:
  - SSRF guards on Cloudflare account ID (^[a-f0-9]{32}$) and Worker URL (no plain HTTP, no embedded creds, no private/loopback/link-local/multicast IPs, no AWS metadata endpoint, max 2048 chars)
  - CSV formula injection protection on =, +, -, @, tab, CR
  - Schema-validated AI config payloads via Pydantic
  - Constant-time secret compare in the Cloudflare Worker
- Dark mode now actually works on every report subtotal row (missing --gray-50 fix)
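The CSV formula-injection guard from the same audit list, as an added example (not the project's code). The notes name the six trigger characters but not how a cell is neutralized; the apostrophe prefix used here is an assumption, and the sample rows are constructed.

```python
import csv
import io

# The six leading characters named in the release notes.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize(cell):
    """Prefix a text cell with an apostrophe when it starts with a trigger."""
    if isinstance(cell, str) and cell.startswith(FORMULA_TRIGGERS):
        return "'" + cell
    # Non-string values pass through, so a float such as -42.5 stays numeric.
    # The same amount held as the string "-42.50" would be prefixed.
    return cell


def export_csv(rows) -> str:
    """Write rows to CSV text with every cell passed through neutralize()."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL)
    for row in rows:
        writer.writerow([neutralize(c) for c in row])
    return buf.getvalue()


# Constructed sample: user-entered text fields that begin with trigger
# characters, next to a genuine negative amount.
SAMPLE = [
    ["Customer", "Memo", "Amount"],
    ["=SUM(A1:A9)", "@total", -42.5],
    ["Acme LLC", "+A1", 100],
]

if __name__ == "__main__":
    print(export_csv(SAMPLE), end="")
```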
⚠️ Breaking changes
- Authentication is now required. First-run setup wizard prompts for a password; subsequent visits require login. Existing installs upgrading from v1.x: on first launch you'll see the setup screen — set your operator credentials there.
- AI free-form chat panel removed. The /api/analytics/ai-query endpoint that drove it is retained for power-user API calls, but the SPA now uses the predefined-analysis dropdown. The Groq Llama tool-calling fragility was the deciding factor — predefined analyses work reliably across every provider.
- AI provider config moved. No longer reachable via a ⚙ AI gear button on the analytics page; now lives at Settings → AI Insights. The analytics ✨ AI Insights button still bounces you there if no provider is configured.
🛠 Upgrade notes
- Run alembic upgrade head after pulling — this applies the Phase 11 inventory migration (f6a7b8c9d0e1_phase_11_inventory.py)
- Existing items remain track_inventory = false; opt in per item via the Items form
- Existing settings rows are preserved; new operator_name and operator_email keys default to empty (set them at Settings → Company Info or via the setup wizard if the password is also unset)
- If you used the AI free-form chat panel, your usage shifts to the predefined-analysis dropdown — same data sources, more reliable execution
📊 Test coverage
168 pytest tests, all green — covering AI security, analytics aggregations, auth flow, CORS, CSV safety, attachments, IIF import, invoice posting/editing, reporting, rate limiting, inventory posting (COGS, weighted-avg cost, voids), drill-down queries, duplicate detection, and saved reports. Full suite runs in ~13 seconds with zero network dependencies.
🙏 Contributors
- VonHoltenCodes — Creator
- PNWImport — Phase 9 analytics, Phase 9.5 AI insights with 7-provider support, Phase 9.7 auth/rate-limiting, Phase 11 inventory ledger / drill-down / duplicate detection / saved reports, Cloudflare Worker gateway, security audit pass
- jake-378 — Backup UI fixes, report period selectors, invoice terms autofill
- WC3D — Jinja2 XSS security fix
- v2.0.0 walkthrough patches built with Claude Code — closing remaining UI gaps for ship
🤖 Generated with Claude Code