Merge pull request #497 from icovada/pagination_simplification

refactor(api): apply CustomNumberPagination to all API views
Merge pull request #499 from eitchtee/weblate
2026-01-12 04:10:29 +01:00 · 2026-01-11 13:58:57 -03:00 · 2026-01-11 13:55:39 -03:00 · 2026-01-11 16:55:26 +00:00 · 2026-01-11 13:24:30 +00:00 · 2026-01-11 12:20:27 +01:00
521 changed files with 78552 additions and 17832 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1 @@
+__pycache__/
--- a/.env.example
+++ b/.env.example
@@ -1,6 +1,7 @@
 SERVER_NAME=wygiwyh_server
 DB_NAME=wygiwyh_pg
-PROCRASTINATE_NAME=wygiwyh_procrastinate
+
+TZ=UTC # Change to your timezone. This only affects some async tasks.

 DEBUG=false
 URL = https://...
@@ -9,6 +10,11 @@ SECRET_KEY=<GENERATE A SAFE SECRET KEY AND PLACE IT HERE>
 DJANGO_ALLOWED_HOSTS=localhost 127.0.0.1 [::1]
 OUTBOUND_PORT=9005

+# Uncomment these variables to automatically create an admin account using these credentials on startup.
+# After your first successfull login you can remove these variables from your file for safety reasons.
+#ADMIN_EMAIL=<ENTER YOUR EMAIL>
+#ADMIN_PASSWORD=<YOUR SAFE PASSWORD>
+
 SQL_DATABASE=wygiwyh
 SQL_USER=wygiwyh
 SQL_PASSWORD=<INSERT A SAFE PASSWORD HERE>
@@ -23,3 +29,12 @@ WEB_CONCURRENCY=4
 ENABLE_SOFT_DELETE=false
 # If ENABLE_SOFT_DELETE is true, transactions deleted for more than KEEP_DELETED_TRANSACTIONS_FOR days will be truly deleted. Set to 0 to keep all.
 KEEP_DELETED_TRANSACTIONS_FOR=365
+
+TASK_WORKERS=1 # This only work if you're using the single container option. Increase to have more open queues via procrastinate, you probably don't need to increase this.
+
+# OIDC Configuration. Uncomment the lines below if you want to add OIDC login to your instance
+#OIDC_CLIENT_NAME=""
+#OIDC_CLIENT_ID=""
+#OIDC_CLIENT_SECRET=""
+#OIDC_SERVER_URL=""
+#OIDC_ALLOW_SIGNUP=true
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,4 @@
+# These are supported funding model platforms
+
+github: eitchtee
+custom: ["https://www.paypal.com/donate/?hosted_button_id=FFWM4W9NQDMM6"]
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,43 +2,84 @@ name: Release Pipeline

 on:
  release:
-    types: [created]
+    types: [ created ]
+  push:
+    branches: [ main ]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Custom tag name for the image'
+        required: true
+        type: string
+      ref:
+        description: 'Git ref to checkout'
+        required: true
+        default: 'main'
+        type: string

 env:
  IMAGE_NAME: wygiwyh

+concurrency:
+  group: release
+  cancel-in-progress: false
+
 jobs:
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
+      packages: write # Needed if you switch to GHCR, good practice

    steps:
      - name: Checkout code
        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.ref || github.ref }}

      - name: Log in to Docker Hub
-        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

+      # This action handles all the logic for tags (nightly vs release vs custom)
+      - name: Docker Metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}
+          tags: |
+            # Logic for Push to Main -> nightly
+            type=raw,value=nightly,enable=${{ github.event_name == 'push' }}
+            # Logic for Release -> semver and latest
+            type=semver,pattern={{version}},enable=${{ github.event_name == 'release' }}
+            type=raw,value=latest,enable=${{ github.event_name == 'release' }}
+            # Logic for Manual Dispatch -> custom input
+            type=raw,value=${{ inputs.tag }},enable=${{ github.event_name == 'workflow_dispatch' }}
+
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

-      - name: Build and push image
+      - name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ./docker/prod/django/Dockerfile
          push: true
          provenance: false
-          tags: |
-            ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:latest
-            ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+          # Pass the calculated tags from the meta step
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            VERSION=${{ steps.meta.outputs.version }}
          platforms: linux/amd64,linux/arm64
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+
+          # --- CACHE CONFIGURATION ---
+          # We set a specific 'scope' key.
+          # This allows the Release tag to see the cache created by the Main branch.
+          cache-from: type=gha,scope=build-cache
+          cache-to: type=gha,mode=max,scope=build-cache
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@@ -0,0 +1,73 @@
+name: Django Translation Update
+
+on:
+  push:
+    branches: [ main ]
+  # Add manual trigger
+  workflow_dispatch:
+    inputs:
+      reason:
+        description: 'Reason for running'
+        required: false
+        default: 'Manual update of translation files'
+
+# Ensure only one translation job runs at a time
+concurrency:
+  group: django-translations
+  cancel-in-progress: false
+
+jobs:
+  update-translations:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    # Skip on PRs from forks (which don't have write permissions)
+    # Allow manual runs and pushes to main
+    if: github.event_name == 'workflow_dispatch' || github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository)
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.PAT }}
+          ref: ${{ github.head_ref }}
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Set up Python 3.11
+        run: uv python install 3.11
+
+      - name: Install dependencies
+        run: uv sync --frozen --no-dev
+
+      - name: Install gettext
+        run: sudo apt-get install -y gettext
+
+      - name: Run makemessages
+        run: |
+          cd app
+          uv run python manage.py makemessages -a
+
+      - name: Check for changes
+        id: check_changes
+        run: |
+          if git diff --exit-code --quiet app/locale/; then
+            echo "No translation changes detected"
+          else
+            echo "changes_detected=true" >> $GITHUB_OUTPUT
+            echo "Translation changes detected"
+          fi
+
+      - name: Commit translation files
+        if: steps.check_changes.outputs.changes_detected == 'true'
+        uses: stefanzweifel/git-auto-commit-action@v5
+        with:
+          push_options: --force
+          commit_message: |
+            chore(locale): update translation files
+            
+            [skip ci] Automatically generated by Django makemessages workflow
+          file_pattern: "app/locale/**/*.po"
--- a/.gitignore
+++ b/.gitignore
@@ -123,6 +123,7 @@ celerybeat.pid

 # Environments
 .env
+.prod.env
 .venv
 env/
 venv/
@@ -160,3 +161,7 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 .idea/
+
+node_modules/
+postgres_data/
+.prod.env
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,8 @@
+{
+    "djlint.showInstallError": false,
+    "files.associations": {
+        "*.css": "tailwindcss"
+    },
+    "tailwindCSS.experimental.configFile": "frontend/src/styles/tailwind.css",
+    "djlint.profile": "django",
+}
--- a/README.md
+++ b/README.md
@@ -13,6 +13,8 @@
  <a href="#key-features">Features</a> •
  <a href="#how-to-use">Usage</a> •
  <a href="#how-it-works">How</a> •
+  <a href="#mcp-server">MCP Server</a> •
+  <a href="#help-us-translate-wygiwyh">Translate</a> •
  <a href="#caveats-and-warnings">Caveats and Warnings</a> •
  <a href="#built-with">Built with</a>
 </p>
@@ -28,15 +30,15 @@ Managing money can feel unnecessarily complex, but it doesn’t have to be. WYGI

 By sticking to this straightforward approach, you avoid dipping into your savings while still keeping tabs on where your money goes.

-While this philosophy is simple, finding tools to make it work wasn’t. I initially used a spreadsheet, which served me well for years—until it became unwieldy as I started managing multiple currencies, accounts, and investments. I tried various financial management apps, but none met my key requirements:
+While this philosophy is simple, finding tools to make it work wasn’t. I initially used a spreadsheet, which served me well for years, until it became unwieldy as I started managing multiple currencies, accounts, and investments. I tried various financial management apps, but none met my key requirements:

 1. **Multi-currency support** to track income and expenses in different currencies.
-2. **Not a budgeting app** — as I dislike budgeting constraints.
+2. **Not a budgeting app** as I dislike budgeting constraints.
 3. **Web app usability** (ideally with mobile support, though optional).
 4. **Automation-ready API** to integrate with other tools and services.
 5. **Custom transaction rules** for credit card billing cycles or similar quirks.

-Frustrated by the lack of comprehensive options, I set out to build **WYGIWYH** — an opinionated yet powerful tool that I believe will resonate with like-minded users.
+Frustrated by the lack of comprehensive options, I set out to build **WYGIWYH**, an opinionated yet powerful tool that I believe will resonate with like-minded users.

 # Key Features

@@ -50,6 +52,17 @@ Frustrated by the lack of comprehensive options, I set out to build **WYGIWYH**
 * **Built-in Dollar-Cost Average (DCA) tracker**: Essential for tracking recurring investments, especially for crypto and stocks.
 * **API support for automation**: Seamlessly integrate with existing services to synchronize transactions.

+# Demo
+
+You can try WYGIWYH on [wygiwyh-demo.herculino.com](https://wygiwyh-demo.herculino.com/) with the credentials below:
+
+> [!NOTE]
+> E-mail: `demo@demo.com`
+> 
+> Password: `wygiwyhdemo`
+
+Keep in mind that **any data you add will be wiped in 24 hours or less**. And that **most automation features like the API, Rules, Automatic Exchange Rates and Import/Export are disabled**.
+
 # How To Use

 To run this application, you'll need [Docker](https://docs.docker.com/engine/install/) with [docker-compose](https://docs.docker.com/compose/install/).
@@ -75,10 +88,13 @@ $ nano .env # or any other editor you want to use
 # Run the app
 $ docker compose up -d

-# Create the first admin account
+# Create the first admin account. This isn't required if you set the enviroment variables: ADMIN_EMAIL and ADMIN_PASSWORD.
 $ docker compose exec -it web python manage.py createsuperuser
 ```

+> [!NOTE]
+> If you're using Unraid, you don't need to follow these steps, use the app on the store. Make sure to read the [Unraid section](#unraid) and [Environment Variables](#environment-variables) for an explanation of all available variables
+
 ## Running locally

 If you want to run WYGIWYH locally, on your env file:
@@ -90,471 +106,91 @@ If you want to run WYGIWYH locally, on your env file:
 You can now access localhost:OUTBOUND_PORT

 > [!NOTE]
-> If you're planning on running this behind Tailscale or other similar service also add your machine given IP to `DJANGO_ALLOWED_HOSTS`
+> - If you're planning on running this behind Tailscale or other similar service also add your machine given IP to `DJANGO_ALLOWED_HOSTS`
+> - If you're going to use another IP that isn't localhost, add it to `DJANGO_ALLOWED_HOSTS`, without `http://`
+
+
+## Latest changes
+Features are only added to `main` when ready, if you want to run the latest version, you must build from source or use the `:nightly` tag on docker. Keep in mind that there can be undocumented breaking changes.
+
+All the required Dockerfiles are [here](https://github.com/eitchtee/WYGIWYH/tree/main/docker/prod).
+
+## Unraid
+
+[nwithan8](https://github.com/nwithan8) has kindly provided a Unraid template for WYGIWYH, have a look at the [unraid_templates](https://github.com/nwithan8/unraid_templates) repo.
+
+WYGIWYH is available on the Unraid Store. You'll need to provision your own postgres (version 15 or up) database.
+
+To create the first user, open the container's console using Unraid's UI, by clicking on WYGIWYH icon on the Docker page and selecting `Console`, then type `python manage.py createsuperuser`, you'll them be prompted to input your e-mail and password.
+
+## Environment Variables
+
+| variable                      | type        | default                           | explanation                                                                                                                                                                                                                              |
+|-------------------------------|-------------|-----------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| INTERNAL_PORT                 | int         | 8000                              | The port on which the app listens on. Defaults to 8000 if not set.                                                                                                                                                                       |
+| DJANGO_ALLOWED_HOSTS          | string      | localhost 127.0.0.1               | A list of space separated domains and IPs representing the host/domain names that WYGIWYH site can serve. [Click here](https://docs.djangoproject.com/en/5.1/ref/settings/#allowed-hosts) for more details                               |
+| HTTPS_ENABLED                 | true\|false | false                             | Whether to use secure cookies. If this is set to true, the cookie will be marked as “secure”, which means browsers may ensure that the cookie is only sent under an HTTPS connection                                                     |
+| URL                           | string      | http://localhost http://127.0.0.1 | A list of space separated domains and IPs (with the protocol) representing the trusted origins for unsafe requests (e.g. POST). [Click here](https://docs.djangoproject.com/en/5.1/ref/settings/#csrf-trusted-origins ) for more details |
+| SECRET_KEY                    | string      | ""                                | This is used to provide cryptographic signing, and should be set to a unique, unpredictable value.                                                                                                                                       |
+| DEBUG                         | true\|false | false                             | Turns DEBUG mode on or off, this is useful to gather more data about possible errors you're having. Don't use in production.                                                                                                             |
+| SQL_DATABASE                  | string      | None *required                    | The name of your postgres database                                                                                                                                                                                                       |
+| SQL_USER                      | string      | user                              | The username used to connect to your postgres database                                                                                                                                                                                   |
+| SQL_PASSWORD                  | string      | password                          | The password used to connect to your postgres database                                                                                                                                                                                   |
+| SQL_HOST                      | string      | localhost                         | The address used to connect to your postgres database                                                                                                                                                                                    |
+| SQL_PORT                      | string      | 5432                              | The port used to connect to your postgres database                                                                                                                                                                                       |
+| SESSION_EXPIRY_TIME           | int         | 2678400 (31 days)                 | The age of session cookies, in seconds. E.g. how long you will stay logged in                                                                                                                                                            |
+| ENABLE_SOFT_DELETE            | true\|false | false                             | Whether to enable transactions soft delete, if enabled, deleted transactions will remain in the database. Useful for imports and avoiding duplicate entries.                                                                             |
+| KEEP_DELETED_TRANSACTIONS_FOR | int         | 365                               | Time in days to keep soft deleted transactions for. If 0, will keep all transactions indefinitely. Only works if ENABLE_SOFT_DELETE is true.                                                                                             |
+| TASK_WORKERS                  | int         | 1                                 | How many workers to have for async tasks. One should be enough for most use cases                                                                                                                                                        |
+| DEMO                          | true\|false | false                             | If demo mode is enabled.                                                                                                                                                                                                                 |
+| ADMIN_EMAIL                   | string      | None                              | Automatically creates an admin account with this email. Must have `ADMIN_PASSWORD` also set.                                                                                                                                             |
+| ADMIN_PASSWORD                | string      | None                              | Automatically creates an admin account with this password. Must have `ADMIN_EMAIL` also set.                                                                                                                                             |
+| CHECK_FOR_UPDATES             | true\|false | true                              | Check and notify users about new versions. The check is done by doing a single query to Github's API every 12 hours.                                                                                                                     |
+| DJANGO_VITE_DEV_MODE          | true\|false | false                             | Enables Vite dev server mode for frontend development. When true, assets are served from Vite's dev server instead of the build manifest. For development only!                                                                          |
+| DJANGO_VITE_DEV_SERVER_PORT   | int         | 5173                              | The port where Vite's dev server is running. Only used when DJANGO_VITE_DEV_MODE is true. For development only!                                                                                                                          |
+| DJANGO_VITE_DEV_SERVER_HOST   | string      | localhost                         | The host where Vite's dev server is running. Only used when DJANGO_VITE_DEV_MODE is true. For development only!                                                                                                                          |
+
+## OIDC Configuration
+
+WYGIWYH supports login via OpenID Connect (OIDC) through `django-allauth`. This allows users to authenticate using an external OIDC provider.

 > [!NOTE]
-> If you're going to use another IP that isn't localhost, add it to `DJANGO_ALLOWED_HOSTS`, without `http://`
+> Currently only OpenID Connect is supported as a provider, open an issue if you need something else.

+To configure OIDC, you need to set the following environment variables:

-## Building from source
+| Variable             | Description                                                                                                                                                                                                                                            |
+|----------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `OIDC_CLIENT_NAME`   | The name of the provider. will be displayed in the login page. Defaults to `OpenID Connect`                                                                                                                                                            |
+| `OIDC_CLIENT_ID`     | The Client ID provided by your OIDC provider.                                                                                                                                                                                                          |
+| `OIDC_CLIENT_SECRET` | The Client Secret provided by your OIDC provider.                                                                                                                                                                                                      |
+| `OIDC_SERVER_URL`    | The base URL of your OIDC provider's discovery document or authorization server (e.g., `https://your-provider.com/auth/realms/your-realm`). `django-allauth` will use this to discover the necessary endpoints (authorization, token, userinfo, etc.). |
+| `OIDC_ALLOW_SIGNUP`  | Allow the automatic creation of inexistent accounts on a successfull authentication. Defaults to `true`.                                                                                                                                               |

-Features are only added to `main` when ready, if you want to run the latest version, you must build from source.
+**Callback URL (Redirect URI):**

-```bash
-# Create a folder for WYGIWYH (optional)
-$ mkdir WYGIWYH
+When configuring your OIDC provider, you will need to provide a callback URL (also known as a Redirect URI). For WYGIWYH, the default callback URL is:

-# Go into the folder
-$ cd WYGIWYH
+`https://your.wygiwyh.domain/auth/oidc/<OIDC_CLIENT_NAME>/login/callback/`

-# Clone this repository
-$ git clone https://github.com/eitchtee/WYGIWYH.git .
-
-$ cp docker-compose.prod.yml docker-compose.yml
-$ cp .env.example .env
-# Now edit both files as you see fit
-
-# Run the app
-$ docker compose up -d --build
-
-# Create the first admin account
-$ docker compose exec -it web python manage.py createsuperuser
-```
+Replace `https://your.wygiwyh.domain` with the actual URL where your WYGIWYH instance is accessible. And `<OIDC_CLIENT_NAME>` with the slugfied value set in OIDC_CLIENT_NAME or the default `openid-connect` if you haven't set this variable.

 # How it works

-## Models
+Check out our [Wiki](https://github.com/eitchtee/WYGIWYH/wiki) for more information.

-### Transactions
-
-Transactions are the core feature of WYGIWYH, representing expenses or income in your accounts. Each transaction consists of the following fields:
-
-#### Type
-
- **Income**: A positive amount entering your account
- **Expense**: A negative amount exiting your account
-
-#### Paid Status
-
-A transaction can be either:
-
- **Current**: When marked as paid
- **Projected**: When marked as unpaid
-
-#### Account
-
-The account associated with the transaction. Required, limited to one account per transaction.
-
-#### Entity
-
-The party involved in the transaction:
-
- For **Income**: The paying entity
- For **Expense**: The receiving entity
-
-Optional field.
-
-#### Date
-
-The date when the transaction occurred. Required.
-
-#### Reference Date
-
-One of **WYGIWYH**'s key features. The reference date determines which month a transaction should count towards. For example, you can have a transaction that occurred on January 26th count towards February's finances.
-
-Optional - defaults to the transaction date's month if not specified.
-
-> [!CAUTION]
-> While designed primarily for credit card closing dates, this feature allows for debt rolling across months. Use responsibly to maintain accurate financial tracking.
-
-#### Type
-
- Income, meaning a positive amount (usually) entering your account
- Expense, meaning a negative amount exiting your account
-
-#### Description
-
-The name or purpose of the transaction. Required.
-
-#### Amount
-
-The monetary value of the transaction. Required.
-
-#### Category
-
-The primary classification of the transaction. Optional.
-
-#### Tags
-
-Additional labels for transaction categorization. Optional.
-
-#### Notes
-
-Additional information about the transaction. Optional.
-
-![img_4.png](.github/img/readme_transaction.png)
-
-### Installment Plan
-
-An Installment Plan is a helper model that generates a series of recurring transactions over a fixed period.
-
-#### Core Fields
-
- **Account**: The account for all transactions in the plan. Required.
- **Entity**: The paying or receiving party for all transactions. Optional.
- **Description**: The name of the installment plan, used for all transactions. Required.
- **Notes**: Additional information applied to all transactions. Optional.
-
-#### Installment Configuration
-
- **Number of Installments**: Total number of transactions to create (e.g., 1/10, 2/10)
- **Installment Start**: Initial counting point
- **Start Date**: Date of the first transaction
- **Reference Date**: Reference date for the first transaction
- **Recurrence**: Frequency of transactions (e.g., Monthly)
-
-![img_1.png](.github/img/readme_installment_plan.png)
-
-### Transaction Details
-
- **Amount**: Value for each transaction. Required.
- **Category**: Primary classification for all transactions. Optional.
- **Tags**: Labels applied to all transactions. Optional.
-
-### Recurring Transaction
-A Recurring Transaction is a helper model that generates recurring transactions indefinitely or until a certain date.
-
-#### Core Fields
-
- **Account**: The account for all transactions in the plan. Required.
- **Entity**: The paying or receiving party for all transactions. Optional.
- **Description**: The name of the recurring transaction, used for all transactions. Required.
- **Notes**: Additional information applied to all transactions. Optional.
-
-#### Recurring Transaction Configuration
-
- **Start Date**: Date of the first transaction. Required.
- **Reference Date**: Reference date for the first transaction. Optional.
- **Recurrence Type**: Frequency of transactions (e.g., Monthly). Required.
- **Recurrence Interval**: The interval between transactions (e.g. every 1 month, every 2 weeks, etc.). Required.
- **End date**: When new transactions should stop being created. Optional.
-
-#### Transaction Details
-
- **Amount**: Value for each transaction. Required.
- **Category**: Primary classification for all transactions. Optional.
- **Tags**: Labels applied to all transactions. Optional.
-
-#### Other information
-
- Recurring transactions are checked and created every midnight using Procrastinate.
- **WYGIWYH** tries to keep at most **6** future transactions created at any time.
- If you delete a recurring transaction it will not be recreated.
- You can stop or pause a recurring transaction at any time on the config page (/recurring-trasanctions/)
-
-![img_3.png](.github/img/readme_recurring_transaction.png)
-
-### Account
-
-Accounts represent different financial entities where transactions occur. They have the following attributes:
-
- **Name**: A unique identifier for the account.
- **Group**: An optional [account group](#account-groups) the account belongs to for organizational purposes.
- **Currency**: The primary [currency](#currency) of the account.
- **Exchange Currency**: An optional currency used for exchange rate calculations.
- **Is Asset**: A boolean indicating if the account is considered an asset (counts towards net worth).
- **Is Archived**: A boolean indicating if the account is archived (doesn't show up in active lists or count towards net worth).
-
-### Account Groups
-
-Account Groups are used to organize accounts into logical categories. They consist of:
-
- **Name**: A unique identifier for the group.
-
-### Currency
-
-Currencies represent different monetary units. They include:
-
-* **Code**: A unique identifier for the currency (e.g., USD, EUR).
-* **Name**: The full name of the currency.
-* **Decimal Place**: The number of decimal places used for the currency.
-* **Prefix**: An optional symbol or text that comes before the amount.
-* **Suffix**: An optional symbol or text that comes after the amount.
-
-### Exchange Rate
-
-Exchange Rates store conversion rates between currencies:
-
-* **From Currency**: The source currency.
-* **To Currency**: The target currency.
-* **Rate**: The conversion rate.
-* **Date**: The date the rate was recorded or is valid for.
-
-### Category
-
-Categories are used to classify transactions:
-
-* **Name**: A unique identifier for the category.
-* **Muted**: Muted categories won't count towards your monthly total.
-* **Active**: A boolean indicating if the category is currently in use. This will disable its use on new transactions.
-
-### Tag
-
-Tags provide additional labeling for transactions:
-
-* **Name**: A unique identifier for the tag.
-* **Active**: A boolean indicating if the category is currently in use. This will disable its use on new transactions.
-
-### Entity
-
-Entities represent parties involved in transactions:
-
-* **Name**: A unique identifier for the entity.
-* **Active**: A boolean indicating if the entity is currently in use. This will disable its use on new transactions.
-
---
-
-## Helper actions
-
-### Transfer
-
-A transfer happens when you move a monetary value from one account to another. This will create two transactions, one expense and one income with the values set by the user.
-
-Contrary to other finance trackers, due to our multi-currency support, **WYGIWYH**'s transfer system allows for non-zero transfers.
-
-![img.png](.github/img/readme_transfer.png)
-
-### Balance (Account Reconciliation)
-
-A balance is a easy way of updating your accounts balance. It creates a transaction with the difference between the balance currently in **WYGIWYH** and the new balance informed by you.
-
-This can be useful for savings accounts or other interest accruing investments.![img_2.png](.github/img/readme_balance.png)
-
---
-
-## Views
-
-### Monthly
-
-The Monthly view provides an overview of your financial activity for a specific month. It includes:
-
-* Total income and expenses for the month
-* Daily spending allowance calculation
-* List of transactions for the month
+# Help us translate WYGIWYH!
+<a href="https://translations.herculino.com/engage/wygiwyh/">
+<img src="https://translations.herculino.com/widget/wygiwyh/open-graph.png" alt="Translation status" />
+</a>

 > [!NOTE]
-> Reference dates are taken into account here.
+> Login with your github account

-### Yearly by currency
+# MCP Server

-This view gives you a yearly summary of your finances grouped by currency. It shows:
+[IZIme07](https://github.com/IZIme07) has kindly created an MCP Server for WYGIWYH that you can self-host. [Check it out at MCP-WYGIWYH](https://github.com/ReNewator/MCP-WYGIWYH)!

-* Total income and expenses for each currency
-* Monthly breakdown of income and expenses
-
-### Yearly by account
-
-Similar to the [yearly by currency](#yearly-by-currency) view, but groups the data by account instead.
-
-### Calendar
-
-The Calendar view presents your transactions in a monthly calendar format, allowing you to see your financial activity day by day. It includes:
-
-* Visual representation of daily transaction totals
-* Ability to view details of transactions for each day
-
-> [!NOTE]
-> Reference dates are **not** taken into account here.
-
-### Networh
-
-#### Current
-
-The Current Net Worth view shows your present financial standing, including:
-
-* Total value of all asset accounts
-* Breakdown of assets by account and currency
-* Historical net worth trend
-
-#### Projected
-
-The Projected Net Worth view estimates your future financial position based on current data and recurring transactions. It includes:
-
-* Your total net worth with projected and current transactions
-* Breakdown of assets by account and currency
-* Historical and future net worth trend
-
-### All Transactions
-
-This view provides a comprehensive list of all transactions across all accounts. Features include:
-
-* Advanced filtering and sorting options
-* Detailed information
-
-You can use this to see how much you spent on a given category, or a given day, etc..
-
-### Configuration and Management
-
-#### Management
-The Management section in the navbar allows you to add and edit most elements of WYGIWYH, including:
-
-* Accounts and Groups
-* Currencies and Exchange Rates
-* Categories, Tags and Entities
-* Rules
-
-#### User Settings
-
-WYGIWYH allows users to personalize their experience through customizable settings. Each user can configure:
-
-* **Language**: Choose your preferred interface language.
-* **Timezone**: Set your local timezone for accurate date and time display.
-* **Start Page**: Select which page you want to see first when you log in.
-* **Sound Preferences**: Toggle sound effects on or off.
-* **Amount Display**: Choose to show or hide monetary amounts by default.
-
-To access and modify these settings:
-
-1. Click on your username in the top-right corner of the page.
-2. Select "Settings" from the dropdown menu.
-3. Adjust your preferences as desired.
-4. Click "Save" to apply your changes.
-
-These settings ensure that WYGIWYH adapts to your personal preferences and working style.
-
-#### Django Admin
-From here you can also access Django's own admin site.
-
-> [!WARNING]
-> Most side effects aren't triggered from the admin.
-> Only use it if you know what you're doing or were told by a developer to do so.
-
---
-
-## Tools
-
-### Calculator
-
-The calculator is a floating widget that can be toggled by clicking the calculator icon on the navbar or by pressing <kbd>Alt</kbd> + <kbd>C</kbd> on any page.
-
-It allows for any math expression supported by [math.js](https://mathjs.org).
-
-![calculator](.github/img/readme_calculator.gif)
-
-### Dollar Cost Average Tracker
-
-The DCA Tracker can be accessed from the navbar's **Tools** menu.
-
-It allows for tracking DCA strategies and getting helpful information and insights.
-
-> [!IMPORTANT]
-> Currently DCA exists separately from your main transactions. You will need to add your entries manually.
-
-<img src=".github/img/readme_dca_1.png" width="45%"></img> <img src=".github/img/readme_dca_2.png" width="45%"></img>
-
-### Unit Price Calculator
-
-The Unit Price Calculator can be accessed from the navbar's **Tools** menu.
-
-This is a self-contained tool for comparing and finding the most cost-efficient item quickly and easily.
-
-Input the price and the amount of each item, the cheapeast will be highlighted in green, and the most expensive in red.
-
-You can add additional items by clicking the _Add_ button at the end of the page.
-
-> [!NOTE]
-> This doesn't do unit convertion. The amount of all items needs to be on the same the unit for proper functioning.
-
-![img.png](.github/img/readme_unit_price_calculator.png)
-
-### Currency Converter
-
-The Currency Converter is a tool that allows you to quickly convert amounts between different currencies.
-
-> [!NOTE]
-> There's no external Exchange Rate fetching. This uses the Exchange Rates configured in the [Management](#configuration-and-management) page for [Exchange Rates](#exchange-rate)
-
-## Automation
-
-### API
-
-WYGIWYH has a comprehensive API, it's documentation can be accessed on `<your-wygiwyh-url>/api/docs/`
-
-> [!NOTE]
-> While the API works, there's still much to be added to it to equipare functionality with the main web app.
-
-### Transaction Rules
-
-Transaction Rules are a powerful feature in WYGIWYH that allow for automatic modification of transactions based on specified criteria. This can save time and ensure consistency in your financial tracking.
-
-Key Aspects of Transaction Rules:
-
-* **Conditions**: Set specific criteria that a transaction must meet for the rule to apply. This can include attributes like description, amount, account, etc.
-* **Actions**: Define what changes should be made to a transaction when the conditions are met. This can include setting categories, tags, or modifying other fields.
-* **Activation Options**: Rules can be set to apply when transactions are created, updated, or both.
-
-#### Actions and Conditions
-
-When creating a new rule, you will need to add a Condition and, later, Actions.
-
-Both use a limited subset of Python, via [SimpleEval](https://github.com/danthedeckie/simpleeval).
-
-The Condition must evaluate to True or False, and the Action must evaluate to a value that will be set on the selected field.
-
-You may use any of the available [variables](#available-variables) and [functions](#available-functions).
-
-#### Available variables
-
-* `account_name`
-* `account_id`
-* `account_group_name`
-* `account_group_id`
-* `is_asset_account`
-* `is_archived_account`
-* `category_name`
-* `category_id`
-* `tag_names`
-* `tag_ids`
-* `entities_names`
-* `entities_ids`
-* `is_expense`
-* `is_income`
-* `is_paid`
-* `description`
-* `amount`
-* `notes`
-* `date`
-* `reference_date`
-
-#### Available functions
-
-* `relativedelta`
-
-#### Examples
-
-Add a tag to an income transaction if it happens in a specific account
-
-```
-If...
-account_name == "My Investing Account" and is_income
-
-Then...
-Set Tags to
-tag_names + ["Yield"]
-```
-
---
-
-Move credit card transactions to next month when they happen at a cutoff date
-
-```
-If...
-account_name == "My credit card" and date.day >= 26 and reference_date.month == date.month
-
-Then...
-Set Reference Date to
-reference_date + relativedelta(months=1)).replace(day=1)
-```
 # Caveats and Warnings

 - I'm not an accountant, some terms and even calculations might be wrong. Make sure to open an issue if you see anything that could be improved.
--- a/app/WYGIWYH/settings.py
+++ b/app/WYGIWYH/settings.py
@@ -11,9 +11,11 @@ https://docs.djangoproject.com/en/5.1/ref/settings/
 """

 import os
+import re
 import sys
 from pathlib import Path

+from django.utils.text import slugify

 SITE_TITLE = "WYGIWYH"
 TITLE_SEPARATOR = "::"
@@ -31,10 +33,8 @@ SECRET_KEY = os.getenv("SECRET_KEY", "")
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = os.getenv("DEBUG", "false").lower() == "true"

-ALLOWED_HOSTS = os.environ.get("DJANGO_ALLOWED_HOSTS", "localhost 127.0.0.1").split(" ")
-CSRF_TRUSTED_ORIGINS = os.environ.get("URL", "http://localhost http://127.0.0.1").split(
-    " "
-)
+ALLOWED_HOSTS = os.getenv("DJANGO_ALLOWED_HOSTS", "localhost 127.0.0.1").split(" ")
+CSRF_TRUSTED_ORIGINS = os.getenv("URL", "http://localhost http://127.0.0.1").split(" ")

 # Application definition

@@ -44,9 +44,10 @@ INSTALLED_APPS = [
    "django.contrib.contenttypes",
    "django.contrib.sessions",
    "django.contrib.messages",
+    "django.contrib.sites",
    "whitenoise.runserver_nostatic",
    "django.contrib.staticfiles",
-    "webpack_boilerplate",
+    "django_vite",
    "django.contrib.humanize",
    "django.contrib.postgres",
    "django_browser_reload",
@@ -57,26 +58,37 @@ INSTALLED_APPS = [
    "hijack",
    "hijack.contrib.admin",
    "django_filters",
+    "import_export",
    "apps.users.apps.UsersConfig",
    "procrastinate.contrib.django",
    "apps.transactions.apps.TransactionsConfig",
    "apps.currencies.apps.CurrenciesConfig",
    "apps.accounts.apps.AccountsConfig",
-    "apps.common.apps.CommonConfig",
    "apps.net_worth.apps.NetWorthConfig",
    "apps.import_app.apps.ImportConfig",
+    "apps.export_app.apps.ExportConfig",
    "apps.api.apps.ApiConfig",
    "cachalot",
    "rest_framework",
+    "rest_framework.authtoken",
    "drf_spectacular",
    "django_cotton",
    "apps.rules.apps.RulesConfig",
    "apps.calendar_view.apps.CalendarViewConfig",
    "apps.dca.apps.DcaConfig",
    "pwa",
+    "allauth",
+    "allauth.account",
+    "allauth.socialaccount",
+    "allauth.socialaccount.providers.openid_connect",
+    "apps.common.apps.CommonConfig",
 ]

+SITE_ID = 1
+
 MIDDLEWARE = [
+    "django_browser_reload.middleware.BrowserReloadMiddleware",
+    "apps.common.middleware.thread_local.ThreadLocalMiddleware",
    "debug_toolbar.middleware.DebugToolbarMiddleware",
    "django.middleware.security.SecurityMiddleware",
    "whitenoise.middleware.WhiteNoiseMiddleware",
@@ -88,8 +100,8 @@ MIDDLEWARE = [
    "apps.common.middleware.localization.LocalizationMiddleware",
    "django.contrib.messages.middleware.MessageMiddleware",
    "django.middleware.clickjacking.XFrameOptionsMiddleware",
-    "django_browser_reload.middleware.BrowserReloadMiddleware",
    "hijack.middleware.HijackUserMiddleware",
+    "allauth.account.middleware.AccountMiddleware",
 ]

 ROOT_URLCONF = "WYGIWYH.urls"
@@ -118,20 +130,42 @@ STORAGES = {

 WHITENOISE_MANIFEST_STRICT = False

+
+def immutable_file_test(path, url):
+    # Match vite (rollup)-generated hashes, à la, `some_file-CSliV9zW.js`
+    return re.match(r"^.+[.-][0-9a-zA-Z_-]{8,12}\..+$", url)
+
+
+WHITENOISE_IMMUTABLE_FILE_TEST = immutable_file_test
+
 WSGI_APPLICATION = "WYGIWYH.wsgi.application"


 # Database
 # https://docs.djangoproject.com/en/5.1/ref/settings/#databases

+THREADS = int(os.getenv("GUNICORN_THREADS", 1))
+MAX_POOL_SIZE = THREADS + 1
+
 DATABASES = {
    "default": {
        "ENGINE": "django.db.backends.postgresql",
-        "NAME": os.environ.get("SQL_DATABASE"),
-        "USER": os.environ.get("SQL_USER", "user"),
-        "PASSWORD": os.environ.get("SQL_PASSWORD", "password"),
-        "HOST": os.environ.get("SQL_HOST", "localhost"),
-        "PORT": os.environ.get("SQL_PORT", "5432"),
+        "NAME": os.getenv("SQL_DATABASE"),
+        "USER": os.getenv("SQL_USER", "user"),
+        "PASSWORD": os.getenv("SQL_PASSWORD", "password"),
+        "HOST": os.getenv("SQL_HOST", "localhost"),
+        "PORT": os.getenv("SQL_PORT", "5432"),
+        "CONN_MAX_AGE": 0,
+        "CONN_HEALTH_CHECKS": True,
+        "OPTIONS": {
+            "pool": {
+                "min_size": 1,
+                "max_size": MAX_POOL_SIZE,
+                "timeout": 10,
+                "max_lifetime": 600,
+                "max_idle": 300,
+            },
+        },
    }
 }

@@ -162,12 +196,108 @@ AUTH_USER_MODEL = "users.User"

 LANGUAGE_CODE = "en"
 LANGUAGES = (
+    ("af", "Afrikaans"),
+    ("ar", "العربية"),
+    ("ar-dz", "العربية (الجزائر)"),  # Algerian Arabic often uses the base name + region
+    ("ast", "Asturianu"),
+    ("az", "Azərbaycan"),
+    ("bg", "Български"),
+    ("be", "Беларуская"),
+    ("bn", "বাংলা"),
+    ("br", "Brezhoneg"),
+    ("bs", "Bosanski"),
+    ("ca", "Català"),
+    ("ckb", "کوردیی ناوەندی"),  # Central Kurdish (Sorani)
+    ("cs", "Čeština"),
+    ("cy", "Cymraeg"),
+    ("da", "Dansk"),
+    ("de", "Deutsch"),
+    ("dsb", "Dolnoserbšćina"),
+    ("el", "Ελληνικά"),
    ("en", "English"),
+    ("en-au", "English (Australia)"),
+    ("en-gb", "English (UK)"),
+    ("eo", "Esperanto"),
+    ("es", "Español"),
+    ("es-ar", "Español (Argentina)"),
+    ("es-co", "Español (Colombia)"),
+    ("es-mx", "Español (México)"),
+    ("es-ni", "Español (Nicaragua)"),
+    ("es-ve", "Español (Venezuela)"),
+    ("et", "Eesti"),
+    ("eu", "Euskara"),
+    ("fa", "فارسی"),
+    ("fi", "Suomi"),
+    ("fr", "Français"),
+    ("fy", "Frysk"),
+    ("ga", "Gaeilge"),
+    ("gd", "Gàidhlig"),
+    ("gl", "Galego"),
+    ("he", "עברית"),
+    ("hi", "हिन्दी"),
+    ("hr", "Hrvatski"),
+    ("hsb", "Hornjoserbšćina"),
+    ("hu", "Magyar"),
+    ("hy", "Հայերեն"),
+    ("ia", "Interlingua"),
+    ("id", "Bahasa Indonesia"),
+    ("ig", "Igbo"),
+    ("io", "Ido"),
+    ("is", "Íslenska"),
+    ("it", "Italiano"),
+    ("ja", "日本語"),
+    ("ka", "ქართული"),
+    ("kab", "Taqbaylit"),
+    ("kk", "Қазақша"),
+    ("km", "ខ្មែរ"),
+    ("kn", "ಕನ್ನಡ"),
+    ("ko", "한국어"),
+    ("ky", "Кыргызча"),
+    ("lb", "Lëtzebuergesch"),
+    ("lt", "Lietuvių"),
+    ("lv", "Latviešu"),
+    ("mk", "Македонски"),
+    ("ml", "മലയാളം"),
+    ("mn", "Монгол"),
+    ("mr", "मराठी"),
+    ("ms", "Bahasa Melayu"),
+    ("my", "မြန်မာဘာသာ"),
+    ("nb", "Norsk (Bokmål)"),
+    ("ne", "नेपाली"),
    ("nl", "Nederlands"),
+    ("nn", "Norsk (Nynorsk)"),
+    ("os", "Ирон"),  # Ossetic
+    ("pa", "ਪੰਜਾਬੀ"),
+    ("pl", "Polski"),
+    ("pt", "Português"),
    ("pt-br", "Português (Brasil)"),
+    ("ro", "Română"),
+    ("ru", "Русский"),
+    ("sk", "Slovenčina"),
+    ("sl", "Slovenščina"),
+    ("sq", "Shqip"),
+    ("sr", "Српски"),
+    ("sr-latn", "Srpski (Latinica)"),
+    ("sv", "Svenska"),
+    ("sw", "Kiswahili"),
+    ("ta", "தமிழ்"),
+    ("te", "తెలుగు"),
+    ("tg", "Тоҷикӣ"),
+    ("th", "ไทย"),
+    ("tk", "Türkmençe"),
+    ("tr", "Türkçe"),
+    ("tt", "Татарча"),
+    ("udm", "Удмурт"),
+    ("ug", "ئۇيغۇرچە"),
+    ("uk", "Українська"),
+    ("ur", "اردو"),
+    ("uz", "Oʻzbekcha"),
+    ("vi", "Tiếng Việt"),
+    ("zh-hans", "简体中文"),
+    ("zh-hant", "繁體中文"),
 )

-TIME_ZONE = "UTC"
+TIME_ZONE = os.getenv("TZ", "UTC")

 USE_I18N = True

@@ -183,7 +313,7 @@ STATIC_URL = "static/"
 STATIC_ROOT = BASE_DIR / "static_files"

 STATICFILES_DIRS = [
-    ROOT_DIR / "frontend/build",
+    ROOT_DIR / "frontend" / "build",
    BASE_DIR / "static",
 ]

@@ -199,9 +329,11 @@ CACHES = {
    }
 }

-WEBPACK_LOADER = {
-    "MANIFEST_FILE": ROOT_DIR / "frontend/build/manifest.json",
-}
+DJANGO_VITE_ASSETS_PATH = STATIC_ROOT
+DJANGO_VITE_MANIFEST_PATH = DJANGO_VITE_ASSETS_PATH / "manifest.json"
+DJANGO_VITE_DEV_MODE = os.getenv("DJANGO_VITE_DEV_MODE", "false").lower() == "true"
+DJANGO_VITE_DEV_SERVER_PORT = int(os.getenv("DJANGO_VITE_DEV_SERVER_PORT", "5173"))
+DJANGO_VITE_DEV_SERVER_HOST = os.getenv("DJANGO_VITE_DEV_SERVER_HOST", "localhost")

 # Default primary key field type
 # https://docs.djangoproject.com/en/5.1/ref/settings/#default-auto-field
@@ -210,10 +342,49 @@ DEFAULT_AUTO_FIELD = "django.db.models.BigAutoField"

 LOGIN_REDIRECT_URL = "/"
 LOGIN_URL = "/login/"
+LOGOUT_REDIRECT_URL = "/login/"
+
+# Allauth settings
+AUTHENTICATION_BACKENDS = [
+    "django.contrib.auth.backends.ModelBackend",  # Keep default
+    "allauth.account.auth_backends.AuthenticationBackend",
+]
+
+SOCIALACCOUNT_PROVIDERS = {"openid_connect": {"APPS": []}}
+
+if (
+    os.getenv("OIDC_CLIENT_ID")
+    and os.getenv("OIDC_CLIENT_SECRET")
+    and os.getenv("OIDC_SERVER_URL")
+):
+    SOCIALACCOUNT_PROVIDERS["openid_connect"]["APPS"].append(
+        {
+            "provider_id": slugify(os.getenv("OIDC_CLIENT_NAME", "OpenID Connect")),
+            "name": os.getenv("OIDC_CLIENT_NAME", "OpenID Connect"),
+            "client_id": os.getenv("OIDC_CLIENT_ID"),
+            "secret": os.getenv("OIDC_CLIENT_SECRET"),
+            "settings": {
+                "server_url": os.getenv("OIDC_SERVER_URL"),
+            },
+        }
+    )
+
+ACCOUNT_LOGIN_METHODS = {"email"}
+ACCOUNT_SIGNUP_FIELDS = ["email*", "password1*", "password2*"]
+ACCOUNT_USER_MODEL_USERNAME_FIELD = None
+ACCOUNT_EMAIL_VERIFICATION = "none"
+SOCIALACCOUNT_LOGIN_ON_GET = True
+SOCIALACCOUNT_ONLY = True
+SOCIALACCOUNT_AUTO_SIGNUP = os.getenv("OIDC_ALLOW_SIGNUP", "true").lower() == "true"
+ACCOUNT_ADAPTER = "allauth.account.adapter.DefaultAccountAdapter"
+SOCIALACCOUNT_ADAPTER = "allauth.socialaccount.adapter.DefaultSocialAccountAdapter"

 # CRISPY FORMS
-CRISPY_ALLOWED_TEMPLATE_PACKS = ["bootstrap5", "crispy_forms/pure_text"]
-CRISPY_TEMPLATE_PACK = "bootstrap5"
+CRISPY_ALLOWED_TEMPLATE_PACKS = [
+    "crispy_forms/pure_text",
+    "crispy-daisyui",
+]
+CRISPY_TEMPLATE_PACK = "crispy-daisyui"

 SESSION_EXPIRE_AT_BROWSER_CLOSE = False
 SESSION_COOKIE_AGE = int(os.getenv("SESSION_EXPIRY_TIME", 2678400))  # 31 days
@@ -221,7 +392,7 @@ SESSION_COOKIE_SECURE = os.getenv("HTTPS_ENABLED", "false").lower() == "true"

 DEBUG_TOOLBAR_CONFIG = {
    "ROOT_TAG_EXTRA_ATTRS": "hx-preserve",
-    "SHOW_TOOLBAR_CALLBACK": lambda r: False,  # disables it}
+    # "SHOW_TOOLBAR_CALLBACK": lambda r: False,  # disables it
 }
 DEBUG_TOOLBAR_PANELS = [
    "debug_toolbar.panels.history.HistoryPanel",
@@ -237,7 +408,7 @@ DEBUG_TOOLBAR_PANELS = [
    "debug_toolbar.panels.signals.SignalsPanel",
    "debug_toolbar.panels.redirects.RedirectsPanel",
    "debug_toolbar.panels.profiling.ProfilingPanel",
-    "cachalot.panels.CachalotPanel",
+    # "cachalot.panels.CachalotPanel",
 ]
 INTERNAL_IPS = [
    "127.0.0.1",
@@ -259,9 +430,20 @@ if DEBUG:
 REST_FRAMEWORK = {
    # Use Django's standard `django.contrib.auth` permissions,
    # or allow read-only access for unauthenticated users.
-    "DEFAULT_PERMISSION_CLASSES": ["rest_framework.permissions.DjangoModelPermissions"],
-    "DEFAULT_PAGINATION_CLASS": "rest_framework.pagination.PageNumberPagination",
-    "PAGE_SIZE": 10,
+    "DEFAULT_PERMISSION_CLASSES": [
+        "apps.api.permissions.NotInDemoMode",
+        "rest_framework.permissions.DjangoModelPermissions",
+    ],
+    'DEFAULT_FILTER_BACKENDS': [
+        'django_filters.rest_framework.DjangoFilterBackend',
+        'rest_framework.filters.OrderingFilter',
+    ],
+    'DEFAULT_AUTHENTICATION_CLASSES': [
+        'rest_framework.authentication.BasicAuthentication',
+        'rest_framework.authentication.SessionAuthentication',
+        'rest_framework.authentication.TokenAuthentication',
+    ],
+    "DEFAULT_PAGINATION_CLASS": "apps.api.custom.pagination.CustomPageNumberPagination",
    "DEFAULT_SCHEMA_CLASS": "drf_spectacular.openapi.AutoSchema",
 }

@@ -278,29 +460,32 @@ if "procrastinate" in sys.argv:
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {
-            "procrastinate": {
-                "format": "%(asctime)s %(levelname)-7s %(name)s %(message)s"
+            "standard": {
+                "format": "[%(asctime)s] - %(levelname)s - %(name)s - %(message)s",
+                "datefmt": "%Y-%m-%d %H:%M:%S",
            },
        },
        "handlers": {
            "procrastinate": {
-                "level": "DEBUG",
+                "level": "INFO",
                "class": "logging.StreamHandler",
-                "formatter": "procrastinate",
+                "formatter": "standard",
            },
            "console": {
                "class": "logging.StreamHandler",
+                "formatter": "standard",
+                "level": "INFO",
            },
        },
        "loggers": {
            "procrastinate": {
                "handlers": ["procrastinate"],
-                "level": "INFO",
                "propagate": False,
            },
            "root": {
                "handlers": ["console"],
                "level": "INFO",
+                "propagate": False,
            },
        },
    }
@@ -309,24 +494,25 @@ else:
        "version": 1,
        "disable_existing_loggers": False,
        "formatters": {
-            "procrastinate": {
-                "format": "%(asctime)s %(levelname)-7s %(name)s %(message)s"
+            "standard": {
+                "format": "[%(asctime)s] - %(levelname)s - %(name)s - %(message)s",
+                "datefmt": "%Y-%m-%d %H:%M:%S",
            },
        },
        "handlers": {
-            "procrastinate": {
-                "level": "DEBUG",
-                "class": "logging.StreamHandler",
-                "formatter": "procrastinate",
-            },
            "console": {
                "class": "logging.StreamHandler",
+                "formatter": "standard",
+                "level": "INFO",
+            },
+            "procrastinate": {
+                "level": "INFO",
+                "class": "logging.StreamHandler",
            },
        },
        "loggers": {
            "procrastinate": {
                "handlers": None,
-                "level": "INFO",
                "propagate": False,
            },
            "root": {
@@ -338,6 +524,8 @@ else:

 CACHALOT_UNCACHABLE_TABLES = ("django_migrations", "procrastinate_jobs")

+# Procrastinate
+PROCRASTINATE_ON_APP_READY = "apps.common.procrastinate.on_app_ready"

 # PWA
 PWA_APP_NAME = SITE_TITLE
@@ -386,4 +574,7 @@ PWA_APP_SCREENSHOTS = [
 PWA_SERVICE_WORKER_PATH = BASE_DIR / "templates" / "pwa" / "serviceworker.js"

 ENABLE_SOFT_DELETE = os.getenv("ENABLE_SOFT_DELETE", "false").lower() == "true"
+CHECK_FOR_UPDATES = os.getenv("CHECK_FOR_UPDATES", "true").lower() == "true"
 KEEP_DELETED_TRANSACTIONS_FOR = int(os.getenv("KEEP_DELETED_ENTRIES_FOR", "365"))
+APP_VERSION = os.getenv("APP_VERSION", "unknown")
+DEMO = os.getenv("DEMO", "false").lower() == "true"
--- a/app/WYGIWYH/urls.py
+++ b/app/WYGIWYH/urls.py
@@ -21,6 +21,8 @@ from drf_spectacular.views import (
    SpectacularAPIView,
    SpectacularSwaggerView,
 )
+from allauth.socialaccount.providers.openid_connect.views import login, callback
+

 urlpatterns = [
    path("admin/", admin.site.urls),
@@ -36,6 +38,13 @@ urlpatterns = [
        SpectacularSwaggerView.as_view(url_name="schema"),
        name="swagger-ui",
    ),
+    path("auth/", include("allauth.urls")),  # allauth urls
+    # path("auth/oidc/<str:provider_id>/login/", login, name="openid_connect_login"),
+    # path(
+    #     "auth/oidc/<str:provider_id>/login/callback/",
+    #     callback,
+    #     name="openid_connect_callback",
+    # ),
    path("", include("apps.transactions.urls")),
    path("", include("apps.common.urls")),
    path("", include("apps.users.urls")),
@@ -49,4 +58,6 @@ urlpatterns = [
    path("", include("apps.dca.urls")),
    path("", include("apps.mini_tools.urls")),
    path("", include("apps.import_app.urls")),
+    path("", include("apps.export_app.urls")),
+    path("", include("apps.insights.urls")),
 ]
--- a/app/apps/accounts/admin.py
+++ b/app/apps/accounts/admin.py
@@ -1,6 +1,14 @@
 from django.contrib import admin

-from apps.accounts.models import Account
+from apps.accounts.models import Account, AccountGroup
+from apps.common.admin import SharedObjectModelAdmin


-admin.site.register(Account)
+@admin.register(Account)
+class AccountModelAdmin(SharedObjectModelAdmin):
+    pass
+
+
+@admin.register(AccountGroup)
+class AccountGroupModelAdmin(SharedObjectModelAdmin):
+    pass
--- a/app/apps/accounts/forms.py
+++ b/app/apps/accounts/forms.py
@@ -1,21 +1,21 @@
-from crispy_bootstrap5.bootstrap5 import Switch
+from apps.accounts.models import Account, AccountGroup
+from apps.common.fields.forms.dynamic_select import (
+    DynamicModelChoiceField,
+    DynamicModelMultipleChoiceField,
+)
+from apps.common.widgets.crispy.daisyui import Switch
+from apps.common.widgets.crispy.submit import NoClassSubmit
+from apps.common.widgets.decimal import ArbitraryDecimalDisplayNumberInput
+from apps.common.widgets.tom_select import TomSelect
+from apps.currencies.models import Currency
+from apps.transactions.models import TransactionCategory, TransactionTag
 from crispy_forms.bootstrap import FormActions
 from crispy_forms.helper import FormHelper
-from crispy_forms.layout import Layout, Field, Column, Row
+from crispy_forms.layout import Column, Field, Layout, Row
 from django import forms
+from django.db.models import Q
 from django.utils.translation import gettext_lazy as _

-from apps.accounts.models import Account
-from apps.accounts.models import AccountGroup
-from apps.common.fields.forms.dynamic_select import (
-    DynamicModelMultipleChoiceField,
-    DynamicModelChoiceField,
-)
-from apps.common.widgets.crispy.submit import NoClassSubmit
-from apps.common.widgets.tom_select import TomSelect
-from apps.transactions.models import TransactionCategory, TransactionTag
-from apps.common.widgets.decimal import ArbitraryDecimalDisplayNumberInput
-

 class AccountGroupForm(forms.ModelForm):
    class Meta:
@@ -36,17 +36,13 @@ class AccountGroupForm(forms.ModelForm):
        if self.instance and self.instance.pk:
            self.helper.layout.append(
                FormActions(
-                    NoClassSubmit(
-                        "submit", _("Update"), css_class="btn btn-outline-primary w-100"
-                    ),
+                    NoClassSubmit("submit", _("Update"), css_class="btn btn-primary"),
                ),
            )
        else:
            self.helper.layout.append(
                FormActions(
-                    NoClassSubmit(
-                        "submit", _("Add"), css_class="btn btn-outline-primary w-100"
-                    ),
+                    NoClassSubmit("submit", _("Add"), css_class="btn btn-primary"),
                ),
            )

@@ -77,6 +73,20 @@ class AccountForm(forms.ModelForm):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

+        self.fields["group"].queryset = AccountGroup.objects.all()
+
+        if self.instance.id:
+            qs = Currency.objects.filter(
+                Q(is_archived=False) | Q(accounts=self.instance.id)
+            ).distinct()
+            self.fields["currency"].queryset = qs
+            self.fields["exchange_currency"].queryset = qs
+
+        else:
+            qs = Currency.objects.filter(Q(is_archived=False))
+            self.fields["currency"].queryset = qs
+            self.fields["exchange_currency"].queryset = qs
+
        self.helper = FormHelper()
        self.helper.form_tag = False
        self.helper.form_method = "post"
@@ -92,17 +102,13 @@ class AccountForm(forms.ModelForm):
        if self.instance and self.instance.pk:
            self.helper.layout.append(
                FormActions(
-                    NoClassSubmit(
-                        "submit", _("Update"), css_class="btn btn-outline-primary w-100"
-                    ),
+                    NoClassSubmit("submit", _("Update"), css_class="btn btn-primary"),
                ),
            )
        else:
            self.helper.layout.append(
                FormActions(
-                    NoClassSubmit(
-                        "submit", _("Add"), css_class="btn btn-outline-primary w-100"
-                    ),
+                    NoClassSubmit("submit", _("Add"), css_class="btn btn-primary"),
                ),
            )

@@ -140,9 +146,8 @@ class AccountBalanceForm(forms.Form):
        self.helper.layout = Layout(
            "new_balance",
            Row(
-                Column("category", css_class="form-group col-md-6 mb-0"),
-                Column("tags", css_class="form-group col-md-6 mb-0"),
-                css_class="form-row",
+                Column("category"),
+                Column("tags"),
            ),
            Field("account_id"),
        )
@@ -151,5 +156,11 @@ class AccountBalanceForm(forms.Form):
            decimal_places=self.currency_decimal_places
        )

+        self.fields["category"].queryset = TransactionCategory.objects.filter(
+            active=True
+        )
+
+        self.fields["tags"].queryset = TransactionTag.objects.filter(active=True)
+

 AccountBalanceFormSet = forms.formset_factory(AccountBalanceForm, extra=0)
--- a/app/apps/accounts/migrations/0009_account_owner_account_shared_with_accountgroup_owner.py
+++ b/app/apps/accounts/migrations/0009_account_owner_account_shared_with_accountgroup_owner.py
@@ -0,0 +1,31 @@
+# Generated by Django 5.1.6 on 2025-03-04 15:07
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0008_alter_account_name'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='account',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='owned_accounts', to=settings.AUTH_USER_MODEL, verbose_name='Owner'),
+        ),
+        migrations.AddField(
+            model_name='account',
+            name='shared_with',
+            field=models.ManyToManyField(blank=True, related_name='shared_accounts', to=settings.AUTH_USER_MODEL, verbose_name='Shared With'),
+        ),
+        migrations.AddField(
+            model_name='accountgroup',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='owned_account_groups', to=settings.AUTH_USER_MODEL, verbose_name='Owner'),
+        ),
+    ]
--- a/app/apps/accounts/migrations/0010_alter_account_managers_alter_accountgroup_managers_and_more.py
+++ b/app/apps/accounts/migrations/0010_alter_account_managers_alter_accountgroup_managers_and_more.py
@@ -0,0 +1,46 @@
+# Generated by Django 5.1.6 on 2025-03-05 02:42
+
+import django.db.models.manager
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0009_account_owner_account_shared_with_accountgroup_owner'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AlterModelManagers(
+            name='account',
+            managers=[
+                ('all_objects', django.db.models.manager.Manager()),
+            ],
+        ),
+        migrations.AlterModelManagers(
+            name='accountgroup',
+            managers=[
+                ('all_objects', django.db.models.manager.Manager()),
+            ],
+        ),
+        migrations.AlterField(
+            model_name='account',
+            name='name',
+            field=models.CharField(max_length=255, verbose_name='Name'),
+        ),
+        migrations.AlterField(
+            model_name='accountgroup',
+            name='name',
+            field=models.CharField(max_length=255, verbose_name='Name'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='account',
+            unique_together={('owner', 'name')},
+        ),
+        migrations.AlterUniqueTogether(
+            name='accountgroup',
+            unique_together={('owner', 'name')},
+        ),
+    ]
--- a/app/apps/accounts/migrations/0011_alter_account_owner_alter_accountgroup_owner.py
+++ b/app/apps/accounts/migrations/0011_alter_account_owner_alter_accountgroup_owner.py
@@ -0,0 +1,26 @@
+# Generated by Django 5.1.6 on 2025-03-05 04:19
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0010_alter_account_managers_alter_accountgroup_managers_and_more'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='account',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='owned_accounts', to=settings.AUTH_USER_MODEL, verbose_name='Owner'),
+        ),
+        migrations.AlterField(
+            model_name='accountgroup',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='owned_account_groups', to=settings.AUTH_USER_MODEL, verbose_name='Owner'),
+        ),
+    ]
--- a/app/apps/accounts/migrations/0012_alter_account_managers_alter_accountgroup_managers_and_more.py
+++ b/app/apps/accounts/migrations/0012_alter_account_managers_alter_accountgroup_managers_and_more.py
@@ -0,0 +1,56 @@
+# Generated by Django 5.1.6 on 2025-03-05 23:46
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0011_alter_account_owner_alter_accountgroup_owner'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AlterModelManagers(
+            name='account',
+            managers=[
+            ],
+        ),
+        migrations.AlterModelManagers(
+            name='accountgroup',
+            managers=[
+            ],
+        ),
+        migrations.AddField(
+            model_name='account',
+            name='visibility',
+            field=models.CharField(choices=[('private', 'Private'), ('shared', 'Shared'), ('public', 'Public')], default='private', max_length=10),
+        ),
+        migrations.AddField(
+            model_name='accountgroup',
+            name='shared_with',
+            field=models.ManyToManyField(blank=True, related_name='%(class)s_shared', to=settings.AUTH_USER_MODEL),
+        ),
+        migrations.AddField(
+            model_name='accountgroup',
+            name='visibility',
+            field=models.CharField(choices=[('private', 'Private'), ('shared', 'Shared'), ('public', 'Public')], default='private', max_length=10),
+        ),
+        migrations.AlterField(
+            model_name='account',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='%(class)s_owned', to=settings.AUTH_USER_MODEL),
+        ),
+        migrations.AlterField(
+            model_name='account',
+            name='shared_with',
+            field=models.ManyToManyField(blank=True, related_name='%(class)s_shared', to=settings.AUTH_USER_MODEL),
+        ),
+        migrations.AlterField(
+            model_name='accountgroup',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='%(class)s_owned', to=settings.AUTH_USER_MODEL),
+        ),
+    ]
--- a/app/apps/accounts/migrations/0013_alter_account_visibility_and_more.py
+++ b/app/apps/accounts/migrations/0013_alter_account_visibility_and_more.py
@@ -0,0 +1,23 @@
+# Generated by Django 5.1.6 on 2025-03-06 01:47
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0012_alter_account_managers_alter_accountgroup_managers_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='account',
+            name='visibility',
+            field=models.CharField(choices=[('private', 'Private'), ('public', 'Public')], default='private', max_length=10),
+        ),
+        migrations.AlterField(
+            model_name='accountgroup',
+            name='visibility',
+            field=models.CharField(choices=[('private', 'Private'), ('public', 'Public')], default='private', max_length=10),
+        ),
+    ]
--- a/app/apps/accounts/migrations/0014_alter_account_options_alter_accountgroup_options.py
+++ b/app/apps/accounts/migrations/0014_alter_account_options_alter_accountgroup_options.py
@@ -0,0 +1,21 @@
+# Generated by Django 5.1.7 on 2025-03-09 21:54
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0013_alter_account_visibility_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='account',
+            options={'ordering': ['name', 'id'], 'verbose_name': 'Account', 'verbose_name_plural': 'Accounts'},
+        ),
+        migrations.AlterModelOptions(
+            name='accountgroup',
+            options={'ordering': ['name', 'id'], 'verbose_name': 'Account Group', 'verbose_name_plural': 'Account Groups'},
+        ),
+    ]
--- a/app/apps/accounts/migrations/0015_alter_account_owner_alter_account_shared_with_and_more.py
+++ b/app/apps/accounts/migrations/0015_alter_account_owner_alter_account_shared_with_and_more.py
@@ -0,0 +1,46 @@
+# Generated by Django 5.2.4 on 2025-07-28 02:15
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0014_alter_account_options_alter_accountgroup_options'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='account',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='%(class)s_owned', to=settings.AUTH_USER_MODEL, verbose_name='Owner'),
+        ),
+        migrations.AlterField(
+            model_name='account',
+            name='shared_with',
+            field=models.ManyToManyField(blank=True, related_name='%(class)s_shared', to=settings.AUTH_USER_MODEL, verbose_name='Shared with users'),
+        ),
+        migrations.AlterField(
+            model_name='account',
+            name='visibility',
+            field=models.CharField(choices=[('private', 'Private'), ('public', 'Public')], default='private', max_length=10, verbose_name='Visibility'),
+        ),
+        migrations.AlterField(
+            model_name='accountgroup',
+            name='owner',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='%(class)s_owned', to=settings.AUTH_USER_MODEL, verbose_name='Owner'),
+        ),
+        migrations.AlterField(
+            model_name='accountgroup',
+            name='shared_with',
+            field=models.ManyToManyField(blank=True, related_name='%(class)s_shared', to=settings.AUTH_USER_MODEL, verbose_name='Shared with users'),
+        ),
+        migrations.AlterField(
+            model_name='accountgroup',
+            name='visibility',
+            field=models.CharField(choices=[('private', 'Private'), ('public', 'Public')], default='private', max_length=10, verbose_name='Visibility'),
+        ),
+    ]
--- a/app/apps/accounts/migrations/0016_account_untracked_by.py
+++ b/app/apps/accounts/migrations/0016_account_untracked_by.py
@@ -0,0 +1,20 @@
+# Generated by Django 5.2.4 on 2025-08-09 05:52
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0015_alter_account_owner_alter_account_shared_with_and_more'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='account',
+            name='untracked_by',
+            field=models.ManyToManyField(blank=True, related_name='untracked_accounts', to=settings.AUTH_USER_MODEL),
+        ),
+    ]
--- a/app/apps/accounts/models.py
+++ b/app/apps/accounts/models.py
@@ -1,24 +1,32 @@
+from django.conf import settings
 from django.core.exceptions import ValidationError
 from django.db import models
 from django.utils.translation import gettext_lazy as _

+from apps.common.middleware.thread_local import get_current_user
+from apps.common.models import SharedObject, SharedObjectManager
 from apps.transactions.models import Transaction


-class AccountGroup(models.Model):
-    name = models.CharField(max_length=255, verbose_name=_("Name"), unique=True)
+class AccountGroup(SharedObject):
+    name = models.CharField(max_length=255, verbose_name=_("Name"))
+
+    objects = SharedObjectManager()
+    all_objects = models.Manager()  # Unfiltered manager

    class Meta:
        verbose_name = _("Account Group")
        verbose_name_plural = _("Account Groups")
        db_table = "account_groups"
+        unique_together = (("owner", "name"),)
+        ordering = ["name", "id"]

    def __str__(self):
        return self.name


-class Account(models.Model):
-    name = models.CharField(max_length=255, verbose_name=_("Name"), unique=True)
+class Account(SharedObject):
+    name = models.CharField(max_length=255, verbose_name=_("Name"))
    group = models.ForeignKey(
        AccountGroup,
        on_delete=models.SET_NULL,
@@ -54,14 +62,28 @@ class Account(models.Model):
        verbose_name=_("Archived"),
        help_text=_("Archived accounts don't show up nor count towards your net worth"),
    )
+    untracked_by = models.ManyToManyField(
+        settings.AUTH_USER_MODEL,
+        blank=True,
+        related_name="untracked_accounts",
+    )
+
+    objects = SharedObjectManager()
+    all_objects = models.Manager()  # Unfiltered manager

    class Meta:
        verbose_name = _("Account")
        verbose_name_plural = _("Accounts")
+        unique_together = (("owner", "name"),)
+        ordering = ["name", "id"]

    def __str__(self):
        return self.name

+    def is_untracked_by(self):
+        user = get_current_user()
+        return self.untracked_by.filter(pk=user.pk).exists()
+
    def clean(self):
        super().clean()
        if self.exchange_currency == self.currency:
--- a/app/apps/accounts/services.py
+++ b/app/apps/accounts/services.py
@@ -0,0 +1,33 @@
+from decimal import Decimal
+
+from django.db import models
+
+from apps.accounts.models import Account
+from apps.transactions.models import Transaction
+
+
+def get_account_balance(account: Account, paid_only: bool = True) -> Decimal:
+    """
+    Calculate account balance (income - expense).
+
+    Args:
+        account: Account instance to calculate balance for.
+        paid_only: If True, only count paid transactions (current balance).
+                   If False, count all transactions (projected balance).
+
+    Returns:
+        Decimal: The calculated balance (income - expense).
+    """
+    filters = {"account": account}
+    if paid_only:
+        filters["is_paid"] = True
+
+    income = Transaction.objects.filter(
+        type=Transaction.Type.INCOME, **filters
+    ).aggregate(total=models.Sum("amount"))["total"] or Decimal("0")
+
+    expense = Transaction.objects.filter(
+        type=Transaction.Type.EXPENSE, **filters
+    ).aggregate(total=models.Sum("amount"))["total"] or Decimal("0")
+
+    return income - expense
--- a/app/apps/accounts/tests.py
+++ b/app/apps/accounts/tests.py
@@ -1,3 +1,5 @@
+from datetime import date
+
 from django.test import TestCase

 from apps.accounts.models import Account, AccountGroup
@@ -39,3 +41,135 @@ class AccountTests(TestCase):
            exchange_currency=self.exchange_currency,
        )
        self.assertEqual(account.exchange_currency, self.exchange_currency)
+
+
+class GetAccountBalanceServiceTests(TestCase):
+    """Tests for the get_account_balance service function"""
+
+    def setUp(self):
+        """Set up test data"""
+        from apps.transactions.models import Transaction
+        self.Transaction = Transaction
+        
+        self.currency = Currency.objects.create(
+            code="BRL", name="Brazilian Real", decimal_places=2, prefix="R$ "
+        )
+        self.account_group = AccountGroup.objects.create(name="Service Test Group")
+        self.account = Account.objects.create(
+            name="Service Test Account", group=self.account_group, currency=self.currency
+        )
+
+    def test_balance_with_no_transactions(self):
+        """Test balance is 0 when no transactions exist"""
+        from apps.accounts.services import get_account_balance
+        from decimal import Decimal
+        
+        balance = get_account_balance(self.account, paid_only=True)
+        self.assertEqual(balance, Decimal("0"))
+
+    def test_current_balance_only_counts_paid(self):
+        """Test current balance only counts paid transactions"""
+        from apps.accounts.services import get_account_balance
+        from decimal import Decimal
+        
+        # Paid income
+        self.Transaction.objects.create(
+            account=self.account,
+            type=self.Transaction.Type.INCOME,
+            amount=Decimal("100.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="Paid income",
+        )
+        # Unpaid income (should not count)
+        self.Transaction.objects.create(
+            account=self.account,
+            type=self.Transaction.Type.INCOME,
+            amount=Decimal("50.00"),
+            is_paid=False,
+            date=date(2025, 1, 1),
+            description="Unpaid income",
+        )
+        # Paid expense
+        self.Transaction.objects.create(
+            account=self.account,
+            type=self.Transaction.Type.EXPENSE,
+            amount=Decimal("30.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="Paid expense",
+        )
+
+        balance = get_account_balance(self.account, paid_only=True)
+        self.assertEqual(balance, Decimal("70.00"))  # 100 - 30
+
+    def test_projected_balance_counts_all(self):
+        """Test projected balance counts all transactions"""
+        from apps.accounts.services import get_account_balance
+        from decimal import Decimal
+        
+        # Paid income
+        self.Transaction.objects.create(
+            account=self.account,
+            type=self.Transaction.Type.INCOME,
+            amount=Decimal("100.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="Paid income",
+        )
+        # Unpaid income
+        self.Transaction.objects.create(
+            account=self.account,
+            type=self.Transaction.Type.INCOME,
+            amount=Decimal("50.00"),
+            is_paid=False,
+            date=date(2025, 1, 1),
+            description="Unpaid income",
+        )
+        # Paid expense
+        self.Transaction.objects.create(
+            account=self.account,
+            type=self.Transaction.Type.EXPENSE,
+            amount=Decimal("30.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="Paid expense",
+        )
+        # Unpaid expense
+        self.Transaction.objects.create(
+            account=self.account,
+            type=self.Transaction.Type.EXPENSE,
+            amount=Decimal("20.00"),
+            is_paid=False,
+            date=date(2025, 1, 1),
+            description="Unpaid expense",
+        )
+
+        balance = get_account_balance(self.account, paid_only=False)
+        self.assertEqual(balance, Decimal("100.00"))  # (100 + 50) - (30 + 20)
+
+    def test_balance_defaults_to_paid_only(self):
+        """Test that paid_only defaults to True"""
+        from apps.accounts.services import get_account_balance
+        from decimal import Decimal
+        
+        self.Transaction.objects.create(
+            account=self.account,
+            type=self.Transaction.Type.INCOME,
+            amount=Decimal("100.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="Paid",
+        )
+        self.Transaction.objects.create(
+            account=self.account,
+            type=self.Transaction.Type.INCOME,
+            amount=Decimal("50.00"),
+            is_paid=False,
+            date=date(2025, 1, 1),
+            description="Unpaid",
+        )
+
+        balance = get_account_balance(self.account)  # defaults to paid_only=True
+        self.assertEqual(balance, Decimal("100.00"))
+
--- a/app/apps/accounts/urls.py
+++ b/app/apps/accounts/urls.py
@@ -16,11 +16,26 @@ urlpatterns = [
        views.account_edit,
        name="account_edit",
    ),
+    path(
+        "account/<int:pk>/share/",
+        views.account_share,
+        name="account_share_settings",
+    ),
    path(
        "account/<int:pk>/delete/",
        views.account_delete,
        name="account_delete",
    ),
+    path(
+        "account/<int:pk>/take-ownership/",
+        views.account_take_ownership,
+        name="account_take_ownership",
+    ),
+    path(
+        "account/<int:pk>/toggle-untracked/",
+        views.account_toggle_untracked,
+        name="account_toggle_untracked",
+    ),
    path("account-groups/", views.account_groups_index, name="account_groups_index"),
    path("account-groups/list/", views.account_groups_list, name="account_groups_list"),
    path("account-groups/add/", views.account_group_add, name="account_group_add"),
@@ -34,4 +49,14 @@ urlpatterns = [
        views.account_group_delete,
        name="account_group_delete",
    ),
+    path(
+        "account-groups/<int:pk>/take-ownership/",
+        views.account_group_take_ownership,
+        name="account_group_take_ownership",
+    ),
+    path(
+        "account-groups/<int:pk>/share/",
+        views.account_group_share,
+        name="account_group_share_settings",
+    ),
 ]
--- a/app/apps/accounts/views/account_groups.py
+++ b/app/apps/accounts/views/account_groups.py
@@ -8,6 +8,8 @@ from django.views.decorators.http import require_http_methods
 from apps.accounts.forms import AccountGroupForm
 from apps.accounts.models import AccountGroup
 from apps.common.decorators.htmx import only_htmx
+from apps.common.models import SharedObject
+from apps.common.forms import SharedObjectForm


@login_required
@@ -23,7 +25,7 @@ def account_groups_index(request):
@login_required
@require_http_methods(["GET"])
 def account_groups_list(request):
-    account_groups = AccountGroup.objects.all().order_by("id")
+    account_groups = AccountGroup.objects.all().order_by("name")
    return render(
        request,
        "account_groups/fragments/list.html",
@@ -63,6 +65,16 @@ def account_group_add(request, **kwargs):
 def account_group_edit(request, pk):
    account_group = get_object_or_404(AccountGroup, id=pk)

+    if account_group.owner and account_group.owner != request.user:
+        messages.error(request, _("Only the owner can edit this"))
+
+        return HttpResponse(
+            status=204,
+            headers={
+                "HX-Trigger": "updated, hide_offcanvas",
+            },
+        )
+
    if request.method == "POST":
        form = AccountGroupForm(request.POST, instance=account_group)
        if form.is_valid():
@@ -91,9 +103,15 @@ def account_group_edit(request, pk):
 def account_group_delete(request, pk):
    account_group = get_object_or_404(AccountGroup, id=pk)

-    account_group.delete()
-
-    messages.success(request, _("Account Group deleted successfully"))
+    if (
+        account_group.owner != request.user
+        and request.user in account_group.shared_with.all()
+    ):
+        account_group.shared_with.remove(request.user)
+        messages.success(request, _("Item no longer shared with you"))
+    else:
+        account_group.delete()
+        messages.success(request, _("Account Group deleted successfully"))

    return HttpResponse(
        status=204,
@@ -101,3 +119,62 @@ def account_group_delete(request, pk):
            "HX-Trigger": "updated, hide_offcanvas",
        },
    )
+
+
+@only_htmx
+@login_required
+@require_http_methods(["GET"])
+def account_group_take_ownership(request, pk):
+    account_group = get_object_or_404(AccountGroup, id=pk)
+
+    if not account_group.owner:
+        account_group.owner = request.user
+        account_group.visibility = SharedObject.Visibility.private
+        account_group.save()
+
+        messages.success(request, _("Ownership taken successfully"))
+
+    return HttpResponse(
+        status=204,
+        headers={
+            "HX-Trigger": "updated, hide_offcanvas",
+        },
+    )
+
+
+@only_htmx
+@login_required
+@require_http_methods(["GET", "POST"])
+def account_group_share(request, pk):
+    obj = get_object_or_404(AccountGroup, id=pk)
+
+    if obj.owner and obj.owner != request.user:
+        messages.error(request, _("Only the owner can edit this"))
+
+        return HttpResponse(
+            status=204,
+            headers={
+                "HX-Trigger": "updated, hide_offcanvas",
+            },
+        )
+
+    if request.method == "POST":
+        form = SharedObjectForm(request.POST, instance=obj, user=request.user)
+        if form.is_valid():
+            form.save()
+            messages.success(request, _("Configuration saved successfully"))
+
+            return HttpResponse(
+                status=204,
+                headers={
+                    "HX-Trigger": "updated, hide_offcanvas",
+                },
+            )
+    else:
+        form = SharedObjectForm(instance=obj, user=request.user)
+
+    return render(
+        request,
+        "accounts/fragments/share.html",
+        {"form": form, "object": obj},
+    )
--- a/app/apps/accounts/views/accounts.py
+++ b/app/apps/accounts/views/accounts.py
@@ -8,6 +8,8 @@ from django.views.decorators.http import require_http_methods
 from apps.accounts.forms import AccountForm
 from apps.accounts.models import Account
 from apps.common.decorators.htmx import only_htmx
+from apps.common.models import SharedObject
+from apps.common.forms import SharedObjectForm


@login_required
@@ -23,7 +25,7 @@ def accounts_index(request):
@login_required
@require_http_methods(["GET"])
 def accounts_list(request):
-    accounts = Account.objects.all().order_by("id")
+    accounts = Account.objects.all().order_by("name")
    return render(
        request,
        "accounts/fragments/list.html",
@@ -62,6 +64,15 @@ def account_add(request, **kwargs):
@require_http_methods(["GET", "POST"])
 def account_edit(request, pk):
    account = get_object_or_404(Account, id=pk)
+    if account.owner and account.owner != request.user:
+        messages.error(request, _("Only the owner can edit this"))
+
+        return HttpResponse(
+            status=204,
+            headers={
+                "HX-Trigger": "updated, hide_offcanvas",
+            },
+        )

    if request.method == "POST":
        form = AccountForm(request.POST, instance=account)
@@ -85,15 +96,97 @@ def account_edit(request, pk):
    )


+@only_htmx
+@login_required
+@require_http_methods(["GET", "POST"])
+def account_share(request, pk):
+    obj = get_object_or_404(Account, id=pk)
+
+    if obj.owner and obj.owner != request.user:
+        messages.error(request, _("Only the owner can edit this"))
+
+        return HttpResponse(
+            status=204,
+            headers={
+                "HX-Trigger": "updated, hide_offcanvas",
+            },
+        )
+
+    if request.method == "POST":
+        form = SharedObjectForm(request.POST, instance=obj, user=request.user)
+        if form.is_valid():
+            form.save()
+            messages.success(request, _("Configuration saved successfully"))
+
+            return HttpResponse(
+                status=204,
+                headers={
+                    "HX-Trigger": "updated, hide_offcanvas",
+                },
+            )
+    else:
+        form = SharedObjectForm(instance=obj, user=request.user)
+
+    return render(
+        request,
+        "accounts/fragments/share.html",
+        {"form": form, "object": obj},
+    )
+
+
@only_htmx
@login_required
@require_http_methods(["DELETE"])
 def account_delete(request, pk):
    account = get_object_or_404(Account, id=pk)

-    account.delete()
-
-    messages.success(request, _("Account deleted successfully"))
+    if account.owner != request.user and request.user in account.shared_with.all():
+        account.shared_with.remove(request.user)
+        messages.success(request, _("Item no longer shared with you"))
+    else:
+        account.delete()
+        messages.success(request, _("Account deleted successfully"))
+
+    return HttpResponse(
+        status=204,
+        headers={
+            "HX-Trigger": "updated, hide_offcanvas",
+        },
+    )
+
+
+@only_htmx
+@login_required
+@require_http_methods(["GET"])
+def account_toggle_untracked(request, pk):
+    account = get_object_or_404(Account, id=pk)
+    if account.is_untracked_by():
+        account.untracked_by.remove(request.user)
+        messages.success(request, _("Account is now tracked"))
+    else:
+        account.untracked_by.add(request.user)
+        messages.success(request, _("Account is now untracked"))
+
+    return HttpResponse(
+        status=204,
+        headers={
+            "HX-Trigger": "updated",
+        },
+    )
+
+
+@only_htmx
+@login_required
+@require_http_methods(["GET"])
+def account_take_ownership(request, pk):
+    account = get_object_or_404(Account, id=pk)
+
+    if not account.owner:
+        account.owner = request.user
+        account.visibility = SharedObject.Visibility.private
+        account.save()
+
+        messages.success(request, _("Ownership taken successfully"))

    return HttpResponse(
        status=204,
--- a/app/apps/accounts/views/balance.py
+++ b/app/apps/accounts/views/balance.py
@@ -11,23 +11,13 @@ from django.utils.translation import gettext_lazy as _

 from apps.accounts.forms import AccountBalanceFormSet
 from apps.accounts.models import Account, Transaction
+from apps.accounts.services import get_account_balance
 from apps.common.decorators.htmx import only_htmx


@only_htmx
@login_required
 def account_reconciliation(request):
-    def get_account_balance(account):
-        income = Transaction.objects.filter(
-            account=account, type=Transaction.Type.INCOME, is_paid=True
-        ).aggregate(total=models.Sum("amount"))["total"] or Decimal("0")
-
-        expense = Transaction.objects.filter(
-            account=account, type=Transaction.Type.EXPENSE, is_paid=True
-        ).aggregate(total=models.Sum("amount"))["total"] or Decimal("0")
-
-        return income - expense
-
    initial_data = [
        {
            "account_id": account.id,
@@ -38,9 +28,9 @@ def account_reconciliation(request):
            "prefix": account.currency.prefix,
            "current_balance": get_account_balance(account),
        }
-        for account in Account.objects.filter(is_archived=False).select_related(
-            "currency", "group"
-        )
+        for account in Account.objects.filter(is_archived=False)
+        .select_related("currency", "group")
+        .order_by("group", "name")
    ]

    if request.method == "POST":
--- a/frontend/assets/images/.gitkeep
+++ b/frontend/assets/images/.gitkeep
--- a/app/apps/api/custom/pagination.py
+++ b/app/apps/api/custom/pagination.py
@@ -0,0 +1,6 @@
+from rest_framework.pagination import PageNumberPagination
+
+
+class CustomPageNumberPagination(PageNumberPagination):
+    page_size = 100
+    page_size_query_param = "page_size"
--- a/app/apps/api/fields/transactions.py
+++ b/app/apps/api/fields/transactions.py
@@ -1,8 +1,6 @@
-from drf_spectacular.types import OpenApiTypes
 from drf_spectacular.utils import extend_schema_field
 from rest_framework import serializers
 from django.utils.translation import gettext_lazy as _
-
 from apps.transactions.models import (
    TransactionCategory,
    TransactionTag,
@@ -12,15 +10,19 @@ from apps.transactions.models import (

@extend_schema_field(
    {
-        "oneOf": [{"type": "string"}, {"type": "integer"}],
-        "description": "TransactionCategory ID or name. If the name doesn't exist, a new one will be created",
+        "oneOf": [{"type": "string"}, {"type": "integer"}, {"type": "null"}],
+        "description": "TransactionCategory ID or name. If the name doesn't exist, a new one will be created. Can be null if no category is assigned.",
    }
 )
 class TransactionCategoryField(serializers.Field):
    def to_representation(self, value):
+        if value is None:
+            return None
        return {"id": value.id, "name": value.name}

    def to_internal_value(self, data):
+        if data is None:
+            return None
        if isinstance(data, int):
            try:
                return TransactionCategory.objects.get(pk=data)
@@ -29,7 +31,11 @@ class TransactionCategoryField(serializers.Field):
                    _("Category with this ID does not exist.")
                )
        elif isinstance(data, str):
-            category, created = TransactionCategory.objects.get_or_create(name=data)
+            try:
+                category = TransactionCategory.objects.get(name=data)
+            except TransactionCategory.DoesNotExist:
+                category = TransactionCategory(name=data)
+                category.save()
            return category
        raise serializers.ValidationError(
            _("Invalid category data. Provide an ID or name.")
@@ -39,7 +45,10 @@ class TransactionCategoryField(serializers.Field):
    def get_schema():
        return {
            "type": "array",
-            "items": {"type": "string", "description": "TransactionTag ID or name"},
+            "items": {
+                "type": "string",
+                "description": "TransactionCategory ID or name",
+            },
        }


@@ -65,7 +74,11 @@ class TransactionTagField(serializers.Field):
                        _("Tag with this ID does not exist.")
                    )
            elif isinstance(item, str):
-                tag, created = TransactionTag.objects.get_or_create(name=item)
+                try:
+                    tag = TransactionTag.objects.get(name=item)
+                except TransactionTag.DoesNotExist:
+                    tag = TransactionTag(name=item)
+                    tag.save()
            else:
                raise serializers.ValidationError(
                    _("Invalid tag data. Provide an ID or name.")
@@ -74,6 +87,13 @@ class TransactionTagField(serializers.Field):
        return tags


+@extend_schema_field(
+    {
+        "type": "array",
+        "items": {"oneOf": [{"type": "string"}, {"type": "integer"}]},
+        "description": "TransactionEntity ID or name. If the name doesn't exist, a new one will be created",
+    }
+)
 class TransactionEntityField(serializers.Field):
    def to_representation(self, value):
        return [{"id": entity.id, "name": entity.name} for entity in value.all()]
@@ -84,12 +104,16 @@ class TransactionEntityField(serializers.Field):
            if isinstance(item, int):
                try:
                    entity = TransactionEntity.objects.get(pk=item)
-                except TransactionTag.DoesNotExist:
+                except TransactionEntity.DoesNotExist:
                    raise serializers.ValidationError(
                        _("Entity with this ID does not exist.")
                    )
            elif isinstance(item, str):
-                entity, created = TransactionEntity.objects.get_or_create(name=item)
+                try:
+                    entity = TransactionEntity.objects.get(name=item)
+                except TransactionEntity.DoesNotExist:
+                    entity = TransactionEntity(name=item)
+                    entity.save()
            else:
                raise serializers.ValidationError(
                    _("Invalid entity data. Provide an ID or name.")
--- a/app/apps/api/permissions.py
+++ b/app/apps/api/permissions.py
@@ -0,0 +1,10 @@
+from rest_framework.permissions import BasePermission
+from django.conf import settings
+
+
+class NotInDemoMode(BasePermission):
+    def has_permission(self, request, view):
+        if settings.DEMO and not request.user.is_superuser:
+            return False
+        else:
+            return True
--- a/app/apps/api/serializers/init.py
+++ b/app/apps/api/serializers/init.py
@@ -2,3 +2,5 @@ from .transactions import *
 from .accounts import *
 from .currencies import *
 from .dca import *
+from .imports import *
+
--- a/app/apps/api/serializers/accounts.py
+++ b/app/apps/api/serializers/accounts.py
@@ -1,3 +1,4 @@
+from django.db.models import Q
 from rest_framework import serializers
 from rest_framework.permissions import IsAuthenticated

@@ -22,6 +23,7 @@ class AccountSerializer(serializers.ModelSerializer):
        write_only=True,
        allow_null=True,
    )
+
    currency = CurrencySerializer(read_only=True)
    currency_id = serializers.PrimaryKeyRelatedField(
        queryset=Currency.objects.all(), source="currency", write_only=True
@@ -50,6 +52,13 @@ class AccountSerializer(serializers.ModelSerializer):
            "is_asset",
        ]

+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        request = self.context.get("request")
+        if request and request.user.is_authenticated:
+            # Reload the queryset to get an updated version with the requesting user
+            self.fields["group_id"].queryset = AccountGroup.objects.all()
+
    def create(self, validated_data):
        return Account.objects.create(**validated_data)

@@ -58,3 +67,12 @@ class AccountSerializer(serializers.ModelSerializer):
            setattr(instance, attr, value)
        instance.save()
        return instance
+
+
+class AccountBalanceSerializer(serializers.Serializer):
+    """Serializer for account balance response."""
+
+    current_balance = serializers.DecimalField(max_digits=20, decimal_places=10)
+    projected_balance = serializers.DecimalField(max_digits=20, decimal_places=10)
+    currency = CurrencySerializer()
+
--- a/app/apps/api/serializers/imports.py
+++ b/app/apps/api/serializers/imports.py
@@ -0,0 +1,41 @@
+from rest_framework import serializers
+
+from apps.import_app.models import ImportProfile, ImportRun
+
+
+class ImportProfileSerializer(serializers.ModelSerializer):
+    """Serializer for listing import profiles."""
+
+    class Meta:
+        model = ImportProfile
+        fields = ["id", "name", "version", "yaml_config"]
+
+
+class ImportRunSerializer(serializers.ModelSerializer):
+    """Serializer for listing import runs."""
+
+    class Meta:
+        model = ImportRun
+        fields = [
+            "id",
+            "status",
+            "profile",
+            "file_name",
+            "logs",
+            "processed_rows",
+            "total_rows",
+            "successful_rows",
+            "skipped_rows",
+            "failed_rows",
+            "started_at",
+            "finished_at",
+        ]
+
+
+class ImportFileSerializer(serializers.Serializer):
+    """Serializer for uploading a file to import using an existing profile."""
+
+    profile_id = serializers.PrimaryKeyRelatedField(
+        queryset=ImportProfile.objects.all(), source="profile"
+    )
+    file = serializers.FileField()
--- a/app/apps/api/serializers/transactions.py
+++ b/app/apps/api/serializers/transactions.py
@@ -1,3 +1,5 @@
+from decimal import Decimal
+
 from django.utils.translation import gettext_lazy as _
 from drf_spectacular import openapi
 from drf_spectacular.types import OpenApiTypes
@@ -21,6 +23,7 @@ from apps.transactions.models import (
    TransactionEntity,
    RecurringTransaction,
 )
+from apps.common.middleware.thread_local import get_current_user


 class TransactionCategorySerializer(serializers.ModelSerializer):
@@ -29,6 +32,10 @@ class TransactionCategorySerializer(serializers.ModelSerializer):
    class Meta:
        model = TransactionCategory
        fields = "__all__"
+        read_only_fields = [
+            "id",
+            "owner",
+        ]


 class TransactionTagSerializer(serializers.ModelSerializer):
@@ -37,6 +44,10 @@ class TransactionTagSerializer(serializers.ModelSerializer):
    class Meta:
        model = TransactionTag
        fields = "__all__"
+        read_only_fields = [
+            "id",
+            "owner",
+        ]


 class TransactionEntitySerializer(serializers.ModelSerializer):
@@ -45,12 +56,16 @@ class TransactionEntitySerializer(serializers.ModelSerializer):
    class Meta:
        model = TransactionEntity
        fields = "__all__"
+        read_only_fields = [
+            "id",
+            "owner",
+        ]


 class InstallmentPlanSerializer(serializers.ModelSerializer):
-    category = TransactionCategoryField(required=False)
-    tags = TransactionTagField(required=False)
-    entities = TransactionEntityField(required=False)
+    category: str | int = TransactionCategoryField(required=False)
+    tags: str | int = TransactionTagField(required=False)
+    entities: str | int = TransactionEntityField(required=False)

    permission_classes = [IsAuthenticated]

@@ -88,9 +103,9 @@ class InstallmentPlanSerializer(serializers.ModelSerializer):


 class RecurringTransactionSerializer(serializers.ModelSerializer):
-    category = TransactionCategoryField(required=False)
-    tags = TransactionTagField(required=False)
-    entities = TransactionEntityField(required=False)
+    category: str | int = TransactionCategoryField(required=False)
+    tags: str | int = TransactionTagField(required=False)
+    entities: str | int = TransactionEntityField(required=False)

    class Meta:
        model = RecurringTransaction
@@ -123,13 +138,14 @@ class RecurringTransactionSerializer(serializers.ModelSerializer):
    def update(self, instance, validated_data):
        instance = super().update(instance, validated_data)
        instance.update_unpaid_transactions()
+        instance.generate_upcoming_transactions()
        return instance


 class TransactionSerializer(serializers.ModelSerializer):
-    category = TransactionCategoryField(required=False)
-    tags = TransactionTagField(required=False)
-    entities = TransactionEntityField(required=False)
+    category: str | int = TransactionCategoryField(required=False)
+    tags: str | int = TransactionTagField(required=False)
+    entities: str | int = TransactionEntityField(required=False)

    exchanged_amount = serializers.SerializerMethodField()

@@ -155,8 +171,16 @@ class TransactionSerializer(serializers.ModelSerializer):
            "installment_plan",
            "recurring_transaction",
            "installment_id",
+            "owner",
+            "deleted_at",
+            "deleted",
        ]

+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        self.fields["account_id"].queryset = Account.objects.all()
+
    def validate(self, data):
        if not self.partial:
            if "date" in data and "reference_date" not in data:
@@ -192,5 +216,5 @@ class TransactionSerializer(serializers.ModelSerializer):
        return instance

    @staticmethod
-    def get_exchanged_amount(obj):
+    def get_exchanged_amount(obj) -> Decimal:
        return obj.exchanged_amount()
--- a/app/apps/api/tests/init.py
+++ b/app/apps/api/tests/init.py
@@ -0,0 +1,5 @@
+# Import all test classes for Django test discovery
+from .test_imports import *
+from .test_accounts import *
+from .test_data_isolation import *
+from .test_shared_access import *
--- a/app/apps/api/tests/test_accounts.py
+++ b/app/apps/api/tests/test_accounts.py
@@ -0,0 +1,99 @@
+from datetime import date
+from decimal import Decimal
+
+from django.contrib.auth import get_user_model
+from django.test import TestCase, override_settings
+from rest_framework import status
+from rest_framework.test import APIClient
+
+from apps.accounts.models import Account, AccountGroup
+from apps.currencies.models import Currency
+from apps.transactions.models import Transaction
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class AccountBalanceAPITests(TestCase):
+    """Tests for the Account Balance API endpoint"""
+
+    def setUp(self):
+        """Set up test data"""
+        User = get_user_model()
+        self.user = User.objects.create_user(
+            email="testuser@test.com", password="testpass123"
+        )
+        self.client = APIClient()
+        self.client.force_authenticate(user=self.user)
+
+        self.currency = Currency.objects.create(
+            code="USD", name="US Dollar", decimal_places=2, prefix="$ "
+        )
+        self.account_group = AccountGroup.objects.create(name="Test Group")
+        self.account = Account.objects.create(
+            name="Test Account", group=self.account_group, currency=self.currency
+        )
+
+        # Create some transactions
+        Transaction.objects.create(
+            account=self.account,
+            type=Transaction.Type.INCOME,
+            amount=Decimal("500.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="Paid income",
+        )
+        Transaction.objects.create(
+            account=self.account,
+            type=Transaction.Type.INCOME,
+            amount=Decimal("200.00"),
+            is_paid=False,
+            date=date(2025, 1, 15),
+            description="Unpaid income",
+        )
+        Transaction.objects.create(
+            account=self.account,
+            type=Transaction.Type.EXPENSE,
+            amount=Decimal("100.00"),
+            is_paid=True,
+            date=date(2025, 1, 10),
+            description="Paid expense",
+        )
+
+    def test_get_balance_success(self):
+        """Test successful balance retrieval"""
+        response = self.client.get(f"/api/accounts/{self.account.id}/balance/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertIn("current_balance", response.data)
+        self.assertIn("projected_balance", response.data)
+        self.assertIn("currency", response.data)
+
+        # Current: 500 - 100 = 400
+        self.assertEqual(Decimal(response.data["current_balance"]), Decimal("400.00"))
+        # Projected: (500 + 200) - 100 = 600
+        self.assertEqual(Decimal(response.data["projected_balance"]), Decimal("600.00"))
+
+        # Check currency data
+        self.assertEqual(response.data["currency"]["code"], "USD")
+
+    def test_get_balance_nonexistent_account(self):
+        """Test balance for non-existent account returns 404"""
+        response = self.client.get("/api/accounts/99999/balance/")
+
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+    def test_get_balance_unauthenticated(self):
+        """Test unauthenticated request returns 403"""
+        unauthenticated_client = APIClient()
+        response = unauthenticated_client.get(
+            f"/api/accounts/{self.account.id}/balance/"
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
--- a/app/apps/api/tests/test_data_isolation.py
+++ b/app/apps/api/tests/test_data_isolation.py
@@ -0,0 +1,719 @@
+from datetime import date
+from decimal import Decimal
+
+from django.contrib.auth import get_user_model
+from django.test import TestCase, override_settings
+from rest_framework import status
+from rest_framework.test import APIClient
+
+from apps.accounts.models import Account, AccountGroup
+from apps.currencies.models import Currency
+from apps.dca.models import DCAStrategy, DCAEntry
+from apps.transactions.models import (
+    Transaction,
+    TransactionCategory,
+    TransactionTag,
+    TransactionEntity,
+    InstallmentPlan,
+    RecurringTransaction,
+)
+
+
+ACCESS_DENIED_CODES = [status.HTTP_403_FORBIDDEN, status.HTTP_404_NOT_FOUND]
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class AccountDataIsolationTests(TestCase):
+    """Tests to ensure users cannot access other users' accounts."""
+
+    def setUp(self):
+        """Set up test data with two distinct users."""
+        User = get_user_model()
+
+        # User 1 - the requester
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        # User 2 - owner of data that user1 should NOT access
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+        self.client2 = APIClient()
+        self.client2.force_authenticate(user=self.user2)
+
+        # Shared currency
+        self.currency = Currency.objects.create(
+            code="USD", name="US Dollar", decimal_places=2, prefix="$ "
+        )
+
+        # User 1's account
+        self.user1_account_group = AccountGroup.all_objects.create(
+            name="User1 Group", owner=self.user1
+        )
+        self.user1_account = Account.all_objects.create(
+            name="User1 Account",
+            group=self.user1_account_group,
+            currency=self.currency,
+            owner=self.user1,
+        )
+
+        # User 2's account (private, should be invisible to user1)
+        self.user2_account_group = AccountGroup.all_objects.create(
+            name="User2 Group", owner=self.user2
+        )
+        self.user2_account = Account.all_objects.create(
+            name="User2 Account",
+            group=self.user2_account_group,
+            currency=self.currency,
+            owner=self.user2,
+        )
+
+    def test_user_cannot_see_other_users_accounts_in_list(self):
+        """GET /api/accounts/ should only return user's own accounts."""
+        response = self.client1.get("/api/accounts/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        # User1 should only see their own account
+        account_ids = [acc["id"] for acc in response.data["results"]]
+        self.assertIn(self.user1_account.id, account_ids)
+        self.assertNotIn(self.user2_account.id, account_ids)
+
+    def test_user_cannot_access_other_users_account_detail(self):
+        """GET /api/accounts/{id}/ should deny access to other user's account."""
+        response = self.client1.get(f"/api/accounts/{self.user2_account.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_modify_other_users_account(self):
+        """PATCH on other user's account should deny access."""
+        response = self.client1.patch(
+            f"/api/accounts/{self.user2_account.id}/",
+            {"name": "Hacked Account"},
+        )
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+        # Verify account name wasn't changed
+        self.user2_account.refresh_from_db()
+        self.assertEqual(self.user2_account.name, "User2 Account")
+
+    def test_user_cannot_delete_other_users_account(self):
+        """DELETE on other user's account should deny access."""
+        response = self.client1.delete(f"/api/accounts/{self.user2_account.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+        # Verify account still exists
+        self.assertTrue(Account.all_objects.filter(id=self.user2_account.id).exists())
+
+    def test_user_cannot_get_balance_of_other_users_account(self):
+        """Balance action on other user's account should deny access."""
+        response = self.client1.get(f"/api/accounts/{self.user2_account.id}/balance/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_can_access_own_account(self):
+        """User can access their own account normally."""
+        response = self.client1.get(f"/api/accounts/{self.user1_account.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["name"], "User1 Account")
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class AccountGroupDataIsolationTests(TestCase):
+    """Tests to ensure users cannot access other users' account groups."""
+
+    def setUp(self):
+        """Set up test data with two distinct users."""
+        User = get_user_model()
+
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+
+        # User 1's account group
+        self.user1_group = AccountGroup.all_objects.create(
+            name="User1 Group", owner=self.user1
+        )
+
+        # User 2's account group
+        self.user2_group = AccountGroup.all_objects.create(
+            name="User2 Group", owner=self.user2
+        )
+
+    def test_user_cannot_see_other_users_account_groups(self):
+        """GET /api/account-groups/ should only return user's own groups."""
+        response = self.client1.get("/api/account-groups/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        group_ids = [grp["id"] for grp in response.data["results"]]
+        self.assertIn(self.user1_group.id, group_ids)
+        self.assertNotIn(self.user2_group.id, group_ids)
+
+    def test_user_cannot_access_other_users_account_group_detail(self):
+        """GET /api/account-groups/{id}/ should deny access to other user's group."""
+        response = self.client1.get(f"/api/account-groups/{self.user2_group.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_modify_other_users_account_group(self):
+        """PATCH on other user's account group should deny access."""
+        response = self.client1.patch(
+            f"/api/account-groups/{self.user2_group.id}/",
+            {"name": "Hacked Group"},
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+        self.user2_group.refresh_from_db()
+        self.assertEqual(self.user2_group.name, "User2 Group")
+
+    def test_user_cannot_delete_other_users_account_group(self):
+        """DELETE on other user's account group should deny access."""
+        response = self.client1.delete(f"/api/account-groups/{self.user2_group.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+        self.assertTrue(
+            AccountGroup.all_objects.filter(id=self.user2_group.id).exists()
+        )
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class TransactionDataIsolationTests(TestCase):
+    """Tests to ensure users cannot access other users' transactions."""
+
+    def setUp(self):
+        """Set up test data with transactions for two distinct users."""
+        User = get_user_model()
+
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+
+        self.currency = Currency.objects.create(
+            code="USD", name="US Dollar", decimal_places=2, prefix="$ "
+        )
+
+        # User 1's account and transaction
+        self.user1_account = Account.all_objects.create(
+            name="User1 Account", currency=self.currency, owner=self.user1
+        )
+        self.user1_transaction = Transaction.userless_all_objects.create(
+            account=self.user1_account,
+            type=Transaction.Type.INCOME,
+            amount=Decimal("100.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="User1 Income",
+            owner=self.user1,
+        )
+
+        # User 2's account and transaction
+        self.user2_account = Account.all_objects.create(
+            name="User2 Account", currency=self.currency, owner=self.user2
+        )
+        self.user2_transaction = Transaction.userless_all_objects.create(
+            account=self.user2_account,
+            type=Transaction.Type.EXPENSE,
+            amount=Decimal("50.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="User2 Expense",
+            owner=self.user2,
+        )
+
+    def test_user_cannot_see_other_users_transactions_in_list(self):
+        """GET /api/transactions/ should only return user's own transactions."""
+        response = self.client1.get("/api/transactions/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        transaction_ids = [t["id"] for t in response.data["results"]]
+        self.assertIn(self.user1_transaction.id, transaction_ids)
+        self.assertNotIn(self.user2_transaction.id, transaction_ids)
+
+    def test_user_cannot_access_other_users_transaction_detail(self):
+        """GET /api/transactions/{id}/ should deny access to other user's transaction."""
+        response = self.client1.get(f"/api/transactions/{self.user2_transaction.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_modify_other_users_transaction(self):
+        """PATCH on other user's transaction should deny access."""
+        response = self.client1.patch(
+            f"/api/transactions/{self.user2_transaction.id}/",
+            {"description": "Hacked Transaction"},
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+        self.user2_transaction.refresh_from_db()
+        self.assertEqual(self.user2_transaction.description, "User2 Expense")
+
+    def test_user_cannot_delete_other_users_transaction(self):
+        """DELETE on other user's transaction should deny access."""
+        response = self.client1.delete(
+            f"/api/transactions/{self.user2_transaction.id}/"
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+        self.assertTrue(
+            Transaction.userless_all_objects.filter(
+                id=self.user2_transaction.id
+            ).exists()
+        )
+
+    def test_user_cannot_create_transaction_in_other_users_account(self):
+        """POST /api/transactions/ with other user's account should fail."""
+        response = self.client1.post(
+            "/api/transactions/",
+            {
+                "account": self.user2_account.id,
+                "type": "IN",
+                "amount": "100.00",
+                "date": "2025-01-15",
+                "description": "Sneaky transaction",
+            },
+            format="json",
+        )
+
+        # Should deny access - 400 (validation error), 403, or 404
+        self.assertIn(
+            response.status_code,
+            ACCESS_DENIED_CODES + [status.HTTP_400_BAD_REQUEST],
+        )
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class CategoryTagEntityIsolationTests(TestCase):
+    """Tests for isolation of categories, tags, and entities between users."""
+
+    def setUp(self):
+        """Set up test data."""
+        User = get_user_model()
+
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+
+        # User 1's categories, tags, entities
+        self.user1_category = TransactionCategory.all_objects.create(
+            name="User1 Category", owner=self.user1
+        )
+        self.user1_tag = TransactionTag.all_objects.create(
+            name="User1 Tag", owner=self.user1
+        )
+        self.user1_entity = TransactionEntity.all_objects.create(
+            name="User1 Entity", owner=self.user1
+        )
+
+        # User 2's categories, tags, entities
+        self.user2_category = TransactionCategory.all_objects.create(
+            name="User2 Category", owner=self.user2
+        )
+        self.user2_tag = TransactionTag.all_objects.create(
+            name="User2 Tag", owner=self.user2
+        )
+        self.user2_entity = TransactionEntity.all_objects.create(
+            name="User2 Entity", owner=self.user2
+        )
+
+    def test_user_cannot_see_other_users_categories(self):
+        """GET /api/categories/ should only return user's own categories."""
+        response = self.client1.get("/api/categories/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        category_ids = [c["id"] for c in response.data["results"]]
+        self.assertIn(self.user1_category.id, category_ids)
+        self.assertNotIn(self.user2_category.id, category_ids)
+
+    def test_user_cannot_access_other_users_category_detail(self):
+        """GET /api/categories/{id}/ should deny access to other user's category."""
+        response = self.client1.get(f"/api/categories/{self.user2_category.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_see_other_users_tags(self):
+        """GET /api/tags/ should only return user's own tags."""
+        response = self.client1.get("/api/tags/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        tag_ids = [t["id"] for t in response.data["results"]]
+        self.assertIn(self.user1_tag.id, tag_ids)
+        self.assertNotIn(self.user2_tag.id, tag_ids)
+
+    def test_user_cannot_access_other_users_tag_detail(self):
+        """GET /api/tags/{id}/ should deny access to other user's tag."""
+        response = self.client1.get(f"/api/tags/{self.user2_tag.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_see_other_users_entities(self):
+        """GET /api/entities/ should only return user's own entities."""
+        response = self.client1.get("/api/entities/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        entity_ids = [e["id"] for e in response.data["results"]]
+        self.assertIn(self.user1_entity.id, entity_ids)
+        self.assertNotIn(self.user2_entity.id, entity_ids)
+
+    def test_user_cannot_access_other_users_entity_detail(self):
+        """GET /api/entities/{id}/ should deny access to other user's entity."""
+        response = self.client1.get(f"/api/entities/{self.user2_entity.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_modify_other_users_category(self):
+        """PATCH on other user's category should deny access."""
+        response = self.client1.patch(
+            f"/api/categories/{self.user2_category.id}/",
+            {"name": "Hacked Category"},
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_delete_other_users_tag(self):
+        """DELETE on other user's tag should deny access."""
+        response = self.client1.delete(f"/api/tags/{self.user2_tag.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+        self.assertTrue(
+            TransactionTag.all_objects.filter(id=self.user2_tag.id).exists()
+        )
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class DCADataIsolationTests(TestCase):
+    """Tests to ensure users cannot access other users' DCA strategies and entries."""
+
+    def setUp(self):
+        """Set up test data."""
+        User = get_user_model()
+
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+
+        self.currency1 = Currency.objects.create(
+            code="BTC", name="Bitcoin", decimal_places=8, prefix=""
+        )
+        self.currency2 = Currency.objects.create(
+            code="USD", name="US Dollar", decimal_places=2, prefix="$ "
+        )
+
+        # User 1's DCA strategy and entry
+        self.user1_strategy = DCAStrategy.all_objects.create(
+            name="User1 BTC Strategy",
+            target_currency=self.currency1,
+            payment_currency=self.currency2,
+            owner=self.user1,
+        )
+        self.user1_entry = DCAEntry.objects.create(
+            strategy=self.user1_strategy,
+            date=date(2025, 1, 1),
+            amount_paid=Decimal("100.00"),
+            amount_received=Decimal("0.001"),
+        )
+
+        # User 2's DCA strategy and entry
+        self.user2_strategy = DCAStrategy.all_objects.create(
+            name="User2 BTC Strategy",
+            target_currency=self.currency1,
+            payment_currency=self.currency2,
+            owner=self.user2,
+        )
+        self.user2_entry = DCAEntry.objects.create(
+            strategy=self.user2_strategy,
+            date=date(2025, 1, 1),
+            amount_paid=Decimal("200.00"),
+            amount_received=Decimal("0.002"),
+        )
+
+    def test_user_cannot_see_other_users_dca_strategies(self):
+        """GET /api/dca/strategies/ should only return user's own strategies."""
+        response = self.client1.get("/api/dca/strategies/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        strategy_ids = [s["id"] for s in response.data["results"]]
+        self.assertIn(self.user1_strategy.id, strategy_ids)
+        self.assertNotIn(self.user2_strategy.id, strategy_ids)
+
+    def test_user_cannot_access_other_users_dca_strategy_detail(self):
+        """GET /api/dca/strategies/{id}/ should deny access to other user's strategy."""
+        response = self.client1.get(f"/api/dca/strategies/{self.user2_strategy.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_access_other_users_dca_entries(self):
+        """GET /api/dca/entries/ filtered by other user's strategy should return empty."""
+        response = self.client1.get(
+            f"/api/dca/entries/?strategy={self.user2_strategy.id}"
+        )
+
+        # Either OK with empty results or error
+        if response.status_code == status.HTTP_200_OK:
+            entry_ids = [e["id"] for e in response.data["results"]]
+            self.assertNotIn(self.user2_entry.id, entry_ids)
+
+    def test_user_cannot_access_other_users_dca_entry_detail(self):
+        """GET /api/dca/entries/{id}/ should deny access to other user's entry."""
+        response = self.client1.get(f"/api/dca/entries/{self.user2_entry.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_access_other_users_strategy_investment_frequency(self):
+        """investment_frequency action on other user's strategy should deny access."""
+        response = self.client1.get(
+            f"/api/dca/strategies/{self.user2_strategy.id}/investment_frequency/"
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_access_other_users_strategy_price_comparison(self):
+        """price_comparison action on other user's strategy should deny access."""
+        response = self.client1.get(
+            f"/api/dca/strategies/{self.user2_strategy.id}/price_comparison/"
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_access_other_users_strategy_current_price(self):
+        """current_price action on other user's strategy should deny access."""
+        response = self.client1.get(
+            f"/api/dca/strategies/{self.user2_strategy.id}/current_price/"
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_modify_other_users_dca_strategy(self):
+        """PATCH on other user's DCA strategy should deny access."""
+        response = self.client1.patch(
+            f"/api/dca/strategies/{self.user2_strategy.id}/",
+            {"name": "Hacked Strategy"},
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_delete_other_users_dca_entry(self):
+        """DELETE on other user's DCA entry should deny access."""
+        response = self.client1.delete(f"/api/dca/entries/{self.user2_entry.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+        self.assertTrue(DCAEntry.objects.filter(id=self.user2_entry.id).exists())
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class InstallmentRecurringIsolationTests(TestCase):
+    """Tests for isolation of installment plans and recurring transactions."""
+
+    def setUp(self):
+        """Set up test data."""
+        User = get_user_model()
+
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+
+        self.currency = Currency.objects.create(
+            code="USD", name="US Dollar", decimal_places=2, prefix="$ "
+        )
+
+        # User 1's account
+        self.user1_account = Account.all_objects.create(
+            name="User1 Account", currency=self.currency, owner=self.user1
+        )
+
+        # User 2's account
+        self.user2_account = Account.all_objects.create(
+            name="User2 Account", currency=self.currency, owner=self.user2
+        )
+
+        # User 1's installment plan
+        self.user1_installment = InstallmentPlan.all_objects.create(
+            account=self.user1_account,
+            type=Transaction.Type.EXPENSE,
+            description="User1 Installment",
+            number_of_installments=12,
+            start_date=date(2025, 1, 1),
+            installment_amount=Decimal("100.00"),
+        )
+
+        # User 2's installment plan
+        self.user2_installment = InstallmentPlan.all_objects.create(
+            account=self.user2_account,
+            type=Transaction.Type.EXPENSE,
+            description="User2 Installment",
+            number_of_installments=6,
+            start_date=date(2025, 1, 1),
+            installment_amount=Decimal("200.00"),
+        )
+
+        # User 1's recurring transaction
+        self.user1_recurring = RecurringTransaction.all_objects.create(
+            account=self.user1_account,
+            type=Transaction.Type.EXPENSE,
+            amount=Decimal("50.00"),
+            description="User1 Recurring",
+            start_date=date(2025, 1, 1),
+            recurrence_type=RecurringTransaction.RecurrenceType.MONTH,
+            recurrence_interval=1,
+        )
+
+        # User 2's recurring transaction
+        self.user2_recurring = RecurringTransaction.all_objects.create(
+            account=self.user2_account,
+            type=Transaction.Type.INCOME,
+            amount=Decimal("1000.00"),
+            description="User2 Recurring",
+            start_date=date(2025, 1, 1),
+            recurrence_type=RecurringTransaction.RecurrenceType.MONTH,
+            recurrence_interval=1,
+        )
+
+    def test_user_cannot_see_other_users_installment_plans(self):
+        """GET /api/installment-plans/ should only return user's own plans."""
+        response = self.client1.get("/api/installment-plans/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        plan_ids = [p["id"] for p in response.data["results"]]
+        self.assertIn(self.user1_installment.id, plan_ids)
+        self.assertNotIn(self.user2_installment.id, plan_ids)
+
+    def test_user_cannot_access_other_users_installment_plan_detail(self):
+        """GET /api/installment-plans/{id}/ should deny access to other user's plan."""
+        response = self.client1.get(
+            f"/api/installment-plans/{self.user2_installment.id}/"
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_see_other_users_recurring_transactions(self):
+        """GET /api/recurring-transactions/ should only return user's own recurring."""
+        response = self.client1.get("/api/recurring-transactions/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        recurring_ids = [r["id"] for r in response.data["results"]]
+        self.assertIn(self.user1_recurring.id, recurring_ids)
+        self.assertNotIn(self.user2_recurring.id, recurring_ids)
+
+    def test_user_cannot_access_other_users_recurring_transaction_detail(self):
+        """GET /api/recurring-transactions/{id}/ should deny access to other user's recurring."""
+        response = self.client1.get(
+            f"/api/recurring-transactions/{self.user2_recurring.id}/"
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_modify_other_users_installment_plan(self):
+        """PATCH on other user's installment plan should deny access."""
+        response = self.client1.patch(
+            f"/api/installment-plans/{self.user2_installment.id}/",
+            {"description": "Hacked Installment"},
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_cannot_delete_other_users_recurring_transaction(self):
+        """DELETE on other user's recurring transaction should deny access."""
+        response = self.client1.delete(
+            f"/api/recurring-transactions/{self.user2_recurring.id}/"
+        )
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+        self.assertTrue(
+            RecurringTransaction.all_objects.filter(id=self.user2_recurring.id).exists()
+        )
--- a/app/apps/api/tests/test_imports.py
+++ b/app/apps/api/tests/test_imports.py
@@ -0,0 +1,404 @@
+from io import BytesIO
+from unittest.mock import patch
+
+from django.contrib.auth import get_user_model
+from django.core.files.uploadedfile import SimpleUploadedFile
+from django.test import TestCase, override_settings
+from rest_framework import status
+from rest_framework.test import APIClient
+
+from apps.import_app.models import ImportProfile, ImportRun
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class ImportAPITests(TestCase):
+    """Tests for the Import API endpoint"""
+
+    def setUp(self):
+        """Set up test data"""
+        User = get_user_model()
+        self.user = User.objects.create_user(
+            email="testuser@test.com", password="testpass123"
+        )
+        self.client = APIClient()
+        self.client.force_authenticate(user=self.user)
+
+        # Create a basic import profile with minimal valid YAML config
+        self.profile = ImportProfile.objects.create(
+            name="Test Profile",
+            version=ImportProfile.Versions.VERSION_1,
+            yaml_config="""
+file_type: csv
+date_format: "%Y-%m-%d"
+column_mapping:
+  date:
+    source: date
+  description:
+    source: description
+  amount:
+    source: amount
+  transaction_type:
+    detection_method: always_expense
+  is_paid:
+    detection_method: always_paid
+  account:
+    source: account
+    match_field: name
+""",
+        )
+
+    @patch("apps.import_app.tasks.process_import.defer")
+    @patch("django.core.files.storage.FileSystemStorage.save")
+    @patch("django.core.files.storage.FileSystemStorage.path")
+    def test_create_import_success(self, mock_path, mock_save, mock_defer):
+        """Test successful file upload creates ImportRun and queues task"""
+        mock_save.return_value = "test_file.csv"
+        mock_path.return_value = "/usr/src/app/temp/test_file.csv"
+
+        csv_content = b"date,description,amount,account\n2025-01-01,Test,100,Main"
+        file = SimpleUploadedFile(
+            "test_file.csv", csv_content, content_type="text/csv"
+        )
+
+        response = self.client.post(
+            "/api/import/import/",
+            {"profile_id": self.profile.id, "file": file},
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
+        self.assertIn("import_run_id", response.data)
+        self.assertEqual(response.data["status"], "queued")
+
+        # Verify ImportRun was created
+        import_run = ImportRun.objects.get(id=response.data["import_run_id"])
+        self.assertEqual(import_run.profile, self.profile)
+        self.assertEqual(import_run.file_name, "test_file.csv")
+
+        # Verify task was deferred
+        mock_defer.assert_called_once_with(
+            import_run_id=import_run.id,
+            file_path="/usr/src/app/temp/test_file.csv",
+            user_id=self.user.id,
+        )
+
+    def test_create_import_missing_profile(self):
+        """Test request without profile_id returns 400"""
+        csv_content = b"date,description,amount\n2025-01-01,Test,100"
+        file = SimpleUploadedFile(
+            "test_file.csv", csv_content, content_type="text/csv"
+        )
+
+        response = self.client.post(
+            "/api/import/import/",
+            {"file": file},
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("profile_id", response.data)
+
+    def test_create_import_missing_file(self):
+        """Test request without file returns 400"""
+        response = self.client.post(
+            "/api/import/import/",
+            {"profile_id": self.profile.id},
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("file", response.data)
+
+    def test_create_import_invalid_profile(self):
+        """Test request with non-existent profile returns 400"""
+        csv_content = b"date,description,amount\n2025-01-01,Test,100"
+        file = SimpleUploadedFile(
+            "test_file.csv", csv_content, content_type="text/csv"
+        )
+
+        response = self.client.post(
+            "/api/import/import/",
+            {"profile_id": 99999, "file": file},
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
+        self.assertIn("profile_id", response.data)
+
+    @patch("apps.import_app.tasks.process_import.defer")
+    @patch("django.core.files.storage.FileSystemStorage.save")
+    @patch("django.core.files.storage.FileSystemStorage.path")
+    def test_create_import_xlsx(self, mock_path, mock_save, mock_defer):
+        """Test successful XLSX file upload"""
+        mock_save.return_value = "test_file.xlsx"
+        mock_path.return_value = "/usr/src/app/temp/test_file.xlsx"
+
+        # Create a simple XLSX-like content (just for the upload test)
+        xlsx_content = BytesIO(b"PK\x03\x04")  # XLSX files start with PK header
+        file = SimpleUploadedFile(
+            "test_file.xlsx",
+            xlsx_content.getvalue(),
+            content_type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+        )
+
+        response = self.client.post(
+            "/api/import/import/",
+            {"profile_id": self.profile.id, "file": file},
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_202_ACCEPTED)
+        self.assertIn("import_run_id", response.data)
+
+    def test_unauthenticated_request(self):
+        """Test unauthenticated request returns 403"""
+        unauthenticated_client = APIClient()
+
+        csv_content = b"date,description,amount\n2025-01-01,Test,100"
+        file = SimpleUploadedFile(
+            "test_file.csv", csv_content, content_type="text/csv"
+        )
+
+        response = unauthenticated_client.post(
+            "/api/import/import/",
+            {"profile_id": self.profile.id, "file": file},
+            format="multipart",
+        )
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class ImportProfileAPITests(TestCase):
+    """Tests for the Import Profile API endpoints"""
+
+    def setUp(self):
+        """Set up test data"""
+        User = get_user_model()
+        self.user = User.objects.create_user(
+            email="testuser@test.com", password="testpass123"
+        )
+        self.client = APIClient()
+        self.client.force_authenticate(user=self.user)
+
+        self.profile1 = ImportProfile.objects.create(
+            name="Profile 1",
+            version=ImportProfile.Versions.VERSION_1,
+            yaml_config="""
+file_type: csv
+date_format: "%Y-%m-%d"
+column_mapping:
+  date:
+    source: date
+  description:
+    source: description
+  amount:
+    source: amount
+  transaction_type:
+    detection_method: always_expense
+  is_paid:
+    detection_method: always_paid
+  account:
+    source: account
+    match_field: name
+""",
+        )
+        self.profile2 = ImportProfile.objects.create(
+            name="Profile 2",
+            version=ImportProfile.Versions.VERSION_1,
+            yaml_config="""
+file_type: csv
+date_format: "%Y-%m-%d"
+column_mapping:
+  date:
+    source: date
+  description:
+    source: description
+  amount:
+    source: amount
+  transaction_type:
+    detection_method: always_income
+  is_paid:
+    detection_method: always_unpaid
+  account:
+    source: account
+    match_field: name
+""",
+        )
+
+    def test_list_profiles(self):
+        """Test listing all profiles"""
+        response = self.client.get("/api/import/profiles/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], 2)
+        self.assertEqual(len(response.data["results"]), 2)
+
+    def test_retrieve_profile(self):
+        """Test retrieving a specific profile"""
+        response = self.client.get(f"/api/import/profiles/{self.profile1.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["id"], self.profile1.id)
+        self.assertEqual(response.data["name"], "Profile 1")
+        self.assertIn("yaml_config", response.data)
+
+    def test_retrieve_nonexistent_profile(self):
+        """Test retrieving a non-existent profile returns 404"""
+        response = self.client.get("/api/import/profiles/99999/")
+
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+    def test_profiles_unauthenticated(self):
+        """Test unauthenticated request returns 403"""
+        unauthenticated_client = APIClient()
+        response = unauthenticated_client.get("/api/import/profiles/")
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class ImportRunAPITests(TestCase):
+    """Tests for the Import Run API endpoints"""
+
+    def setUp(self):
+        """Set up test data"""
+        User = get_user_model()
+        self.user = User.objects.create_user(
+            email="testuser@test.com", password="testpass123"
+        )
+        self.client = APIClient()
+        self.client.force_authenticate(user=self.user)
+
+        self.profile1 = ImportProfile.objects.create(
+            name="Profile 1",
+            version=ImportProfile.Versions.VERSION_1,
+            yaml_config="""
+file_type: csv
+date_format: "%Y-%m-%d"
+column_mapping:
+  date:
+    source: date
+  description:
+    source: description
+  amount:
+    source: amount
+  transaction_type:
+    detection_method: always_expense
+  is_paid:
+    detection_method: always_paid
+  account:
+    source: account
+    match_field: name
+""",
+        )
+        self.profile2 = ImportProfile.objects.create(
+            name="Profile 2",
+            version=ImportProfile.Versions.VERSION_1,
+            yaml_config="""
+file_type: csv
+date_format: "%Y-%m-%d"
+column_mapping:
+  date:
+    source: date
+  description:
+    source: description
+  amount:
+    source: amount
+  transaction_type:
+    detection_method: always_income
+  is_paid:
+    detection_method: always_unpaid
+  account:
+    source: account
+    match_field: name
+""",
+        )
+
+        # Create import runs
+        self.run1 = ImportRun.objects.create(
+            profile=self.profile1,
+            file_name="file1.csv",
+            status=ImportRun.Status.FINISHED,
+        )
+        self.run2 = ImportRun.objects.create(
+            profile=self.profile1,
+            file_name="file2.csv",
+            status=ImportRun.Status.QUEUED,
+        )
+        self.run3 = ImportRun.objects.create(
+            profile=self.profile2,
+            file_name="file3.csv",
+            status=ImportRun.Status.FINISHED,
+        )
+
+    def test_list_all_runs(self):
+        """Test listing all runs"""
+        response = self.client.get("/api/import/runs/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], 3)
+        self.assertEqual(len(response.data["results"]), 3)
+
+    def test_list_runs_by_profile(self):
+        """Test filtering runs by profile_id"""
+        response = self.client.get(f"/api/import/runs/?profile_id={self.profile1.id}")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], 2)
+        for run in response.data["results"]:
+            self.assertEqual(run["profile"], self.profile1.id)
+
+    def test_list_runs_by_other_profile(self):
+        """Test filtering runs by another profile_id"""
+        response = self.client.get(f"/api/import/runs/?profile_id={self.profile2.id}")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["count"], 1)
+        self.assertEqual(response.data["results"][0]["profile"], self.profile2.id)
+
+    def test_retrieve_run(self):
+        """Test retrieving a specific run"""
+        response = self.client.get(f"/api/import/runs/{self.run1.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["id"], self.run1.id)
+        self.assertEqual(response.data["file_name"], "file1.csv")
+        self.assertEqual(response.data["status"], "FINISHED")
+
+    def test_retrieve_nonexistent_run(self):
+        """Test retrieving a non-existent run returns 404"""
+        response = self.client.get("/api/import/runs/99999/")
+
+        self.assertEqual(response.status_code, status.HTTP_404_NOT_FOUND)
+
+    def test_runs_unauthenticated(self):
+        """Test unauthenticated request returns 403"""
+        unauthenticated_client = APIClient()
+        response = unauthenticated_client.get("/api/import/runs/")
+
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
--- a/app/apps/api/tests/test_shared_access.py
+++ b/app/apps/api/tests/test_shared_access.py
@@ -0,0 +1,587 @@
+from datetime import date
+from decimal import Decimal
+
+from django.contrib.auth import get_user_model
+from django.test import TestCase, override_settings
+from rest_framework import status
+from rest_framework.test import APIClient
+
+from apps.accounts.models import Account, AccountGroup
+from apps.currencies.models import Currency
+from apps.dca.models import DCAStrategy, DCAEntry
+from apps.transactions.models import (
+    Transaction,
+    TransactionCategory,
+    TransactionTag,
+    TransactionEntity,
+)
+
+
+ACCESS_DENIED_CODES = [status.HTTP_403_FORBIDDEN, status.HTTP_404_NOT_FOUND]
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class SharedAccountAccessTests(TestCase):
+    """Tests for shared account access via shared_with field."""
+
+    def setUp(self):
+        """Set up test data with shared accounts."""
+        User = get_user_model()
+
+        # User 1 - owner
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        # User 2 - will have shared access
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+        self.client2 = APIClient()
+        self.client2.force_authenticate(user=self.user2)
+
+        # User 3 - no shared access
+        self.user3 = User.objects.create_user(
+            email="user3@test.com", password="testpass123"
+        )
+        self.client3 = APIClient()
+        self.client3.force_authenticate(user=self.user3)
+
+        self.currency = Currency.objects.create(
+            code="USD", name="US Dollar", decimal_places=2, prefix="$ "
+        )
+
+        # User 1's account shared with user 2
+        self.shared_account = Account.all_objects.create(
+            name="Shared Account",
+            currency=self.currency,
+            owner=self.user1,
+            visibility="private",
+        )
+        self.shared_account.shared_with.add(self.user2)
+
+        # User 1's private account (not shared)
+        self.private_account = Account.all_objects.create(
+            name="Private Account",
+            currency=self.currency,
+            owner=self.user1,
+            visibility="private",
+        )
+
+        # Transaction in shared account
+        self.shared_transaction = Transaction.userless_all_objects.create(
+            account=self.shared_account,
+            type=Transaction.Type.INCOME,
+            amount=Decimal("100.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="Shared Transaction",
+            owner=self.user1,
+        )
+
+        # Transaction in private account
+        self.private_transaction = Transaction.userless_all_objects.create(
+            account=self.private_account,
+            type=Transaction.Type.EXPENSE,
+            amount=Decimal("50.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="Private Transaction",
+            owner=self.user1,
+        )
+
+    def test_user_can_see_accounts_shared_with_them(self):
+        """User2 should see the account shared with them."""
+        response = self.client2.get("/api/accounts/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        account_ids = [acc["id"] for acc in response.data["results"]]
+        self.assertIn(self.shared_account.id, account_ids)
+
+    def test_user_cannot_see_accounts_not_shared_with_them(self):
+        """User2 should NOT see user1's private (non-shared) account."""
+        response = self.client2.get("/api/accounts/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        account_ids = [acc["id"] for acc in response.data["results"]]
+        self.assertNotIn(self.private_account.id, account_ids)
+
+    def test_user_can_access_shared_account_detail(self):
+        """User2 should be able to access shared account details."""
+        response = self.client2.get(f"/api/accounts/{self.shared_account.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["name"], "Shared Account")
+
+    def test_user_without_share_cannot_access_shared_account(self):
+        """User3 should NOT be able to access the shared account."""
+        response = self.client3.get(f"/api/accounts/{self.shared_account.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_can_see_transactions_in_shared_account(self):
+        """User2 should see transactions in the shared account."""
+        response = self.client2.get("/api/transactions/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        transaction_ids = [t["id"] for t in response.data["results"]]
+        self.assertIn(self.shared_transaction.id, transaction_ids)
+        self.assertNotIn(self.private_transaction.id, transaction_ids)
+
+    def test_user_can_access_transaction_in_shared_account(self):
+        """User2 should be able to access transaction details in shared account."""
+        response = self.client2.get(f"/api/transactions/{self.shared_transaction.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["description"], "Shared Transaction")
+
+    def test_user_cannot_access_transaction_in_non_shared_account(self):
+        """User2 should NOT access transactions in user1's private account."""
+        response = self.client2.get(f"/api/transactions/{self.private_transaction.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
+
+    def test_user_can_get_balance_of_shared_account(self):
+        """User2 should be able to get balance of shared account."""
+        response = self.client2.get(f"/api/accounts/{self.shared_account.id}/balance/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertIn("current_balance", response.data)
+
+    def test_sharing_works_with_multiple_users(self):
+        """Account shared with multiple users should be accessible by all."""
+        # Add user3 to shared_with
+        self.shared_account.shared_with.add(self.user3)
+
+        # User2 still has access
+        response2 = self.client2.get(f"/api/accounts/{self.shared_account.id}/")
+        self.assertEqual(response2.status_code, status.HTTP_200_OK)
+
+        # User3 now has access
+        response3 = self.client3.get(f"/api/accounts/{self.shared_account.id}/")
+        self.assertEqual(response3.status_code, status.HTTP_200_OK)
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class PublicVisibilityTests(TestCase):
+    """Tests for public visibility access."""
+
+    def setUp(self):
+        """Set up test data with public accounts."""
+        User = get_user_model()
+
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+        self.client2 = APIClient()
+        self.client2.force_authenticate(user=self.user2)
+
+        self.currency = Currency.objects.create(
+            code="USD", name="US Dollar", decimal_places=2, prefix="$ "
+        )
+
+        # User 1's public account
+        self.public_account = Account.all_objects.create(
+            name="Public Account",
+            currency=self.currency,
+            owner=self.user1,
+            visibility="public",
+        )
+
+        # User 1's private account
+        self.private_account = Account.all_objects.create(
+            name="Private Account",
+            currency=self.currency,
+            owner=self.user1,
+            visibility="private",
+        )
+
+        # Transaction in public account
+        self.public_transaction = Transaction.userless_all_objects.create(
+            account=self.public_account,
+            type=Transaction.Type.INCOME,
+            amount=Decimal("100.00"),
+            is_paid=True,
+            date=date(2025, 1, 1),
+            description="Public Transaction",
+            owner=self.user1,
+        )
+
+    def test_user_can_see_public_accounts(self):
+        """User2 should see user1's public account."""
+        response = self.client2.get("/api/accounts/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        account_ids = [acc["id"] for acc in response.data["results"]]
+        self.assertIn(self.public_account.id, account_ids)
+        self.assertNotIn(self.private_account.id, account_ids)
+
+    def test_user_can_access_public_account_detail(self):
+        """User2 should be able to access public account details."""
+        response = self.client2.get(f"/api/accounts/{self.public_account.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["name"], "Public Account")
+
+    def test_user_can_see_transactions_in_public_accounts(self):
+        """User2 should see transactions in public accounts."""
+        response = self.client2.get("/api/transactions/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        transaction_ids = [t["id"] for t in response.data["results"]]
+        self.assertIn(self.public_transaction.id, transaction_ids)
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class SharedCategoryTagEntityTests(TestCase):
+    """Tests for shared categories, tags, and entities."""
+
+    def setUp(self):
+        """Set up test data with shared categories/tags/entities."""
+        User = get_user_model()
+
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+        self.client2 = APIClient()
+        self.client2.force_authenticate(user=self.user2)
+
+        self.user3 = User.objects.create_user(
+            email="user3@test.com", password="testpass123"
+        )
+        self.client3 = APIClient()
+        self.client3.force_authenticate(user=self.user3)
+
+        # User 1's category shared with user 2
+        self.shared_category = TransactionCategory.all_objects.create(
+            name="Shared Category", owner=self.user1
+        )
+        self.shared_category.shared_with.add(self.user2)
+
+        # User 1's private category
+        self.private_category = TransactionCategory.all_objects.create(
+            name="Private Category", owner=self.user1
+        )
+
+        # User 1's public category
+        self.public_category = TransactionCategory.all_objects.create(
+            name="Public Category", owner=self.user1, visibility="public"
+        )
+
+        # User 1's tag shared with user 2
+        self.shared_tag = TransactionTag.all_objects.create(
+            name="Shared Tag", owner=self.user1
+        )
+        self.shared_tag.shared_with.add(self.user2)
+
+        # User 1's entity shared with user 2
+        self.shared_entity = TransactionEntity.all_objects.create(
+            name="Shared Entity", owner=self.user1
+        )
+        self.shared_entity.shared_with.add(self.user2)
+
+    def test_user_can_see_shared_categories(self):
+        """User2 should see categories shared with them."""
+        response = self.client2.get("/api/categories/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        category_ids = [c["id"] for c in response.data["results"]]
+        self.assertIn(self.shared_category.id, category_ids)
+        self.assertNotIn(self.private_category.id, category_ids)
+
+    def test_user_can_access_shared_category_detail(self):
+        """User2 should be able to access shared category details."""
+        response = self.client2.get(f"/api/categories/{self.shared_category.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["name"], "Shared Category")
+
+    def test_user_can_see_public_categories(self):
+        """User3 should see public categories."""
+        response = self.client3.get("/api/categories/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        category_ids = [c["id"] for c in response.data["results"]]
+        self.assertIn(self.public_category.id, category_ids)
+
+    def test_user_without_share_cannot_see_shared_category(self):
+        """User3 should NOT see category shared only with user2."""
+        response = self.client3.get("/api/categories/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        category_ids = [c["id"] for c in response.data["results"]]
+        self.assertNotIn(self.shared_category.id, category_ids)
+
+    def test_user_can_see_shared_tags(self):
+        """User2 should see tags shared with them."""
+        response = self.client2.get("/api/tags/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        tag_ids = [t["id"] for t in response.data["results"]]
+        self.assertIn(self.shared_tag.id, tag_ids)
+
+    def test_user_can_access_shared_tag_detail(self):
+        """User2 should be able to access shared tag details."""
+        response = self.client2.get(f"/api/tags/{self.shared_tag.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["name"], "Shared Tag")
+
+    def test_user_can_see_shared_entities(self):
+        """User2 should see entities shared with them."""
+        response = self.client2.get("/api/entities/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        entity_ids = [e["id"] for e in response.data["results"]]
+        self.assertIn(self.shared_entity.id, entity_ids)
+
+    def test_user_can_access_shared_entity_detail(self):
+        """User2 should be able to access shared entity details."""
+        response = self.client2.get(f"/api/entities/{self.shared_entity.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["name"], "Shared Entity")
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class SharedDCAAccessTests(TestCase):
+    """Tests for shared DCA strategy access."""
+
+    def setUp(self):
+        """Set up test data with shared DCA strategies."""
+        User = get_user_model()
+
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+        self.client2 = APIClient()
+        self.client2.force_authenticate(user=self.user2)
+
+        self.user3 = User.objects.create_user(
+            email="user3@test.com", password="testpass123"
+        )
+        self.client3 = APIClient()
+        self.client3.force_authenticate(user=self.user3)
+
+        self.currency1 = Currency.objects.create(
+            code="BTC", name="Bitcoin", decimal_places=8, prefix=""
+        )
+        self.currency2 = Currency.objects.create(
+            code="USD", name="US Dollar", decimal_places=2, prefix="$ "
+        )
+
+        # User 1's DCA strategy shared with user 2
+        self.shared_strategy = DCAStrategy.all_objects.create(
+            name="Shared BTC Strategy",
+            target_currency=self.currency1,
+            payment_currency=self.currency2,
+            owner=self.user1,
+        )
+        self.shared_strategy.shared_with.add(self.user2)
+
+        # Entry in shared strategy
+        self.shared_entry = DCAEntry.objects.create(
+            strategy=self.shared_strategy,
+            date=date(2025, 1, 1),
+            amount_paid=Decimal("100.00"),
+            amount_received=Decimal("0.001"),
+        )
+
+        # User 1's private strategy
+        self.private_strategy = DCAStrategy.all_objects.create(
+            name="Private BTC Strategy",
+            target_currency=self.currency1,
+            payment_currency=self.currency2,
+            owner=self.user1,
+        )
+
+    def test_user_can_see_shared_dca_strategies(self):
+        """User2 should see DCA strategies shared with them."""
+        response = self.client2.get("/api/dca/strategies/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        strategy_ids = [s["id"] for s in response.data["results"]]
+        self.assertIn(self.shared_strategy.id, strategy_ids)
+        self.assertNotIn(self.private_strategy.id, strategy_ids)
+
+    def test_user_can_access_shared_dca_strategy_detail(self):
+        """User2 should be able to access shared strategy details."""
+        response = self.client2.get(f"/api/dca/strategies/{self.shared_strategy.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["name"], "Shared BTC Strategy")
+
+    def test_user_without_share_cannot_see_shared_strategy(self):
+        """User3 should NOT see strategy shared only with user2."""
+        response = self.client3.get("/api/dca/strategies/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        strategy_ids = [s["id"] for s in response.data["results"]]
+        self.assertNotIn(self.shared_strategy.id, strategy_ids)
+
+    def test_user_can_access_shared_strategy_actions(self):
+        """User2 should be able to access actions on shared strategy."""
+        # investment_frequency
+        response1 = self.client2.get(
+            f"/api/dca/strategies/{self.shared_strategy.id}/investment_frequency/"
+        )
+        self.assertEqual(response1.status_code, status.HTTP_200_OK)
+
+        # price_comparison
+        response2 = self.client2.get(
+            f"/api/dca/strategies/{self.shared_strategy.id}/price_comparison/"
+        )
+        self.assertEqual(response2.status_code, status.HTTP_200_OK)
+
+        # current_price
+        response3 = self.client2.get(
+            f"/api/dca/strategies/{self.shared_strategy.id}/current_price/"
+        )
+        self.assertEqual(response3.status_code, status.HTTP_200_OK)
+
+
+@override_settings(
+    STORAGES={
+        "default": {"BACKEND": "django.core.files.storage.FileSystemStorage"},
+        "staticfiles": {
+            "BACKEND": "django.contrib.staticfiles.storage.StaticFilesStorage"
+        },
+    },
+    WHITENOISE_AUTOREFRESH=True,
+)
+class SharedAccountGroupTests(TestCase):
+    """Tests for shared account group access."""
+
+    def setUp(self):
+        """Set up test data with shared account groups."""
+        User = get_user_model()
+
+        self.user1 = User.objects.create_user(
+            email="user1@test.com", password="testpass123"
+        )
+        self.client1 = APIClient()
+        self.client1.force_authenticate(user=self.user1)
+
+        self.user2 = User.objects.create_user(
+            email="user2@test.com", password="testpass123"
+        )
+        self.client2 = APIClient()
+        self.client2.force_authenticate(user=self.user2)
+
+        self.user3 = User.objects.create_user(
+            email="user3@test.com", password="testpass123"
+        )
+        self.client3 = APIClient()
+        self.client3.force_authenticate(user=self.user3)
+
+        # User 1's account group shared with user 2
+        self.shared_group = AccountGroup.all_objects.create(
+            name="Shared Group", owner=self.user1
+        )
+        self.shared_group.shared_with.add(self.user2)
+
+        # User 1's private account group
+        self.private_group = AccountGroup.all_objects.create(
+            name="Private Group", owner=self.user1
+        )
+
+        # User 1's public account group
+        self.public_group = AccountGroup.all_objects.create(
+            name="Public Group", owner=self.user1, visibility="public"
+        )
+
+    def test_user_can_see_shared_account_groups(self):
+        """User2 should see account groups shared with them."""
+        response = self.client2.get("/api/account-groups/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        group_ids = [g["id"] for g in response.data["results"]]
+        self.assertIn(self.shared_group.id, group_ids)
+        self.assertNotIn(self.private_group.id, group_ids)
+
+    def test_user_can_access_shared_account_group_detail(self):
+        """User2 should be able to access shared account group details."""
+        response = self.client2.get(f"/api/account-groups/{self.shared_group.id}/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+        self.assertEqual(response.data["name"], "Shared Group")
+
+    def test_user_can_see_public_account_groups(self):
+        """User3 should see public account groups."""
+        response = self.client3.get("/api/account-groups/")
+
+        self.assertEqual(response.status_code, status.HTTP_200_OK)
+
+        group_ids = [g["id"] for g in response.data["results"]]
+        self.assertIn(self.public_group.id, group_ids)
+
+    def test_user_without_share_cannot_access_shared_group(self):
+        """User3 should NOT be able to access shared account group."""
+        response = self.client3.get(f"/api/account-groups/{self.shared_group.id}/")
+
+        self.assertIn(response.status_code, ACCESS_DENIED_CODES)
--- a/app/apps/api/urls.py
+++ b/app/apps/api/urls.py
@@ -16,7 +16,11 @@ router.register(r"currencies", views.CurrencyViewSet)
 router.register(r"exchange-rates", views.ExchangeRateViewSet)
 router.register(r"dca/strategies", views.DCAStrategyViewSet)
 router.register(r"dca/entries", views.DCAEntryViewSet)
+router.register(r"import/profiles", views.ImportProfileViewSet, basename="import-profiles")
+router.register(r"import/runs", views.ImportRunViewSet, basename="import-runs")
+router.register(r"import/import", views.ImportViewSet, basename="import-import")

 urlpatterns = [
    path("", include(router.urls)),
 ]
+
--- a/app/apps/api/views/init.py
+++ b/app/apps/api/views/init.py
@@ -2,3 +2,5 @@ from .transactions import *
 from .accounts import *
 from .currencies import *
 from .dca import *
+from .imports import *
+
--- a/app/apps/api/views/accounts.py
+++ b/app/apps/api/views/accounts.py
@@ -1,17 +1,79 @@
+from drf_spectacular.utils import extend_schema, extend_schema_view
 from rest_framework import viewsets
+from rest_framework.decorators import action
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.response import Response
+
 from apps.accounts.models import AccountGroup, Account
-from apps.api.serializers import AccountGroupSerializer, AccountSerializer
+from apps.accounts.services import get_account_balance
+from apps.api.serializers import (
+    AccountGroupSerializer,
+    AccountSerializer,
+    AccountBalanceSerializer,
+)


 class AccountGroupViewSet(viewsets.ModelViewSet):
+    """ViewSet for managing account groups."""
+
    queryset = AccountGroup.objects.all()
    serializer_class = AccountGroupSerializer
-
-
-class AccountViewSet(viewsets.ModelViewSet):
-    queryset = Account.objects.all()
-    serializer_class = AccountSerializer
+    filterset_fields = {
+        "name": ["exact", "icontains"],
+        "owner": ["exact"],
+    }
+    search_fields = ["name"]
+    ordering_fields = "__all__"
+    ordering = ["id"]

    def get_queryset(self):
-        queryset = super().get_queryset()
-        return queryset.select_related("group", "currency", "exchange_currency")
+        return AccountGroup.objects.all()
+
+
+@extend_schema_view(
+    balance=extend_schema(
+        summary="Get account balance",
+        description="Returns the current and projected balance for the account, along with currency data.",
+        responses={200: AccountBalanceSerializer},
+    ),
+)
+class AccountViewSet(viewsets.ModelViewSet):
+    """ViewSet for managing accounts."""
+
+    queryset = Account.objects.all()
+    serializer_class = AccountSerializer
+    filterset_fields = {
+        "name": ["exact", "icontains"],
+        "group": ["exact", "isnull"],
+        "currency": ["exact"],
+        "exchange_currency": ["exact", "isnull"],
+        "is_asset": ["exact"],
+        "is_archived": ["exact"],
+        "owner": ["exact"],
+    }
+    search_fields = ["name"]
+    ordering_fields = "__all__"
+    ordering = ["id"]
+
+    def get_queryset(self):
+        return Account.objects.all().select_related(
+            "group", "currency", "exchange_currency"
+        )
+
+    @action(detail=True, methods=["get"], permission_classes=[IsAuthenticated])
+    def balance(self, request, pk=None):
+        """Get current and projected balance for an account."""
+        account = self.get_object()
+
+        current_balance = get_account_balance(account, paid_only=True)
+        projected_balance = get_account_balance(account, paid_only=False)
+
+        serializer = AccountBalanceSerializer(
+            {
+                "current_balance": current_balance,
+                "projected_balance": projected_balance,
+                "currency": account.currency,
+            }
+        )
+
+        return Response(serializer.data)
--- a/app/apps/api/views/currencies.py
+++ b/app/apps/api/views/currencies.py
@@ -9,8 +9,28 @@ from apps.currencies.models import ExchangeRate
 class CurrencyViewSet(viewsets.ModelViewSet):
    queryset = Currency.objects.all()
    serializer_class = CurrencySerializer
+    filterset_fields = {
+        'name': ['exact', 'icontains'],
+        'code': ['exact', 'icontains'],
+        'decimal_places': ['exact', 'gte', 'lte', 'gt', 'lt'],
+        'prefix': ['exact', 'icontains'],
+        'suffix': ['exact', 'icontains'],
+        'exchange_currency': ['exact'],
+        'is_archived': ['exact'],
+    }
+    search_fields = '__all__'
+    ordering_fields = '__all__'


 class ExchangeRateViewSet(viewsets.ModelViewSet):
    queryset = ExchangeRate.objects.all()
    serializer_class = ExchangeRateSerializer
+    filterset_fields = {
+        'from_currency': ['exact'],
+        'to_currency': ['exact'],
+        'rate': ['exact', 'gte', 'lte', 'gt', 'lt'],
+        'date': ['exact', 'gte', 'lte', 'gt', 'lt'],
+        'automatic': ['exact'],
+    }
+    search_fields = '__all__'
+    ordering_fields = '__all__'
--- a/app/apps/api/views/dca.py
+++ b/app/apps/api/views/dca.py
@@ -8,6 +8,19 @@ from apps.api.serializers import DCAStrategySerializer, DCAEntrySerializer
 class DCAStrategyViewSet(viewsets.ModelViewSet):
    queryset = DCAStrategy.objects.all()
    serializer_class = DCAStrategySerializer
+    filterset_fields = {
+        "name": ["exact", "icontains"],
+        "target_currency": ["exact"],
+        "payment_currency": ["exact"],
+        "notes": ["exact", "icontains"],
+        "created_at": ["exact", "gte", "lte", "gt", "lt"],
+        "updated_at": ["exact", "gte", "lte", "gt", "lt"],
+    }
+    search_fields = ["name", "notes"]
+    ordering_fields = "__all__"
+
+    def get_queryset(self):
+        return DCAStrategy.objects.all()

    @action(detail=True, methods=["get"])
    def investment_frequency(self, request, pk=None):
@@ -32,10 +45,22 @@ class DCAStrategyViewSet(viewsets.ModelViewSet):
 class DCAEntryViewSet(viewsets.ModelViewSet):
    queryset = DCAEntry.objects.all()
    serializer_class = DCAEntrySerializer
+    filterset_fields = {
+        "strategy": ["exact"],
+        "date": ["exact", "gte", "lte", "gt", "lt"],
+        "amount_paid": ["exact", "gte", "lte", "gt", "lt"],
+        "amount_received": ["exact", "gte", "lte", "gt", "lt"],
+        "expense_transaction": ["exact", "isnull"],
+        "income_transaction": ["exact", "isnull"],
+        "notes": ["exact", "icontains"],
+        "created_at": ["exact", "gte", "lte", "gt", "lt"],
+        "updated_at": ["exact", "gte", "lte", "gt", "lt"],
+    }
+    search_fields = ["notes"]
+    ordering_fields = "__all__"
+    ordering = ["-date"]

    def get_queryset(self):
-        queryset = DCAEntry.objects.all()
-        strategy_id = self.request.query_params.get("strategy", None)
-        if strategy_id is not None:
-            queryset = queryset.filter(strategy_id=strategy_id)
-        return queryset
+        # Filter entries by strategies the user has access to
+        accessible_strategies = DCAStrategy.objects.all()
+        return DCAEntry.objects.filter(strategy__in=accessible_strategies)
--- a/app/apps/api/views/imports.py
+++ b/app/apps/api/views/imports.py
@@ -0,0 +1,147 @@
+from django.core.files.storage import FileSystemStorage
+from drf_spectacular.types import OpenApiTypes
+from drf_spectacular.utils import OpenApiParameter, extend_schema, extend_schema_view, inline_serializer
+from rest_framework import serializers as drf_serializers
+from rest_framework import status, viewsets
+from rest_framework.parsers import MultiPartParser
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.response import Response
+
+from apps.api.serializers import ImportFileSerializer, ImportProfileSerializer, ImportRunSerializer
+from apps.import_app.models import ImportProfile, ImportRun
+from apps.import_app.tasks import process_import
+
+
+@extend_schema_view(
+    list=extend_schema(
+        summary="List import profiles",
+        description="Returns a paginated list of all available import profiles.",
+    ),
+    retrieve=extend_schema(
+        summary="Get import profile",
+        description="Returns the details of a specific import profile by ID.",
+    ),
+)
+class ImportProfileViewSet(viewsets.ReadOnlyModelViewSet):
+    """ViewSet for listing and retrieving import profiles."""
+
+    queryset = ImportProfile.objects.all()
+    serializer_class = ImportProfileSerializer
+    permission_classes = [IsAuthenticated]
+    filterset_fields = {
+        'name': ['exact', 'icontains'],
+        'yaml_config': ['exact', 'icontains'],
+        'version': ['exact'],
+    }
+    search_fields = ['name', 'yaml_config']
+    ordering_fields = '__all__'
+    ordering = ['name']
+
+
+@extend_schema_view(
+    list=extend_schema(
+        summary="List import runs",
+        description="Returns a paginated list of import runs. Optionally filter by profile_id.",
+        parameters=[
+            OpenApiParameter(
+                name="profile_id",
+                type=int,
+                location=OpenApiParameter.QUERY,
+                description="Filter runs by profile ID",
+                required=False,
+            ),
+        ],
+    ),
+    retrieve=extend_schema(
+        summary="Get import run",
+        description="Returns the details of a specific import run by ID, including status and logs.",
+    ),
+)
+class ImportRunViewSet(viewsets.ReadOnlyModelViewSet):
+    """ViewSet for listing and retrieving import runs."""
+
+    queryset = ImportRun.objects.all().order_by("-id")
+    serializer_class = ImportRunSerializer
+    permission_classes = [IsAuthenticated]
+    filterset_fields = {
+        'status': ['exact'],
+        'profile': ['exact'],
+        'file_name': ['exact', 'icontains'],
+        'logs': ['exact', 'icontains'],
+        'processed_rows': ['exact', 'gte', 'lte', 'gt', 'lt'],
+        'total_rows': ['exact', 'gte', 'lte', 'gt', 'lt'],
+        'successful_rows': ['exact', 'gte', 'lte', 'gt', 'lt'],
+        'skipped_rows': ['exact', 'gte', 'lte', 'gt', 'lt'],
+        'failed_rows': ['exact', 'gte', 'lte', 'gt', 'lt'],
+        'started_at': ['exact', 'gte', 'lte', 'gt', 'lt', 'isnull'],
+        'finished_at': ['exact', 'gte', 'lte', 'gt', 'lt', 'isnull'],
+    }
+    search_fields = ['file_name', 'logs']
+    ordering_fields = '__all__'
+    ordering = ['-id']
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        profile_id = self.request.query_params.get("profile_id")
+        if profile_id:
+            queryset = queryset.filter(profile_id=profile_id)
+        return queryset
+
+
+@extend_schema_view(
+    create=extend_schema(
+        summary="Import file",
+        description="Upload a CSV or XLSX file to import using an existing import profile. The import is queued and processed asynchronously.",
+        request={
+            "multipart/form-data": {
+                "type": "object",
+                "properties": {
+                    "profile_id": {"type": "integer", "description": "ID of the ImportProfile to use"},
+                    "file": {"type": "string", "format": "binary", "description": "CSV or XLSX file to import"},
+                },
+                "required": ["profile_id", "file"],
+            },
+        },
+        responses={
+            202: inline_serializer(
+                name="ImportResponse",
+                fields={
+                    "import_run_id": drf_serializers.IntegerField(),
+                    "status": drf_serializers.CharField(),
+                },
+            ),
+        },
+    ),
+)
+class ImportViewSet(viewsets.ViewSet):
+    """ViewSet for importing data via file upload."""
+
+    permission_classes = [IsAuthenticated]
+    parser_classes = [MultiPartParser]
+
+    def create(self, request):
+        serializer = ImportFileSerializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+
+        profile = serializer.validated_data["profile"]
+        uploaded_file = serializer.validated_data["file"]
+
+        # Save file to temp location
+        fs = FileSystemStorage(location="/usr/src/app/temp")
+        filename = fs.save(uploaded_file.name, uploaded_file)
+        file_path = fs.path(filename)
+
+        # Create ImportRun record
+        import_run = ImportRun.objects.create(profile=profile, file_name=filename)
+
+        # Queue import task
+        process_import.defer(
+            import_run_id=import_run.id,
+            file_path=file_path,
+            user_id=request.user.id,
+        )
+
+        return Response(
+            {"import_run_id": import_run.id, "status": "queued"},
+            status=status.HTTP_202_ACCEPTED,
+        )
--- a/app/apps/api/views/transactions.py
+++ b/app/apps/api/views/transactions.py
@@ -1,3 +1,5 @@
+from copy import deepcopy
+
 from rest_framework import viewsets

 from apps.api.serializers import (
@@ -22,14 +24,43 @@ from apps.rules.signals import transaction_updated, transaction_created
 class TransactionViewSet(viewsets.ModelViewSet):
    queryset = Transaction.objects.all()
    serializer_class = TransactionSerializer
+    filterset_fields = {
+        "account": ["exact"],
+        "type": ["exact"],
+        "is_paid": ["exact"],
+        "date": ["exact", "gte", "lte", "gt", "lt"],
+        "reference_date": ["exact", "gte", "lte", "gt", "lt"],
+        "mute": ["exact"],
+        "amount": ["exact", "gte", "lte", "gt", "lt"],
+        "description": ["exact", "icontains"],
+        "notes": ["exact", "icontains"],
+        "category": ["exact", "isnull"],
+        "installment_plan": ["exact", "isnull"],
+        "installment_id": ["exact", "gte", "lte"],
+        "recurring_transaction": ["exact", "isnull"],
+        "internal_note": ["exact", "icontains"],
+        "internal_id": ["exact"],
+        "deleted": ["exact"],
+        "created_at": ["exact", "gte", "lte", "gt", "lt"],
+        "updated_at": ["exact", "gte", "lte", "gt", "lt"],
+        "deleted_at": ["exact", "gte", "lte", "gt", "lt", "isnull"],
+        "owner": ["exact"],
+    }
+    search_fields = ["description", "notes", "internal_note"]
+    ordering_fields = "__all__"
+    ordering = ["-id"]
+
+    def get_queryset(self):
+        return Transaction.objects.all()

    def perform_create(self, serializer):
        instance = serializer.save()
        transaction_created.send(sender=instance)

    def perform_update(self, serializer):
+        old_data = deepcopy(self.get_object())
        instance = serializer.save()
-        transaction_updated.send(sender=instance)
+        transaction_updated.send(sender=instance, old_data=old_data)

    def partial_update(self, request, *args, **kwargs):
        kwargs["partial"] = True
@@ -39,23 +70,105 @@ class TransactionViewSet(viewsets.ModelViewSet):
 class TransactionCategoryViewSet(viewsets.ModelViewSet):
    queryset = TransactionCategory.objects.all()
    serializer_class = TransactionCategorySerializer
+    filterset_fields = {
+        "name": ["exact", "icontains"],
+        "mute": ["exact"],
+        "active": ["exact"],
+        "owner": ["exact"],
+    }
+    search_fields = ["name"]
+    ordering_fields = "__all__"
+    ordering = ["id"]
+
+    def get_queryset(self):
+        return TransactionCategory.objects.all()


 class TransactionTagViewSet(viewsets.ModelViewSet):
    queryset = TransactionTag.objects.all()
    serializer_class = TransactionTagSerializer
+    filterset_fields = {
+        "name": ["exact", "icontains"],
+        "active": ["exact"],
+        "owner": ["exact"],
+    }
+    search_fields = ["name"]
+    ordering_fields = "__all__"
+    ordering = ["id"]
+
+    def get_queryset(self):
+        return TransactionTag.objects.all()


 class TransactionEntityViewSet(viewsets.ModelViewSet):
    queryset = TransactionEntity.objects.all()
    serializer_class = TransactionEntitySerializer
+    filterset_fields = {
+        "name": ["exact", "icontains"],
+        "active": ["exact"],
+        "owner": ["exact"],
+    }
+    search_fields = ["name"]
+    ordering_fields = "__all__"
+    ordering = ["id"]
+
+    def get_queryset(self):
+        return TransactionEntity.objects.all()


 class InstallmentPlanViewSet(viewsets.ModelViewSet):
    queryset = InstallmentPlan.objects.all()
    serializer_class = InstallmentPlanSerializer
+    filterset_fields = {
+        "account": ["exact"],
+        "type": ["exact"],
+        "description": ["exact", "icontains"],
+        "number_of_installments": ["exact", "gte", "lte", "gt", "lt"],
+        "installment_start": ["exact", "gte", "lte", "gt", "lt"],
+        "installment_total_number": ["exact", "gte", "lte", "gt", "lt"],
+        "start_date": ["exact", "gte", "lte", "gt", "lt"],
+        "reference_date": ["exact", "gte", "lte", "gt", "lt", "isnull"],
+        "end_date": ["exact", "gte", "lte", "gt", "lt", "isnull"],
+        "recurrence": ["exact"],
+        "installment_amount": ["exact", "gte", "lte", "gt", "lt"],
+        "category": ["exact", "isnull"],
+        "notes": ["exact", "icontains"],
+        "add_description_to_transaction": ["exact"],
+        "add_notes_to_transaction": ["exact"],
+    }
+    search_fields = ["description", "notes"]
+    ordering_fields = "__all__"
+    ordering = ["-id"]
+
+    def get_queryset(self):
+        return InstallmentPlan.objects.all()


 class RecurringTransactionViewSet(viewsets.ModelViewSet):
    queryset = RecurringTransaction.objects.all()
    serializer_class = RecurringTransactionSerializer
+    filterset_fields = {
+        "is_paused": ["exact"],
+        "account": ["exact"],
+        "type": ["exact"],
+        "amount": ["exact", "gte", "lte", "gt", "lt"],
+        "description": ["exact", "icontains"],
+        "category": ["exact", "isnull"],
+        "notes": ["exact", "icontains"],
+        "reference_date": ["exact", "gte", "lte", "gt", "lt", "isnull"],
+        "start_date": ["exact", "gte", "lte", "gt", "lt"],
+        "end_date": ["exact", "gte", "lte", "gt", "lt", "isnull"],
+        "recurrence_type": ["exact"],
+        "recurrence_interval": ["exact", "gte", "lte", "gt", "lt"],
+        "keep_at_most": ["exact", "gte", "lte", "gt", "lt"],
+        "last_generated_date": ["exact", "gte", "lte", "gt", "lt", "isnull"],
+        "last_generated_reference_date": ["exact", "gte", "lte", "gt", "lt", "isnull"],
+        "add_description_to_transaction": ["exact"],
+        "add_notes_to_transaction": ["exact"],
+    }
+    search_fields = ["description", "notes"]
+    ordering_fields = "__all__"
+    ordering = ["-id"]
+
+    def get_queryset(self):
+        return RecurringTransaction.objects.all()
--- a/app/apps/common/admin.py
+++ b/app/apps/common/admin.py
@@ -0,0 +1,26 @@
+from django.contrib import admin
+from django.utils.translation import gettext_lazy as _
+
+
+@admin.action(description=_("Make public"))
+def make_public(modeladmin, request, queryset):
+    queryset.update(visibility="public")
+
+
+@admin.action(description=_("Make private"))
+def make_private(modeladmin, request, queryset):
+    queryset.update(visibility="private")
+
+
+class SharedObjectModelAdmin(admin.ModelAdmin):
+    actions = [make_public, make_private]
+
+    list_display = ("__str__", "visibility", "owner", "get_shared_with")
+
+    @admin.display(description=_("Shared with users"))
+    def get_shared_with(self, obj):
+        return ", ".join([p.email for p in obj.shared_with.all()])
+
+    def get_queryset(self, request):
+        # Use the all_objects manager to show all transactions, including deleted ones
+        return self.model.all_objects.all()
--- a/app/apps/common/apps.py
+++ b/app/apps/common/apps.py
@@ -1,6 +1,28 @@
 from django.apps import AppConfig
+from django.core.cache import cache


 class CommonConfig(AppConfig):
    default_auto_field = "django.db.models.BigAutoField"
    name = "apps.common"
+
+    def ready(self):
+        from django.contrib import admin
+        from django.contrib.sites.models import Site
+        from allauth.socialaccount.models import (
+            SocialAccount,
+            SocialApp,
+            SocialToken,
+        )
+
+        admin.site.unregister(Site)
+        admin.site.unregister(SocialAccount)
+        admin.site.unregister(SocialApp)
+        admin.site.unregister(SocialToken)
+
+        # Delete the cache for update checks to prevent false-positives when the app is restarted
+        # this will be recreated by the check_for_updates task
+        cache.delete("update_check")
+
+        # Register system checks for required environment variables
+        from apps.common import checks  # noqa: F401
--- a/app/apps/common/checks.py
+++ b/app/apps/common/checks.py
@@ -0,0 +1,103 @@
+"""
+Django System Checks for required environment variables.
+
+This module validates that required environment variables (those without defaults)
+are present before the application starts.
+"""
+
+import os
+
+from django.core.checks import Error, register
+
+
+# List of environment variables that are required (no default values)
+# Based on the README.md documentation
+REQUIRED_ENV_VARS = [
+    ("SECRET_KEY", "This is used to provide cryptographic signing."),
+    ("SQL_DATABASE", "The name of your postgres database."),
+]
+
+# List of environment variables that must be valid integers if set
+INT_ENV_VARS = [
+    ("TASK_WORKERS", "How many workers to have for async tasks."),
+    ("SESSION_EXPIRY_TIME", "The age of session cookies, in seconds."),
+    ("INTERNAL_PORT", "The port on which the app listens on."),
+    ("DJANGO_VITE_DEV_SERVER_PORT", "The port where Vite's dev server is running"),
+]
+
+
+@register()
+def check_required_env_vars(app_configs, **kwargs):
+    """
+    Check that all required environment variables are set.
+
+    Returns a list of Error objects for any missing required variables.
+    """
+    errors = []
+
+    for var_name, description in REQUIRED_ENV_VARS:
+        value = os.getenv(var_name)
+        if not value:
+            errors.append(
+                Error(
+                    f"Required environment variable '{var_name}' is not set.",
+                    hint=f"{description} Please set this variable in your .env file or environment.",
+                    id="wygiwyh.E001",
+                )
+            )
+
+    return errors
+
+
+@register()
+def check_int_env_vars(app_configs, **kwargs):
+    """
+    Check that environment variables that should be integers are valid.
+
+    Returns a list of Error objects for any invalid integer variables.
+    """
+    errors = []
+
+    for var_name, description in INT_ENV_VARS:
+        value = os.getenv(var_name)
+        if value is not None:
+            try:
+                int(value)
+            except ValueError:
+                errors.append(
+                    Error(
+                        f"Environment variable '{var_name}' must be a valid integer, got '{value}'.",
+                        hint=f"{description}",
+                        id="wygiwyh.E002",
+                    )
+                )
+
+    return errors
+
+
+@register()
+def check_soft_delete_config(app_configs, **kwargs):
+    """
+    Check that KEEP_DELETED_TRANSACTIONS_FOR is a valid integer when ENABLE_SOFT_DELETE is enabled.
+
+    Returns a list of Error objects if the configuration is invalid.
+    """
+    errors = []
+
+    enable_soft_delete = os.getenv("ENABLE_SOFT_DELETE", "false").lower() == "true"
+
+    if enable_soft_delete:
+        keep_deleted_for = os.getenv("KEEP_DELETED_TRANSACTIONS_FOR")
+        if keep_deleted_for is not None:
+            try:
+                int(keep_deleted_for)
+            except ValueError:
+                errors.append(
+                    Error(
+                        f"Environment variable 'KEEP_DELETED_TRANSACTIONS_FOR' must be a valid integer when ENABLE_SOFT_DELETE is enabled, got '{keep_deleted_for}'.",
+                        hint="Time in days to keep soft deleted transactions for. Set to 0 to keep all transactions indefinitely.",
+                        id="wygiwyh.E003",
+                    )
+                )
+
+    return errors
--- a/app/apps/common/decorators/demo.py
+++ b/app/apps/common/decorators/demo.py
@@ -0,0 +1,15 @@
+from functools import wraps
+
+from django.conf import settings
+from django.core.exceptions import PermissionDenied
+
+
+def disabled_on_demo(view):
+    @wraps(view)
+    def _view(request, *args, **kwargs):
+        if settings.DEMO and not request.user.is_superuser:
+            raise PermissionDenied
+
+        return view(request, *args, **kwargs)
+
+    return _view
--- a/app/apps/common/decorators/user.py
+++ b/app/apps/common/decorators/user.py
@@ -0,0 +1,78 @@
+from functools import wraps
+
+from django.conf import settings
+from django.core.exceptions import PermissionDenied
+from django.http import HttpResponse
+from django.shortcuts import redirect
+from django.urls import reverse, NoReverseMatch
+
+
+def is_superuser(view):
+    @wraps(view)
+    def _view(request, *args, **kwargs):
+        if not request.user.is_superuser:
+            raise PermissionDenied
+
+        return view(request, *args, **kwargs)
+
+    return _view
+
+
+def htmx_login_required(function=None, login_url=None):
+    """
+    Decorator that checks if the user is logged in.
+
+    Allows overriding the default login URL.
+
+    If the user is not logged in:
+    - If "hx-request" is present in the request header, it returns a 200 response
+      with a "HX-Redirect" header containing the determined login URL (including the "next" parameter).
+    - If "hx-request" is not present, it redirects to the determined login page normally.
+
+    Args:
+        function: The view function to decorate.
+        login_url: Optional. The URL or URL name to redirect to for login.
+                   Defaults to settings.LOGIN_URL.
+    """
+
+    def decorator(view_func):
+        # Simplified @wraps usage - it handles necessary attribute assignments by default
+        @wraps(view_func)
+        def wrapped_view(request, *args, **kwargs):
+            if request.user.is_authenticated:
+                return view_func(request, *args, **kwargs)
+            else:
+                # Determine the login URL
+                resolved_login_url = login_url
+                if not resolved_login_url:
+                    resolved_login_url = settings.LOGIN_URL
+
+                # Try to reverse the URL name if it's not a path
+                try:
+                    # Check if it looks like a URL path already
+                    if "/" not in resolved_login_url and "." not in resolved_login_url:
+                        login_url_path = reverse(resolved_login_url)
+                    else:
+                        login_url_path = resolved_login_url
+                except NoReverseMatch:
+                    # If reverse fails, assume it's already a URL path
+                    login_url_path = resolved_login_url
+
+                # Construct the full redirect path with 'next' parameter
+                # Ensure request.path is URL-encoded if needed, though Django usually handles this
+                redirect_path = f"{login_url_path}?next={request.get_full_path()}"  # Use get_full_path() to include query params
+
+                if request.headers.get("hx-request"):
+                    # For HTMX requests, return a 200 with the HX-Redirect header.
+                    response = HttpResponse()
+                    response["HX-Redirect"] = login_url_path
+                    return response
+                else:
+                    # For regular requests, redirect to the login page.
+                    return redirect(redirect_path)
+
+        return wrapped_view
+
+    if function:
+        return decorator(function)
+    return decorator
--- a/app/apps/common/fields/forms/dynamic_select.py
+++ b/app/apps/common/fields/forms/dynamic_select.py
@@ -4,6 +4,7 @@ from django.db import transaction
 from django.utils.translation import gettext_lazy as _

 from apps.common.widgets.tom_select import TomSelect, TomSelectMultiple
+from apps.common.middleware.thread_local import get_current_user


 class DynamicModelChoiceField(forms.ModelChoiceField):
@@ -12,15 +13,14 @@ class DynamicModelChoiceField(forms.ModelChoiceField):
        self.to_field_name = kwargs.pop("to_field_name", "pk")

        self.create_field = kwargs.pop("create_field", None)
-        if not self.create_field:
-            raise ValueError("The 'create_field' parameter is required.")

        self.queryset = kwargs.pop("queryset", model.objects.all())
-        super().__init__(queryset=self.queryset, *args, **kwargs)
-        self._created_instance = None

        self.widget = TomSelect(clear_button=True, create=True)

+        super().__init__(queryset=self.queryset, *args, **kwargs)
+        self._created_instance = None
+
    def to_python(self, value):
        if value in self.empty_values:
            return None
@@ -53,17 +53,27 @@ class DynamicModelChoiceField(forms.ModelChoiceField):
                else:
                    raise self.model.DoesNotExist
            except self.model.DoesNotExist:
-                try:
-                    with transaction.atomic():
-                        instance, _ = self.model.objects.update_or_create(
-                            **{self.create_field: value}
-                        )
-                        self._created_instance = instance
-                        return instance
-                except Exception as e:
+                if self.create_field:
+                    try:
+                        with transaction.atomic():
+                            # First try to get the object
+                            lookup = {self.create_field: value}
+                            try:
+                                instance = self.model.objects.get(**lookup)
+                            except self.model.DoesNotExist:
+                                # Create a new instance directly
+                                instance = self.model(**lookup)
+                                instance.save()
+
+                            self._created_instance = instance
+                            return instance
+                    except Exception as e:
+                        raise ValidationError(_("Error creating new instance"))
+                else:
                    raise ValidationError(
                        self.error_messages["invalid_choice"], code="invalid_choice"
                    )
+
        return super().clean(value)

    def bound_data(self, data, initial):
@@ -86,8 +96,6 @@ class DynamicModelMultipleChoiceField(forms.ModelMultipleChoiceField):

    def __init__(self, model, **kwargs):
        """
-        Initialize the CreateIfNotExistsModelMultipleChoiceField.
-
        Args:
            create_field (str): The name of the field to use when creating new instances.
            *args: Variable length argument list.
@@ -119,33 +127,27 @@ class DynamicModelMultipleChoiceField(forms.ModelMultipleChoiceField):
        """
        try:
            with transaction.atomic():
-                instance, _ = self.model.objects.update_or_create(
-                    **{self.create_field: value}
-                )
-            return instance
+                # Check if exists first without using update_or_create
+                lookup = {self.create_field: value}
+                try:
+                    # Use base manager to bypass distinct filters
+                    instance = self.model.objects.get(**lookup)
+                    return instance
+                except self.model.DoesNotExist:
+                    # Create a new instance directly
+                    instance = self.model(**lookup)
+                    instance.save()
+                    return instance
        except Exception as e:
            raise ValidationError(_("Error creating new instance"))

    def clean(self, value):
-        """
-        Clean and validate the field value.
-
-        This method checks if each selected choice exists in the database.
-        If a choice doesn't exist, it creates a new instance of the model.
-
-        Args:
-            value (list): List of selected values.
-
-        Returns:
-            list: A list containing all selected and newly created model instances.
-
-        Raises:
-            ValidationError: If there's an error during the cleaning process.
-        """
        if not value:
            return []

        string_values = set(str(v) for v in value)
+
+        # Get existing objects first
        existing_objects = list(
            self.queryset.filter(**{f"{self.create_field}__in": string_values})
        )
@@ -153,13 +155,11 @@ class DynamicModelMultipleChoiceField(forms.ModelMultipleChoiceField):
            str(getattr(obj, self.create_field)) for obj in existing_objects
        )

+        # Create new objects for missing values
        new_values = string_values - existing_values
        new_objects = []

        for new_value in new_values:
-            try:
-                new_objects.append(self._create_new_instance(new_value))
-            except ValidationError as e:
-                raise ValidationError(_("Error creating new instance"))
+            new_objects.append(self._create_new_instance(new_value))

        return existing_objects + new_objects
--- a/app/apps/common/fields/month_year.py
+++ b/app/apps/common/fields/month_year.py
@@ -20,7 +20,15 @@ class MonthYearModelField(models.DateField):
            # Set the day to 1
            return date.replace(day=1).date()
        except ValueError:
-            raise ValidationError(_("Invalid date format. Use YYYY-MM."))
+            try:
+                # Also accept YYYY-MM-DD format (for loaddata)
+                return (
+                    datetime.datetime.strptime(value, "%Y-%m-%d").replace(day=1).date()
+                )
+            except ValueError:
+                raise ValidationError(
+                    _("Invalid date format. Use YYYY-MM or YYYY-MM-DD.")
+                )

    def formfield(self, **kwargs):
        kwargs["widget"] = MonthYearWidget
--- a/app/apps/common/forms.py
+++ b/app/apps/common/forms.py
@@ -0,0 +1,108 @@
+from apps.common.models import SharedObject
+from apps.common.widgets.crispy.submit import NoClassSubmit
+from apps.common.widgets.tom_select import TomSelect, TomSelectMultiple
+from crispy_forms.bootstrap import FormActions
+from crispy_forms.helper import FormHelper
+from crispy_forms.layout import HTML, Div, Field, Layout, Submit
+from django import forms
+from django.contrib.auth import get_user_model
+from django.core.exceptions import ValidationError
+from django.utils.translation import gettext_lazy as _
+
+User = get_user_model()
+
+
+class SharedObjectForm(forms.Form):
+    """
+    Generic form for editing visibility and sharing settings
+    for models inheriting from SharedObject.
+    """
+
+    owner = forms.ModelChoiceField(
+        queryset=User.objects.all(),
+        required=False,
+        label=_("Owner"),
+        widget=TomSelect(clear_button=False),
+        help_text=_(
+            "The owner of this object, if empty all users can see, edit and take ownership."
+        ),
+    )
+    shared_with_users = forms.ModelMultipleChoiceField(
+        queryset=User.objects.all(),
+        required=False,
+        widget=TomSelectMultiple(clear_button=True),
+        label=_("Shared with users"),
+        help_text=_("Select users to share this object with"),
+    )
+    visibility = forms.ChoiceField(
+        choices=SharedObject.Visibility.choices,
+        required=True,
+        label=_("Visibility"),
+        widget=TomSelect(clear_button=False),
+        help_text=_(
+            "Private: Only shown for the owner and shared users. Only editable by the owner."
+            "<br/>"
+            "Public: Shown for all users. Only editable by the owner."
+        ),
+    )
+
+    class Meta:
+        fields = ["visibility", "shared_with_users"]
+
+    def __init__(self, *args, **kwargs):
+        # Get the current user to filter available sharing options
+        self.user = kwargs.pop("user", None)
+        self.instance = kwargs.pop("instance", None)
+
+        super().__init__(*args, **kwargs)
+
+        # Pre-populate shared users if instance exists
+        if self.instance:
+            self.fields["shared_with_users"].initial = self.instance.shared_with.all()
+            self.fields["visibility"].initial = self.instance.visibility
+            self.fields["owner"].initial = self.instance.owner
+
+        # Set up crispy form helper
+        self.helper = FormHelper()
+        self.helper.form_method = "post"
+        self.helper.form_tag = False
+
+        self.helper.layout = Layout(
+            Field("owner"),
+            Field("visibility"),
+            HTML('<hr class="hr my-3">'),
+            Field("shared_with_users"),
+            FormActions(
+                NoClassSubmit("submit", _("Save"), css_class="btn btn-primary"),
+            ),
+        )
+
+    def clean(self):
+        cleaned_data = super().clean()
+        owner = cleaned_data.get("owner")
+        shared_with_users = cleaned_data.get("shared_with_users", [])
+
+        # Raise validation error if owner is in shared_with_users
+        if owner and owner in shared_with_users:
+            self.add_error(
+                "shared_with_users",
+                ValidationError(
+                    _("You cannot share this item with its owner."),
+                    code="invalid_share",
+                ),
+            )
+
+        return cleaned_data
+
+    def save(self):
+        instance = self.instance
+
+        instance.visibility = self.cleaned_data["visibility"]
+        instance.owner = self.cleaned_data["owner"]
+
+        instance.save()
+
+        # Clear and set shared_with users
+        instance.shared_with.set(self.cleaned_data.get("shared_with_users", []))
+
+        return instance
--- a/app/apps/common/functions/decimals.py
+++ b/app/apps/common/functions/decimals.py
@@ -9,5 +9,8 @@ def truncate_decimal(value, decimal_places):
    :param decimal_places: The number of decimal places to keep
    :return: Truncated Decimal value
    """
+    if isinstance(value, (int, float)):
+        value = Decimal(str(value))
+
    multiplier = Decimal(10**decimal_places)
    return (value * multiplier).to_integral_value(rounding=ROUND_DOWN) / multiplier
--- a/app/apps/common/functions/format.py
+++ b/app/apps/common/functions/format.py
@@ -0,0 +1,38 @@
+from apps.common.middleware.thread_local import get_current_user
+from django.utils.formats import get_format as original_get_format
+
+
+def get_format(format_type=None, lang=None, use_l10n=None):
+    user = get_current_user()
+
+    if (
+        user
+        and user.is_authenticated
+        and hasattr(user, "settings")
+        and use_l10n is not False
+    ):
+        user_settings = user.settings
+        if format_type == "THOUSAND_SEPARATOR":
+            number_format = getattr(user_settings, "number_format", None)
+            if number_format == "DC":
+                return "."
+            elif number_format == "CD":
+                return ","
+            elif number_format == "SD" or number_format == "SC":
+                return " "
+        elif format_type == "DECIMAL_SEPARATOR":
+            number_format = getattr(user_settings, "number_format", None)
+            if number_format == "DC" or number_format == "SC":
+                return ","
+            elif number_format == "CD" or number_format == "SD":
+                return "."
+        elif format_type == "SHORT_DATE_FORMAT":
+            date_format = getattr(user_settings, "date_format", None)
+            if date_format and date_format != "SHORT_DATE_FORMAT":
+                return date_format
+        elif format_type == "SHORT_DATETIME_FORMAT":
+            datetime_format = getattr(user_settings, "datetime_format", None)
+            if datetime_format and datetime_format != "SHORT_DATETIME_FORMAT":
+                return datetime_format
+
+    return original_get_format(format_type, lang, use_l10n)
--- a/app/apps/common/management/init.py
+++ b/app/apps/common/management/init.py
--- a/app/apps/common/management/commands/init.py
+++ b/app/apps/common/management/commands/init.py
--- a/app/apps/common/management/commands/setup_users.py
+++ b/app/apps/common/management/commands/setup_users.py
@@ -0,0 +1,137 @@
+import os
+from django.core.management.base import BaseCommand, CommandError
+from django.contrib.auth import get_user_model
+from django.conf import settings
+from django.db import IntegrityError
+
+# Get the custom User model if defined, otherwise the default User model
+User = get_user_model()
+
+
+class Command(BaseCommand):
+    help = (
+        "Creates a superuser from environment variables (ADMIN_EMAIL, ADMIN_PASSWORD) "
+        "and optionally creates a demo user (demo@demo.com) if settings.DEMO is True."
+    )
+
+    def handle(self, *args, **options):
+        self.stdout.write("Starting user setup...")
+
+        # --- Create Superuser ---
+        admin_email = os.environ.get("ADMIN_EMAIL")
+        admin_password = os.environ.get("ADMIN_PASSWORD")
+
+        if admin_email and admin_password:
+            self.stdout.write(f"Attempting to create superuser: {admin_email}")
+            # Use email as username for simplicity, requires USERNAME_FIELD='email'
+            # or adapt if your USERNAME_FIELD is different.
+            # If USERNAME_FIELD is 'username', you might need ADMIN_USERNAME env var.
+            username_field = User.USERNAME_FIELD  # Get the actual username field name
+
+            # Check if the user already exists by email or username
+            user_exists_kwargs = {"email": admin_email}
+            if username_field != "email":
+                # Assume username should also be the email if not explicitly provided
+                user_exists_kwargs[username_field] = admin_email
+
+            if User.objects.filter(**user_exists_kwargs).exists():
+                self.stdout.write(
+                    self.style.WARNING(
+                        f"Superuser with email '{admin_email}' (or corresponding username) already exists. Skipping creation."
+                    )
+                )
+            else:
+                try:
+                    create_kwargs = {
+                        username_field: admin_email,  # Use email as username by default
+                        "email": admin_email,
+                        "password": admin_password,
+                    }
+                    User.objects.create_superuser(**create_kwargs)
+                    self.stdout.write(
+                        self.style.SUCCESS(
+                            f"Superuser '{admin_email}' created successfully."
+                        )
+                    )
+                except IntegrityError as e:
+                    self.stdout.write(
+                        self.style.ERROR(
+                            f"Failed to create superuser '{admin_email}'. IntegrityError: {e}"
+                        )
+                    )
+                except Exception as e:
+                    self.stdout.write(
+                        self.style.ERROR(
+                            f"An unexpected error occurred creating superuser '{admin_email}': {e}"
+                        )
+                    )
+        else:
+            self.stdout.write(
+                self.style.NOTICE(
+                    "ADMIN_EMAIL or ADMIN_PASSWORD environment variables not set. Skipping superuser creation."
+                )
+            )
+
+        self.stdout.write("---")  # Separator
+
+        # --- Create Demo User ---
+        # Use getattr to safely check for the DEMO setting, default to False if not present
+        create_demo_user = getattr(settings, "DEMO", False)
+
+        if create_demo_user:
+            demo_email = "demo@demo.com"
+            demo_password = (
+                "wygiwyhdemo"  # Consider making this an env var too for security
+            )
+            demo_username = demo_email  # Using email as username for consistency
+
+            self.stdout.write(
+                f"DEMO setting is True. Attempting to create demo user: {demo_email}"
+            )
+
+            username_field = User.USERNAME_FIELD  # Get the actual username field name
+
+            # Check if the user already exists by email or username
+            user_exists_kwargs = {"email": demo_email}
+            if username_field != "email":
+                user_exists_kwargs[username_field] = demo_username
+
+            if User.objects.filter(**user_exists_kwargs).exists():
+                self.stdout.write(
+                    self.style.WARNING(
+                        f"Demo user with email '{demo_email}' (or corresponding username) already exists. Skipping creation."
+                    )
+                )
+            else:
+                try:
+                    create_kwargs = {
+                        username_field: demo_username,
+                        "email": demo_email,
+                        "password": demo_password,
+                    }
+                    User.objects.create_user(**create_kwargs)
+                    self.stdout.write(
+                        self.style.SUCCESS(
+                            f"Demo user '{demo_email}' created successfully."
+                        )
+                    )
+                except IntegrityError as e:
+                    self.stdout.write(
+                        self.style.ERROR(
+                            f"Failed to create demo user '{demo_email}'. IntegrityError: {e}"
+                        )
+                    )
+                except Exception as e:
+                    self.stdout.write(
+                        self.style.ERROR(
+                            f"An unexpected error occurred creating demo user '{demo_email}': {e}"
+                        )
+                    )
+        else:
+            self.stdout.write(
+                self.style.NOTICE(
+                    "DEMO setting is not True (or not set). Skipping demo user creation."
+                )
+            )
+
+        self.stdout.write(self.style.SUCCESS("User setup command finished."))
--- a/app/apps/common/middleware/localization.py
+++ b/app/apps/common/middleware/localization.py
@@ -1,14 +1,17 @@
 import zoneinfo

+from django.utils import formats
 from django.utils import timezone, translation
-from django.utils.translation import activate
+from django.utils.functional import lazy

+from apps.common.functions.format import get_format as custom_get_format
 from apps.users.models import UserSettings


 class LocalizationMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response
+        self.patch_get_format()

    def __call__(self, request):
        tz = request.COOKIES.get("mytz")
@@ -33,9 +36,14 @@ class LocalizationMiddleware:
            timezone.activate(zoneinfo.ZoneInfo("UTC"))

        if user_language and user_language != "auto":
-            activate(user_language)
+            translation.activate(user_language)
        else:
            detected_language = translation.get_language_from_request(request)
-            activate(detected_language)
+            translation.activate(detected_language)

        return self.get_response(request)
+
+    @staticmethod
+    def patch_get_format():
+        formats.get_format = custom_get_format
+        formats.get_format_lazy = lazy(custom_get_format, str, list, tuple)
--- a/app/apps/common/middleware/thread_local.py
+++ b/app/apps/common/middleware/thread_local.py
@@ -0,0 +1,83 @@
+"""
+    threadlocals middleware
+    ~~~~~~~~~~~~~~~~~~~~~~~
+
+    make the request object everywhere available (e.g. in model instance).
+
+    based on: http://code.djangoproject.com/wiki/CookBookThreadlocalsAndUser
+
+    Put this into your settings:
+    --------------------------------------------------------------------------
+        MIDDLEWARE_CLASSES = (
+            ...
+            'django_tools.middlewares.ThreadLocal.ThreadLocalMiddleware',
+            ...
+        )
+    --------------------------------------------------------------------------
+
+
+    Usage:
+    --------------------------------------------------------------------------
+    from django_tools.middlewares import ThreadLocal
+
+    # Get the current request object:
+    request = ThreadLocal.get_current_request()
+
+    # You can get the current user directly with:
+    user = ThreadLocal.get_current_user()
+    --------------------------------------------------------------------------
+
+    :copyleft: 2009-2017 by the django-tools team, see AUTHORS for more details.
+    :license: GNU GPL v3 or above, see LICENSE for more details.
+"""
+
+try:
+    from threading import local
+except ImportError:
+    from django.utils._threading_local import local
+
+try:
+    from django.utils.deprecation import MiddlewareMixin
+except ImportError:
+    MiddlewareMixin = object  # fallback for Django < 1.10
+
+
+_thread_locals = local()
+
+
+def get_current_request():
+    """returns the request object for this thread"""
+    return getattr(_thread_locals, "request", None)
+
+
+def get_current_user():
+    """returns the current user, if exist, otherwise returns None"""
+    request = get_current_request()
+    if request:
+        return getattr(request, "user", None)
+
+    return getattr(_thread_locals, "user", None)
+
+
+def write_current_user(user):
+    _thread_locals.user = user
+
+
+def delete_current_user():
+    del _thread_locals.user
+
+
+class ThreadLocalMiddleware(MiddlewareMixin):
+    """Simple middleware that adds the request object in thread local storage."""
+
+    def process_request(self, request):
+        _thread_locals.request = request
+
+    def process_response(self, request, response):
+        if hasattr(_thread_locals, "request"):
+            del _thread_locals.request
+        return response
+
+    def process_exception(self, request, exception):
+        if hasattr(_thread_locals, "request"):
+            del _thread_locals.request
--- a/app/apps/common/models.py
+++ b/app/apps/common/models.py
@@ -0,0 +1,103 @@
+from django.db import models
+from django.conf import settings
+from django.db.models import Q
+from django.utils.translation import gettext_lazy as _
+
+from apps.common.middleware.thread_local import get_current_user
+
+
+class SharedObjectManager(models.Manager):
+    def get_queryset(self):
+        """Return only objects the user can access"""
+        user = get_current_user()
+        base_qs = super().get_queryset()
+
+        if user and user.is_authenticated:
+            return base_qs.filter(
+                Q(visibility="public")
+                | Q(owner=user)
+                | Q(shared_with=user)
+                | Q(visibility="private", owner=None)
+            ).distinct()
+
+        return base_qs.filter(visibility="public")
+
+
+class SharedObject(models.Model):
+    # Access control enum
+    class Visibility(models.TextChoices):
+        private = "private", _("Private")
+        is_paid = "public", _("Public")
+
+    # Core sharing fields
+    owner = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.CASCADE,
+        related_name="%(class)s_owned",
+        null=True,
+        blank=True,
+        verbose_name=_("Owner"),
+    )
+    visibility = models.CharField(
+        max_length=10,
+        choices=Visibility.choices,
+        default=Visibility.private,
+        verbose_name=_("Visibility"),
+    )
+    shared_with = models.ManyToManyField(
+        settings.AUTH_USER_MODEL,
+        related_name="%(class)s_shared",
+        blank=True,
+        verbose_name=_("Shared with users"),
+    )
+
+    # Use as abstract base class
+    class Meta:
+        abstract = True
+        indexes = [
+            models.Index(fields=["visibility"]),
+        ]
+
+    def is_accessible_by(self, user):
+        """Check if a user can access this object"""
+        return (
+            self.visibility == "public"
+            or self.owner == user
+            or (self.visibility == "shared" and user in self.shared_with.all())
+        )
+
+    def save(self, *args, **kwargs):
+        if not self.pk and not self.owner:
+            self.owner = get_current_user()
+        super().save(*args, **kwargs)
+
+
+class OwnedObjectManager(models.Manager):
+    def get_queryset(self):
+        """Return only objects the user can access"""
+        user = get_current_user()
+        base_qs = super().get_queryset()
+
+        if user and user.is_authenticated:
+            return base_qs.filter(Q(owner=user) | Q(owner=None)).distinct()
+
+        return base_qs
+
+
+class OwnedObject(models.Model):
+    owner = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.CASCADE,
+        related_name="%(class)s_owned",
+        null=True,
+        blank=True,
+    )
+
+    # Use as abstract base class
+    class Meta:
+        abstract = True
+
+    def save(self, *args, **kwargs):
+        if not self.pk and not self.owner:
+            self.owner = get_current_user()
+        super().save(*args, **kwargs)
--- a/app/apps/common/procrastinate.py
+++ b/app/apps/common/procrastinate.py
@@ -0,0 +1,6 @@
+import procrastinate
+
+
+def on_app_ready(app: procrastinate.App):
+    """This function is ran upon procrastinate initialization."""
+    ...
--- a/app/apps/common/tasks.py
+++ b/app/apps/common/tasks.py
@@ -1,20 +1,34 @@
 import logging
+from packaging.version import parse as parse_version, InvalidVersion
+
+from asgiref.sync import sync_to_async
+from django.conf import settings
+from django.core import management
+from django.db import DEFAULT_DB_ALIAS
+from django.core.cache import cache

 from procrastinate import builtin_tasks
 from procrastinate.contrib.django import app

+import requests
+

 logger = logging.getLogger(__name__)


@app.periodic(cron="0 4 * * *")
-@app.task(queueing_lock="remove_old_jobs", pass_context=True)
+@app.task(
+    lock="remove_old_jobs",
+    queueing_lock="remove_old_jobs",
+    pass_context=True,
+    name="remove_old_jobs",
+)
 async def remove_old_jobs(context, timestamp):
    try:
        return await builtin_tasks.remove_old_jobs(
            context,
            max_hours=744,
-            remove_error=True,
+            remove_failed=True,
            remove_cancelled=True,
            remove_aborted=True,
        )
@@ -24,3 +38,101 @@ async def remove_old_jobs(context, timestamp):
            exc_info=True,
        )
        raise e
+
+
+@app.periodic(cron="0 6 1 * *")
+@app.task(
+    lock="remove_expired_sessions",
+    queueing_lock="remove_expired_sessions",
+    name="remove_expired_sessions",
+)
+async def remove_expired_sessions(timestamp=None):
+    """Cleanup expired sessions by using Django management command."""
+    try:
+        await sync_to_async(management.call_command)("clearsessions", verbosity=0)
+    except Exception:
+        logger.error(
+            "Error while executing 'remove_expired_sessions' task",
+            exc_info=True,
+        )
+
+
+@app.periodic(cron="0 8 * * *")
+@app.task(lock="reset_demo_data", name="reset_demo_data")
+def reset_demo_data(timestamp=None):
+    """
+    Wipes the database and loads fresh demo data if DEMO mode is active.
+    Runs daily at 8:00 AM.
+    """
+    if not settings.DEMO:
+        return  # Exit if not in demo mode
+
+    logger.info("Demo mode active. Starting daily data reset...")
+
+    try:
+        # 1. Flush the database (wipe all data)
+        logger.info("Flushing the database...")
+
+        management.call_command(
+            "flush", "--noinput", database=DEFAULT_DB_ALIAS, verbosity=1
+        )
+        logger.info("Database flushed successfully.")
+
+        # 2. Load data from the fixture
+        # TO-DO: Roll dates over based on today's date
+        fixture_name = "fixtures/demo_data.json"
+        logger.info(f"Loading data from fixture: {fixture_name}...")
+        management.call_command(
+            "loaddata", fixture_name, database=DEFAULT_DB_ALIAS, verbosity=1
+        )
+        logger.info(f"Data loaded successfully from {fixture_name}.")
+
+        logger.info("Daily demo data reset completed.")
+
+    except Exception as e:
+        logger.exception(f"Error during daily demo data reset: {e}")
+        raise
+
+
+@app.periodic(cron="0 */12 * * *")  # Every 12 hours
+@app.task(lock="check_for_updates", name="check_for_updates")
+def check_for_updates(timestamp=None):
+    if not settings.CHECK_FOR_UPDATES:
+        return "CHECK_FOR_UPDATES is disabled"
+
+    url = "https://api.github.com/repos/eitchtee/WYGIWYH/releases/latest"
+
+    try:
+        response = requests.get(url, timeout=60)
+        response.raise_for_status()  # Raise an exception for bad status codes (4xx or 5xx)
+
+        data = response.json()
+        latest_version = data.get("tag_name")
+
+        if latest_version:
+            try:
+                current_v = parse_version(settings.APP_VERSION)
+            except InvalidVersion:
+                current_v = parse_version("0.0.0")
+            try:
+                latest_v = parse_version(latest_version)
+            except InvalidVersion:
+                latest_v = parse_version("0.0.0")
+
+            update_info = {
+                "update_available": False,
+                "current_version": str(current_v),
+                "latest_version": str(latest_v),
+            }
+
+            if latest_v > current_v:
+                update_info["update_available"] = True
+
+            # Cache the entire dictionary
+            cache.set("update_check", update_info, 60 * 60 * 25)
+            logger.info(f"Update check complete. Result: {update_info}")
+        else:
+            logger.warning("Could not find 'tag_name' in GitHub API response.")
+
+    except requests.exceptions.RequestException as e:
+        logger.error(f"Failed to fetch updates from GitHub: {e}")
--- a/app/apps/common/templatetags/cache_access.py
+++ b/app/apps/common/templatetags/cache_access.py
@@ -0,0 +1,17 @@
+# core/templatetags/update_tags.py
+from django import template
+from django.core.cache import cache
+
+register = template.Library()
+
+
+@register.simple_tag
+def get_update_check():
+    """
+    Retrieves the update status dictionary from the cache.
+    Returns a default dictionary if nothing is found.
+    """
+    return cache.get("update_check") or {
+        "update_available": False,
+        "latest_version": "N/A",
+    }
--- a/app/apps/common/templatetags/crispy_extra.py
+++ b/app/apps/common/templatetags/crispy_extra.py
@@ -0,0 +1,13 @@
+from django import forms, template
+
+register = template.Library()
+
+
+@register.filter
+def is_input(field):
+    return isinstance(field.field.widget, forms.TextInput)
+
+
+@register.filter
+def is_textarea(field):
+    return isinstance(field.field.widget, forms.Textarea)
--- a/app/apps/common/templatetags/date.py
+++ b/app/apps/common/templatetags/date.py
@@ -1,32 +0,0 @@
-from django import template
-from django.template.defaultfilters import date as date_filter
-from django.utils import formats, timezone
-
-register = template.Library()
-
-
-@register.filter
-def custom_date(value, user=None):
-    if not value:
-        return ""
-
-    # Determine if the value is a datetime or just a date
-    is_datetime = hasattr(value, "hour")
-
-    # Convert to current timezone if it's a datetime
-    if is_datetime and timezone.is_aware(value):
-        value = timezone.localtime(value)
-
-    if user and user.is_authenticated:
-        user_settings = user.settings
-
-        if is_datetime:
-            format_setting = user_settings.datetime_format
-        else:
-            format_setting = user_settings.date_format
-
-        return formats.date_format(value, format_setting, use_l10n=True)
-
-    return date_filter(
-        value, "SHORT_DATE_FORMAT" if not is_datetime else "SHORT_DATETIME_FORMAT"
-    )
--- a/app/apps/common/templatetags/formats.py
+++ b/app/apps/common/templatetags/formats.py
@@ -1,6 +1,6 @@
 from django import template
-from django.utils.formats import get_format

+from apps.common.functions.format import get_format

 register = template.Library()

--- a/app/apps/common/templatetags/markdown.py
+++ b/app/apps/common/templatetags/markdown.py
@@ -0,0 +1,52 @@
+from typing import Optional
+
+import mistune
+from django import template
+from django.utils.safestring import mark_safe
+from mistune import HTMLRenderer, Markdown, BlockParser, InlineParser, safe_entity
+from mistune.plugins.formatting import strikethrough as plugin_strikethrough
+from mistune.plugins.url import url as plugin_url
+
+
+register = template.Library()
+
+
+class CustomRenderer(HTMLRenderer):
+    def link(self, text: str, url: str, title: Optional[str] = None) -> str:
+        s = '<a rel="nofollow" target="_blank" href="' + self.safe_url(url) + '"'
+        if title:
+            s += ' title="' + safe_entity(title) + '"'
+        return s + ">" + text + "</a>"
+
+    def paragraph(self, text: str) -> str:
+        return text + "\n"
+
+    def softbreak(self) -> str:
+        return "\n"
+
+    def blank_line(self) -> str:
+        return "\n"
+
+
+block = BlockParser()
+block.rules = ["blank_line"]
+inline = InlineParser(hard_wrap=False)
+inline.rules = [
+    "emphasis",
+    "link",
+    "auto_link",
+    "auto_email",
+    "linebreak",
+    "softbreak",
+]
+markdown = Markdown(
+    renderer=CustomRenderer(escape=False),
+    block=block,
+    inline=inline,
+    plugins=[plugin_strikethrough, plugin_url],
+)
+
+
+@register.filter(name="limited_markdown")
+def limited_markdown(value):
+    return mark_safe(markdown(value))
--- a/app/apps/common/templatetags/settings.py
+++ b/app/apps/common/templatetags/settings.py
@@ -0,0 +1,9 @@
+from django import template
+from django.conf import settings
+
+register = template.Library()
+
+
+@register.simple_tag(name="settings")
+def settings_value(name):
+    return getattr(settings, name, "")
--- a/app/apps/common/templatetags/toast_bg.py
+++ b/app/apps/common/templatetags/toast_bg.py
@@ -11,7 +11,7 @@ def toast_bg(tags):
    elif "warning" in tags:
        return "warning"
    elif "error" in tags:
-        return "danger"
+        return "error"
    elif "info" in tags:
        return "info"

--- a/app/apps/common/urls.py
+++ b/app/apps/common/urls.py
@@ -13,4 +13,9 @@ urlpatterns = [
        views.month_year_picker,
        name="month_year_picker",
    ),
+    path(
+        "cache/invalidate/",
+        views.invalidate_cache,
+        name="invalidate_cache",
+    ),
 ]
--- a/app/apps/common/utils/django.py
+++ b/app/apps/common/utils/django.py
@@ -35,7 +35,7 @@ def django_to_python_datetime(django_format):
 def django_to_airdatepicker_datetime(django_format):
    format_map = {
        # Time
-        "h": "h",  # Hour (12-hour)
+        "h": "hh",  # Hour (12-hour)
        "H": "H",  # Hour (24-hour)
        "i": "m",  # Minutes
        "A": "AA",  # AM/PM uppercase
@@ -76,7 +76,7 @@ def django_to_airdatepicker_datetime(django_format):
 def django_to_airdatepicker_datetime_separated(django_format):
    format_map = {
        # Time formats
-        "h": "hH",  # Hour (12-hour)
+        "h": "hh",  # Hour (12-hour)
        "H": "HH",  # Hour (24-hour)
        "i": "mm",  # Minutes
        "A": "AA",  # AM/PM uppercase
--- a/app/apps/common/views.py
+++ b/app/apps/common/views.py
@@ -1,17 +1,33 @@
 from dateutil.relativedelta import relativedelta
+
+from django.contrib import messages
+from django.contrib.auth.decorators import login_required
 from django.db.models import Count
 from django.db.models.functions import ExtractYear, ExtractMonth
+from django.http import HttpResponse
 from django.shortcuts import render
 from django.urls import reverse
 from django.utils import timezone
+from django.views.decorators.http import require_http_methods
+from django.utils.translation import gettext_lazy as _

+from cachalot.api import invalidate
+
+from apps.common.decorators.htmx import only_htmx
 from apps.transactions.models import Transaction
+from apps.common.decorators.user import htmx_login_required


+@only_htmx
+@htmx_login_required
+@require_http_methods(["GET"])
 def toasts(request):
    return render(request, "common/fragments/toasts.html")


+@only_htmx
+@login_required
+@require_http_methods(["GET"])
 def month_year_picker(request):
    field = request.GET.get("field", "reference_date")
    for_ = request.GET.get("for", None)
@@ -75,6 +91,12 @@ def month_year_picker(request):
        for date in all_months
    ]

+    today_url = (
+        reverse(url, kwargs={"month": current_date.month, "year": current_date.year})
+        if url
+        else ""
+    )
+
    return render(
        request,
        "common/fragments/month_year_picker.html",
@@ -82,5 +104,22 @@ def month_year_picker(request):
            "month_year_data": result,
            "current_month": current_month,
            "current_year": current_year,
+            "today_url": today_url,
+        },
+    )
+
+
+@only_htmx
+@login_required
+@require_http_methods(["GET"])
+def invalidate_cache(request):
+    invalidate()
+
+    messages.success(request, _("Cache cleared successfully"))
+
+    return HttpResponse(
+        status=204,
+        headers={
+            "HX-Trigger": "updated",
        },
    )
--- a/app/apps/common/widgets/crispy/daisyui.py
+++ b/app/apps/common/widgets/crispy/daisyui.py
@@ -0,0 +1,5 @@
+from crispy_forms.layout import Field
+
+
+class Switch(Field):
+    template = "crispy-daisyui/layout/switch.html"
--- a/app/apps/common/widgets/datepicker.py
+++ b/app/apps/common/widgets/datepicker.py
@@ -1,15 +1,14 @@
 import datetime

-from django.forms import widgets
-from django.utils import formats, translation, dates
-from django.utils.formats import get_format
-from django.utils.translation import gettext_lazy as _
-
+from apps.common.functions.format import get_format
 from apps.common.utils.django import (
-    django_to_python_datetime,
    django_to_airdatepicker_datetime,
    django_to_airdatepicker_datetime_separated,
+    django_to_python_datetime,
 )
+from django.forms import widgets
+from django.utils import dates, formats, translation
+from django.utils.translation import gettext_lazy as _


 class AirDatePickerInput(widgets.DateInput):
@@ -19,21 +18,27 @@ class AirDatePickerInput(widgets.DateInput):
        format=None,
        clear_button=True,
        auto_close=True,
-        user=None,
+        read_only=True,
+        toggle_selected=None,
        *args,
        **kwargs,
    ):
        attrs = attrs or {}
-        self.user = user
        super().__init__(attrs=attrs, format=format, *args, **kwargs)
        self.clear_button = clear_button
        self.auto_close = auto_close
+        self.read_only = read_only
+        self.toggle_selected = (
+            toggle_selected if isinstance(toggle_selected, bool) else self.clear_button
+        )

    @staticmethod
    def _get_current_language():
        """Get current language code in format compatible with AirDatepicker"""
        lang_code = translation.get_language()
-        # AirDatepicker uses simple language codes
+        # AirDatepicker uses simple language codes, except for pt-br
+        if lang_code.lower() == "pt-br":
+            return "pt-BR"
        return lang_code.split("-")[0]

    def _get_format(self):
@@ -41,23 +46,23 @@ class AirDatePickerInput(widgets.DateInput):
        if self.format:
            return self.format

-        if self.user and hasattr(self.user, "settings"):
-            user_format = self.user.settings.date_format
-            if user_format == "SHORT_DATE_FORMAT":
-                return get_format("SHORT_DATE_FORMAT", use_l10n=True)
-            return user_format
-
        return get_format("SHORT_DATE_FORMAT", use_l10n=True)

    def build_attrs(self, base_attrs, extra_attrs=None):
        attrs = super().build_attrs(base_attrs, extra_attrs)

+        attrs["class"] = attrs.get("class", "") + " input"
+
        attrs["data-now-button-txt"] = _("Today")
        attrs["data-auto-close"] = str(self.auto_close).lower()
        attrs["data-clear-button"] = str(self.clear_button).lower()
+        attrs["data-toggle-selected"] = str(self.toggle_selected).lower()
        attrs["data-language"] = self._get_current_language()
        attrs["data-date-format"] = django_to_airdatepicker_datetime(self._get_format())

+        if self.read_only:
+            attrs["readonly"] = True
+
        return attrs

    def format_value(self, value):
@@ -97,16 +102,20 @@ class AirDateTimePickerInput(widgets.DateTimeInput):
        timepicker=True,
        clear_button=True,
        auto_close=True,
-        user=None,
+        read_only=True,
+        toggle_selected=None,
        *args,
        **kwargs,
    ):
        attrs = attrs or {}
-        self.user = user
        super().__init__(attrs=attrs, format=format, *args, **kwargs)
        self.timepicker = timepicker
        self.clear_button = clear_button
        self.auto_close = auto_close
+        self.read_only = read_only
+        self.toggle_selected = (
+            toggle_selected if isinstance(toggle_selected, bool) else self.clear_button
+        )

    @staticmethod
    def _get_current_language():
@@ -120,12 +129,6 @@ class AirDateTimePickerInput(widgets.DateTimeInput):
        if self.format:
            return self.format

-        if self.user and hasattr(self.user, "settings"):
-            user_format = self.user.settings.datetime_format
-            if user_format == "SHORT_DATETIME_FORMAT":
-                return get_format("SHORT_DATETIME_FORMAT", use_l10n=True)
-            return user_format
-
        return get_format("SHORT_DATETIME_FORMAT", use_l10n=True)

    def build_attrs(self, base_attrs, extra_attrs=None):
@@ -139,18 +142,27 @@ class AirDateTimePickerInput(widgets.DateTimeInput):
        attrs["data-now-button-txt"] = _("Now")
        attrs["data-timepicker"] = str(self.timepicker).lower()
        attrs["data-auto-close"] = str(self.auto_close).lower()
+        attrs["data-toggle-selected"] = str(self.toggle_selected).lower()
        attrs["data-clear-button"] = str(self.clear_button).lower()
        attrs["data-language"] = self._get_current_language()
        attrs["data-date-format"] = date_format
        attrs["data-time-format"] = time_format

+        if self.read_only:
+            attrs["readonly"] = True
+
        return attrs

    def format_value(self, value):
        """Format the value for display in the widget."""
-        if value:
+        if value and isinstance(value, (datetime.date, datetime.datetime)):
            self.attrs["data-value"] = datetime.datetime.strftime(
-                value, "%Y-%m-%d %H:%M:00"
+                value, "%Y-%m-%dT%H:%M:00"
+            )
+        elif value and isinstance(value, str):
+            value = datetime.datetime.strptime(value, "%Y-%m-%d %H:%M:00")
+            self.attrs["data-value"] = datetime.datetime.strftime(
+                value, "%Y-%m-%dT%H:%M:00"
            )

        if value is None:
@@ -195,6 +207,7 @@ class AirMonthYearPickerInput(AirDatePickerInput):

        # Add data attributes for AirDatepicker configuration
        attrs["data-now-button-txt"] = _("Today")
+        attrs["data-date-format"] = "MMMM yyyy"

        return attrs

@@ -237,3 +250,56 @@ class AirMonthYearPickerInput(AirDatePickerInput):
            except (ValueError, KeyError):
                return None
        return None
+
+
+class AirYearPickerInput(AirDatePickerInput):
+    def __init__(self, attrs=None, format=None, *args, **kwargs):
+        super().__init__(attrs=attrs, format=format, *args, **kwargs)
+        # Store the display format for AirDatepicker
+        self.display_format = "yyyy"
+        # Store the Python format for internal use
+        self.python_format = "%Y"
+
+    def build_attrs(self, base_attrs, extra_attrs=None):
+        attrs = super().build_attrs(base_attrs, extra_attrs)
+
+        # Add data attributes for AirDatepicker configuration
+        attrs["data-now-button-txt"] = _("Today")
+        attrs["data-date-format"] = "yyyy"
+
+        return attrs
+
+    def format_value(self, value):
+        """Format the value for display in the widget."""
+        if value:
+            self.attrs["data-value"] = (
+                value  # We use this to dynamically select the initial date on AirDatePicker
+            )
+
+        if value is None:
+            return ""
+        if isinstance(value, str):
+            try:
+                value = datetime.datetime.strptime(value, "%Y-%m-%d").date()
+            except ValueError:
+                return value
+        if isinstance(value, (datetime.datetime, datetime.date)):
+            # Use Django's date translation
+            return f"{value.year}"
+        return value
+
+    def value_from_datadict(self, data, files, name):
+        """Convert the value from the widget format back to a format Django can handle."""
+        value = super().value_from_datadict(data, files, name)
+        if value:
+            try:
+                # Split the value into month name and year
+                year_str = value
+                year = int(year_str)
+
+                if year:
+                    # Return the first day of the month in Django's expected format
+                    return datetime.date(year, 1, 1).strftime("%Y-%m-%d")
+            except (ValueError, KeyError):
+                return None
+        return None
--- a/app/apps/common/widgets/decimal.py
+++ b/app/apps/common/widgets/decimal.py
@@ -1,7 +1,9 @@
 from decimal import Decimal, InvalidOperation

 from django import forms
-from django.utils.formats import get_format, number_format
+from django.utils.formats import number_format
+
+from apps.common.functions.format import get_format


 def convert_to_decimal(value: str):
@@ -33,8 +35,8 @@ class ArbitraryDecimalDisplayNumberInput(forms.TextInput):
        self.attrs.update(
            {
                "x-data": "",
-                "x-mask:dynamic": f"$money($input, '{get_format('DECIMAL_SEPARATOR')}', "
-                f"'{get_format('THOUSAND_SEPARATOR')}', '30')",
+                "x-mask:dynamic": f"$money($input, '{get_format('DECIMAL_SEPARATOR')}', '{get_format('THOUSAND_SEPARATOR')}', '30')",
+                "x-on:keyup": "if (!['Control', 'Shift', 'Alt', 'Meta'].includes($event.key) && !(($event.ctrlKey || $event.metaKey) && $event.key.toLowerCase() === 'a')) $el.dispatchEvent(new Event('input'))",
            }
        )

--- a/app/apps/common/widgets/tom_select.py
+++ b/app/apps/common/widgets/tom_select.py
@@ -1,4 +1,5 @@
-from django.forms import widgets, SelectMultiple
+from django.forms import SelectMultiple, widgets
+from django.urls import reverse
 from django.utils.translation import gettext_lazy as _


@@ -16,7 +17,7 @@ class TomSelect(widgets.Select):
        checkboxes=False,
        group_by=None,
        *args,
-        **kwargs
+        **kwargs,
    ):
        super().__init__(attrs, *args, **kwargs)
        self.remove_button = remove_button
@@ -129,3 +130,28 @@ class TomSelect(widgets.Select):

 class TomSelectMultiple(SelectMultiple, TomSelect):
    pass
+
+
+class TransactionSelect(TomSelect):
+    def __init__(self, income: bool = True, expense: bool = True, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        self.load_income = income
+        self.load_expense = expense
+        self.create = False
+
+    def build_attrs(self, base_attrs, extra_attrs=None):
+        attrs = super().build_attrs(base_attrs, extra_attrs)
+
+        if self.load_income and self.load_expense:
+            attrs["data-load"] = reverse("transactions_search")
+        elif self.load_income and not self.load_expense:
+            attrs["data-load"] = reverse(
+                "transactions_search", kwargs={"filter_type": "income"}
+            )
+        elif self.load_expense and not self.load_income:
+            attrs["data-load"] = reverse(
+                "transactions_search", kwargs={"filter_type": "expenses"}
+            )
+
+        return attrs
--- a/app/apps/currencies/admin.py
+++ b/app/apps/currencies/admin.py
@@ -1,6 +1,6 @@
 from django.contrib import admin

-from apps.currencies.models import Currency, ExchangeRate
+from apps.currencies.models import Currency, ExchangeRate, ExchangeRateService


@admin.register(Currency)
@@ -11,4 +11,19 @@ class CurrencyAdmin(admin.ModelAdmin):
        return super().formfield_for_dbfield(db_field, request, **kwargs)


+@admin.register(ExchangeRateService)
+class ExchangeRateServiceAdmin(admin.ModelAdmin):
+    list_display = [
+        "name",
+        "service_type",
+        "is_active",
+        "interval_type",
+        "fetch_interval",
+        "last_fetch",
+    ]
+    list_filter = ["is_active", "service_type"]
+    search_fields = ["name"]
+    filter_horizontal = ["target_currencies"]
+
+
 admin.site.register(ExchangeRate)
--- a/app/apps/currencies/exchange_rates/init.py
+++ b/app/apps/currencies/exchange_rates/init.py
--- a/app/apps/currencies/exchange_rates/base.py
+++ b/app/apps/currencies/exchange_rates/base.py
@@ -0,0 +1,30 @@
+from abc import ABC, abstractmethod
+from decimal import Decimal
+from typing import List, Tuple, Optional
+from django.db.models import QuerySet
+
+from apps.currencies.models import Currency
+
+
+class ExchangeRateProvider(ABC):
+    rates_inverted = False
+
+    def __init__(self, api_key: Optional[str] = None):
+        self.api_key = api_key
+
+    @abstractmethod
+    def get_rates(
+        self, target_currencies: QuerySet, exchange_currencies: set
+    ) -> List[Tuple[Currency, Currency, Decimal]]:
+        """Fetch exchange rates for multiple currency pairs"""
+        raise NotImplementedError("Subclasses must implement get_rates method")
+
+    @classmethod
+    def requires_api_key(cls) -> bool:
+        """Return True if the service requires an API key"""
+        return True
+
+    @staticmethod
+    def invert_rate(rate: Decimal) -> Decimal:
+        """Invert the given rate."""
+        return Decimal("1") / rate
--- a/app/apps/currencies/exchange_rates/fetcher.py
+++ b/app/apps/currencies/exchange_rates/fetcher.py
@@ -0,0 +1,266 @@
+import logging
+
+from django.db.models import QuerySet
+from django.utils import timezone
+
+import apps.currencies.exchange_rates.providers as providers
+from apps.currencies.models import ExchangeRateService, ExchangeRate, Currency
+
+logger = logging.getLogger(__name__)
+
+
+# Map service types to provider classes
+PROVIDER_MAPPING = {
+    "coingecko_free": providers.CoinGeckoFreeProvider,
+    "coingecko_pro": providers.CoinGeckoProProvider,
+    "transitive": providers.TransitiveRateProvider,
+    "frankfurter": providers.FrankfurterProvider,
+    "twelvedata": providers.TwelveDataProvider,
+    "twelvedatamarkets": providers.TwelveDataMarketsProvider,
+}
+
+
+class ExchangeRateFetcher:
+    def _should_fetch_at_hour(service: ExchangeRateService, current_hour: int) -> bool:
+        """Check if service should fetch rates at given hour based on interval type."""
+        try:
+            if service.interval_type == ExchangeRateService.IntervalType.NOT_ON:
+                blocked_hours = ExchangeRateService._parse_hour_ranges(
+                    service.fetch_interval
+                )
+                should_fetch = current_hour not in blocked_hours
+                logger.info(
+                    f"NOT_ON check for {service.name}: "
+                    f"current_hour={current_hour}, "
+                    f"blocked_hours={blocked_hours}, "
+                    f"should_fetch={should_fetch}"
+                )
+                return should_fetch
+
+            if service.interval_type == ExchangeRateService.IntervalType.ON:
+                allowed_hours = ExchangeRateService._parse_hour_ranges(
+                    service.fetch_interval
+                )
+
+                should_fetch = current_hour in allowed_hours
+
+                logger.info(
+                    f"ON check for {service.name}: "
+                    f"current_hour={current_hour}, "
+                    f"allowed_hours={allowed_hours}, "
+                    f"should_fetch={should_fetch}"
+                )
+
+                return should_fetch
+
+            if service.interval_type == ExchangeRateService.IntervalType.EVERY:
+                try:
+                    interval_hours = int(service.fetch_interval)
+
+                    if service.last_fetch is None:
+                        return True
+
+                    # Round down to nearest hour
+                    now = timezone.now().replace(minute=0, second=0, microsecond=0)
+                    last_fetch = service.last_fetch.replace(
+                        minute=0, second=0, microsecond=0
+                    )
+
+                    hours_since_last = (now - last_fetch).total_seconds() / 3600
+                    should_fetch = hours_since_last >= interval_hours
+
+                    logger.info(
+                        f"EVERY check for {service.name}: "
+                        f"hours_since_last={hours_since_last:.1f}, "
+                        f"interval={interval_hours}, "
+                        f"should_fetch={should_fetch}"
+                    )
+                    return should_fetch
+                except ValueError:
+                    logger.error(
+                        f"Invalid EVERY interval format for {service.name}: "
+                        f"expected single number, got '{service.fetch_interval}'"
+                    )
+                    return False
+
+            return False
+
+        except ValueError as e:
+            logger.error(f"Error parsing fetch_interval for {service.name}: {e}")
+            return False
+
+    @staticmethod
+    def fetch_due_rates(force: bool = False) -> None:
+        """
+        Fetch rates for all services that are due for update.
+        Args:
+            force (bool): If True, fetches all active services regardless of their schedule.
+        """
+        services = ExchangeRateService.objects.filter(is_active=True)
+        current_time = timezone.now().astimezone()
+        current_hour = current_time.hour
+
+        for service in services:
+            try:
+                if force:
+                    logger.info(f"Force fetching rates for {service.name}")
+                    ExchangeRateFetcher._fetch_service_rates(service)
+                    continue
+
+                # Check if service should fetch based on interval type
+                if ExchangeRateFetcher._should_fetch_at_hour(service, current_hour):
+                    logger.info(
+                        f"Fetching rates for {service.name}. "
+                        f"Last fetch: {service.last_fetch}, "
+                        f"Interval type: {service.interval_type}, "
+                        f"Current hour: {current_hour}"
+                    )
+                    ExchangeRateFetcher._fetch_service_rates(service)
+                else:
+                    logger.debug(
+                        f"Skipping {service.name}. "
+                        f"Current hour: {current_hour}, "
+                        f"Interval type: {service.interval_type}, "
+                        f"Fetch interval: {service.fetch_interval}"
+                    )
+
+            except Exception as e:
+                logger.error(f"Error checking fetch schedule for {service.name}: {e}")
+
+    @staticmethod
+    def _get_unique_currency_pairs(
+        service: ExchangeRateService,
+    ) -> tuple[QuerySet, set]:
+        """
+        Get unique currency pairs from both target_currencies and target_accounts
+        Returns a tuple of (target_currencies QuerySet, exchange_currencies set)
+        """
+        # Get currencies from target_currencies
+        target_currencies = set(service.target_currencies.all())
+
+        # Add currencies from target_accounts
+        for account in service.target_accounts.all():
+            if account.currency and account.exchange_currency:
+                target_currencies.add(account.currency)
+
+        # Convert back to QuerySet for compatibility with existing code
+        target_currencies_qs = Currency.objects.filter(
+            id__in=[curr.id for curr in target_currencies]
+        )
+
+        # Get unique exchange currencies
+        exchange_currencies = set()
+
+        # From target_currencies
+        for currency in target_currencies:
+            if currency.exchange_currency:
+                exchange_currencies.add(currency.exchange_currency)
+
+        # From target_accounts
+        for account in service.target_accounts.all():
+            if account.exchange_currency:
+                exchange_currencies.add(account.exchange_currency)
+
+        return target_currencies_qs, exchange_currencies
+
+    @staticmethod
+    def _fetch_service_rates(service: ExchangeRateService) -> None:
+        """Fetch rates for a specific service"""
+        try:
+            provider = service.get_provider()
+
+            # Check if API key is required but missing
+            if provider.requires_api_key() and not service.api_key:
+                logger.error(f"API key required but not provided for {service.name}")
+                return
+
+            # Get unique currency pairs from both sources
+            target_currencies, exchange_currencies = (
+                ExchangeRateFetcher._get_unique_currency_pairs(service)
+            )
+
+            # Skip if no currencies to process
+            if not target_currencies or not exchange_currencies:
+                logger.info(f"No currency pairs to process for service {service.name}")
+                return
+
+            rates = provider.get_rates(target_currencies, exchange_currencies)
+
+            # Track processed currency pairs to avoid duplicates
+            processed_pairs = set()
+
+            for from_currency, to_currency, rate in rates:
+                # Create a unique identifier for this currency pair
+                pair_key = (from_currency.id, to_currency.id)
+                if pair_key in processed_pairs:
+                    continue
+
+                if provider.rates_inverted:
+                    # If rates are inverted, we need to swap currencies
+                    if service.singleton:
+                        # Try to get the last automatically created exchange rate
+                        exchange_rate = (
+                            ExchangeRate.objects.filter(
+                                automatic=True,
+                                from_currency=to_currency,
+                                to_currency=from_currency,
+                            )
+                            .order_by("-date")
+                            .first()
+                        )
+                    else:
+                        exchange_rate = None
+
+                    if not exchange_rate:
+                        ExchangeRate.objects.create(
+                            automatic=True,
+                            from_currency=to_currency,
+                            to_currency=from_currency,
+                            rate=rate,
+                            date=timezone.now(),
+                        )
+                    else:
+                        exchange_rate.rate = rate
+                        exchange_rate.date = timezone.now()
+                        exchange_rate.save()
+
+                    processed_pairs.add((to_currency.id, from_currency.id))
+                else:
+                    # If rates are not inverted, we can use them as is
+                    if service.singleton:
+                        # Try to get the last automatically created exchange rate
+                        exchange_rate = (
+                            ExchangeRate.objects.filter(
+                                automatic=True,
+                                from_currency=from_currency,
+                                to_currency=to_currency,
+                            )
+                            .order_by("-date")
+                            .first()
+                        )
+                    else:
+                        exchange_rate = None
+
+                    if not exchange_rate:
+                        ExchangeRate.objects.create(
+                            automatic=True,
+                            from_currency=from_currency,
+                            to_currency=to_currency,
+                            rate=rate,
+                            date=timezone.now(),
+                        )
+                    else:
+                        exchange_rate.rate = rate
+                        exchange_rate.date = timezone.now()
+                        exchange_rate.save()
+
+                    processed_pairs.add((from_currency.id, to_currency.id))
+
+            service.last_fetch = timezone.now()
+            service.failure_count = 0
+            service.save()
+
+        except Exception as e:
+            logger.error(f"Error fetching rates for {service.name}: {e}")
+            service.failure_count += 1
+            service.save()
--- a/app/apps/currencies/exchange_rates/providers.py
+++ b/app/apps/currencies/exchange_rates/providers.py
@@ -0,0 +1,505 @@
+import logging
+import time
+
+import requests
+from decimal import Decimal
+from typing import Tuple, List, Optional, Dict
+
+from django.db.models import QuerySet
+
+from apps.currencies.models import Currency, ExchangeRate
+from apps.currencies.exchange_rates.base import ExchangeRateProvider
+
+logger = logging.getLogger(__name__)
+
+
+class CoinGeckoFreeProvider(ExchangeRateProvider):
+    """Implementation for CoinGecko Free API"""
+
+    BASE_URL = "https://api.coingecko.com/api/v3"
+    rates_inverted = True
+
+    def __init__(self, api_key: str):
+        super().__init__(api_key)
+        self.session = requests.Session()
+        self.session.headers.update({"x-cg-demo-api-key": api_key})
+
+    @classmethod
+    def requires_api_key(cls) -> bool:
+        return True
+
+    def get_rates(
+        self, target_currencies: QuerySet, exchange_currencies: set
+    ) -> List[Tuple[Currency, Currency, Decimal]]:
+        results = []
+        all_currencies = set(currency.code.lower() for currency in target_currencies)
+        all_currencies.update(currency.code.lower() for currency in exchange_currencies)
+
+        try:
+            response = self.session.get(
+                f"{self.BASE_URL}/simple/price",
+                params={
+                    "ids": ",".join(all_currencies),
+                    "vs_currencies": ",".join(all_currencies),
+                },
+            )
+            response.raise_for_status()
+            rates_data = response.json()
+
+            for target_currency in target_currencies:
+                if target_currency.exchange_currency in exchange_currencies:
+                    try:
+                        rate = Decimal(
+                            str(
+                                rates_data[target_currency.code.lower()][
+                                    target_currency.exchange_currency.code.lower()
+                                ]
+                            )
+                        )
+                        # The rate is already inverted, so we don't need to invert it again
+                        results.append(
+                            (target_currency.exchange_currency, target_currency, rate)
+                        )
+                    except KeyError:
+                        logger.error(
+                            f"Rate not found for {target_currency.code} or {target_currency.exchange_currency.code}"
+                        )
+                    except Exception as e:
+                        logger.error(
+                            f"Error calculating rate for {target_currency.code}: {e}"
+                        )
+
+            time.sleep(1)  # CoinGecko allows 10-30 calls/minute for free tier
+        except requests.RequestException as e:
+            logger.error(f"Error fetching rates from CoinGecko API: {e}")
+
+        return results
+
+
+class CoinGeckoProProvider(CoinGeckoFreeProvider):
+    """Implementation for CoinGecko Pro API"""
+
+    BASE_URL = "https://pro-api.coingecko.com/api/v3/simple/price"
+    rates_inverted = True
+
+    def __init__(self, api_key: str):
+        super().__init__(api_key)
+        self.session = requests.Session()
+        self.session.headers.update({"x-cg-pro-api-key": api_key})
+
+
+class TransitiveRateProvider(ExchangeRateProvider):
+    """Calculates exchange rates through paths of existing rates"""
+
+    rates_inverted = True
+
+    def __init__(self, api_key: str = None):
+        super().__init__(api_key)  # API key not needed but maintaining interface
+
+    @classmethod
+    def requires_api_key(cls) -> bool:
+        return False
+
+    def get_rates(
+        self, target_currencies: QuerySet, exchange_currencies: set
+    ) -> List[Tuple[Currency, Currency, Decimal]]:
+        results = []
+
+        # Get recent rates for building the graph
+        recent_rates = ExchangeRate.objects.all()
+
+        # Build currency graph
+        currency_graph = self._build_currency_graph(recent_rates)
+
+        for target in target_currencies:
+            if (
+                not target.exchange_currency
+                or target.exchange_currency not in exchange_currencies
+            ):
+                continue
+
+            # Find path and calculate rate
+            from_id = target.exchange_currency.id
+            to_id = target.id
+
+            path, rate = self._find_conversion_path(currency_graph, from_id, to_id)
+
+            if path and rate:
+                path_codes = [Currency.objects.get(id=cid).code for cid in path]
+                logger.info(
+                    f"Found conversion path: {' -> '.join(path_codes)}, rate: {rate}"
+                )
+                results.append((target.exchange_currency, target, rate))
+            else:
+                logger.debug(
+                    f"No conversion path found for {target.exchange_currency.code}->{target.code}"
+                )
+
+        return results
+
+    @staticmethod
+    def _build_currency_graph(rates) -> Dict[int, Dict[int, Decimal]]:
+        """Build a graph representation of currency relationships"""
+        graph = {}
+
+        for rate in rates:
+            # Add both directions to make the graph bidirectional
+            if rate.from_currency_id not in graph:
+                graph[rate.from_currency_id] = {}
+            graph[rate.from_currency_id][rate.to_currency_id] = rate.rate
+
+            if rate.to_currency_id not in graph:
+                graph[rate.to_currency_id] = {}
+            graph[rate.to_currency_id][rate.from_currency_id] = Decimal("1") / rate.rate
+
+        return graph
+
+    @staticmethod
+    def _find_conversion_path(
+        graph, from_id, to_id
+    ) -> Tuple[Optional[list], Optional[Decimal]]:
+        """Find the shortest path between currencies using breadth-first search"""
+        if from_id not in graph or to_id not in graph:
+            return None, None
+
+        queue = [(from_id, [from_id], Decimal("1"))]
+        visited = {from_id}
+
+        while queue:
+            current, path, current_rate = queue.pop(0)
+
+            if current == to_id:
+                return path, current_rate
+
+            for neighbor, rate in graph.get(current, {}).items():
+                if neighbor not in visited:
+                    visited.add(neighbor)
+                    queue.append((neighbor, path + [neighbor], current_rate * rate))
+
+        return None, None
+
+
+class FrankfurterProvider(ExchangeRateProvider):
+    """Implementation for the Frankfurter API (frankfurter.dev)"""
+
+    BASE_URL = "https://api.frankfurter.dev/v1/latest"
+    rates_inverted = (
+        False  # Frankfurter returns non-inverted rates (e.g., 1 EUR = 1.1 USD)
+    )
+
+    def __init__(self, api_key: str = None):
+        """
+        Initializes the provider. The Frankfurter API does not require an API key,
+        so the api_key parameter is ignored.
+        """
+        super().__init__(api_key)
+        self.session = requests.Session()
+
+    @classmethod
+    def requires_api_key(cls) -> bool:
+        return False
+
+    def get_rates(
+        self, target_currencies: QuerySet, exchange_currencies: set
+    ) -> List[Tuple[Currency, Currency, Decimal]]:
+        results = []
+        currency_groups = {}
+        # Group target currencies by their exchange (base) currency to minimize API calls
+        for currency in target_currencies:
+            if currency.exchange_currency in exchange_currencies:
+                group = currency_groups.setdefault(currency.exchange_currency.code, [])
+                group.append(currency)
+
+        # Make one API call for each base currency
+        for base_currency, currencies in currency_groups.items():
+            try:
+                # Create a comma-separated list of target currency codes
+                to_currencies = ",".join(
+                    currency.code
+                    for currency in currencies
+                    if currency.code != base_currency
+                )
+
+                # If there are no target currencies other than the base, skip the API call
+                if not to_currencies:
+                    # Handle the case where the only request is for the base rate (e.g., USD to USD)
+                    for currency in currencies:
+                        if currency.code == base_currency:
+                            results.append(
+                                (currency.exchange_currency, currency, Decimal("1"))
+                            )
+                    continue
+
+                response = self.session.get(
+                    self.BASE_URL,
+                    params={"base": base_currency, "symbols": to_currencies},
+                )
+                response.raise_for_status()
+                data = response.json()
+                rates = data["rates"]
+
+                # Process the returned rates
+                for currency in currencies:
+                    if currency.code == base_currency:
+                        # The rate for the base currency to itself is always 1
+                        rate = Decimal("1")
+                    else:
+                        rate = Decimal(str(rates[currency.code]))
+
+                    results.append((currency.exchange_currency, currency, rate))
+
+            except requests.RequestException as e:
+                logger.error(
+                    f"Error fetching rates from Frankfurter API for base {base_currency}: {e}"
+                )
+            except KeyError as e:
+                logger.error(
+                    f"Unexpected response structure from Frankfurter API for base {base_currency}: {e}"
+                )
+            except Exception as e:
+                logger.error(
+                    f"Unexpected error processing Frankfurter data for base {base_currency}: {e}"
+                )
+        return results
+
+
+class TwelveDataProvider(ExchangeRateProvider):
+    """Implementation for the Twelve Data API (twelvedata.com)"""
+
+    BASE_URL = "https://api.twelvedata.com/exchange_rate"
+    rates_inverted = (
+        False  # The API returns direct rates, e.g., for EUR/USD it's 1 EUR = X USD
+    )
+
+    def __init__(self, api_key: str):
+        """
+        Initializes the provider with an API key and a requests session.
+        """
+        super().__init__(api_key)
+        self.session = requests.Session()
+
+    @classmethod
+    def requires_api_key(cls) -> bool:
+        """This provider requires an API key."""
+        return True
+
+    def get_rates(
+        self, target_currencies: QuerySet, exchange_currencies: set
+    ) -> List[Tuple[Currency, Currency, Decimal]]:
+        """
+        Fetches exchange rates from the Twelve Data API for the given currency pairs.
+
+        This provider makes one API call for each requested currency pair.
+        """
+        results = []
+
+        for target_currency in target_currencies:
+            # Ensure the target currency's exchange currency is one we're interested in
+            if target_currency.exchange_currency not in exchange_currencies:
+                continue
+
+            base_currency = target_currency.exchange_currency
+
+            # The exchange rate for the same currency is always 1
+            if base_currency.code == target_currency.code:
+                rate = Decimal("1")
+                results.append((base_currency, target_currency, rate))
+                continue
+
+            # Construct the symbol in the format "BASE/TARGET", e.g., "EUR/USD"
+            symbol = f"{base_currency.code}/{target_currency.code}"
+
+            try:
+                params = {
+                    "symbol": symbol,
+                    "apikey": self.api_key,
+                }
+
+                response = self.session.get(self.BASE_URL, params=params)
+                response.raise_for_status()  # Raise an HTTPError for bad responses (4xx or 5xx)
+
+                data = response.json()
+
+                # The API may return an error message in a JSON object
+                if "rate" not in data:
+                    error_message = data.get("message", "Rate not found in response.")
+                    logger.error(
+                        f"Could not fetch rate for {symbol} from Twelve Data: {error_message}"
+                    )
+                    continue
+
+                # Convert the rate to a Decimal for precision
+                rate = Decimal(str(data["rate"]))
+                results.append((base_currency, target_currency, rate))
+
+                logger.info(f"Successfully fetched rate for {symbol} from Twelve Data.")
+
+                time.sleep(
+                    60
+                )  # We sleep every pair as to not step over TwelveData's minute limit
+
+            except requests.RequestException as e:
+                logger.error(
+                    f"Error fetching rate from Twelve Data API for symbol {symbol}: {e}"
+                )
+            except KeyError as e:
+                logger.error(
+                    f"Unexpected response structure from Twelve Data API for symbol {symbol}: Missing key {e}"
+                )
+            except Exception as e:
+                logger.error(
+                    f"An unexpected error occurred while processing Twelve Data for {symbol}: {e}"
+                )
+
+        return results
+
+
+class TwelveDataMarketsProvider(ExchangeRateProvider):
+    """
+    Provides prices for market instruments (stocks, ETFs, etc.) using the Twelve Data API.
+
+    This provider performs a multi-step process:
+    1. Parses instrument codes which can be symbols, FIGI, CUSIP, or ISIN.
+    2. For CUSIPs, it defaults the currency to USD. For all others, it searches
+       for the instrument to determine its native trading currency.
+    3. Fetches the latest price for the instrument in its native currency.
+    4. Converts the price to the requested target exchange currency.
+    """
+
+    SYMBOL_SEARCH_URL = "https://api.twelvedata.com/symbol_search"
+    PRICE_URL = "https://api.twelvedata.com/price"
+    EXCHANGE_RATE_URL = "https://api.twelvedata.com/exchange_rate"
+
+    rates_inverted = True
+
+    def __init__(self, api_key: str):
+        super().__init__(api_key)
+        self.session = requests.Session()
+
+    @classmethod
+    def requires_api_key(cls) -> bool:
+        return True
+
+    def _parse_code(self, raw_code: str) -> Tuple[str, str]:
+        """Parses the raw code to determine its type and value."""
+        if raw_code.startswith("figi:"):
+            return "figi", raw_code.removeprefix("figi:")
+        if raw_code.startswith("cusip:"):
+            return "cusip", raw_code.removeprefix("cusip:")
+        if raw_code.startswith("isin:"):
+            return "isin", raw_code.removeprefix("isin:")
+        return "symbol", raw_code
+
+    def get_rates(
+        self, target_currencies: QuerySet, exchange_currencies: set
+    ) -> List[Tuple[Currency, Currency, Decimal]]:
+        results = []
+
+        for asset in target_currencies:
+            if asset.exchange_currency not in exchange_currencies:
+                continue
+
+            code_type, code_value = self._parse_code(asset.code)
+            original_currency_code = None
+
+            try:
+                # Determine the instrument's native currency
+                if code_type == "cusip":
+                    # CUSIP codes always default to USD
+                    original_currency_code = "USD"
+                    logger.info(f"Defaulting CUSIP {code_value} to USD currency.")
+                else:
+                    # For all other types, find currency via symbol search
+                    search_params = {"symbol": code_value, "apikey": "demo"}
+                    search_res = self.session.get(
+                        self.SYMBOL_SEARCH_URL, params=search_params
+                    )
+                    search_res.raise_for_status()
+                    search_data = search_res.json()
+
+                    if not search_data.get("data"):
+                        logger.warning(
+                            f"TwelveDataMarkets: Symbol search for '{code_value}' returned no results."
+                        )
+                        continue
+
+                    instrument_data = search_data["data"][0]
+                    original_currency_code = instrument_data.get("currency")
+
+                if not original_currency_code:
+                    logger.error(
+                        f"TwelveDataMarkets: Could not determine original currency for '{code_value}'."
+                    )
+                    continue
+
+                # Get the instrument's price in its native currency
+                price_params = {code_type: code_value, "apikey": self.api_key}
+                price_res = self.session.get(self.PRICE_URL, params=price_params)
+                price_res.raise_for_status()
+                price_data = price_res.json()
+
+                if "price" not in price_data:
+                    error_message = price_data.get(
+                        "message", "Price key not found in response"
+                    )
+                    logger.error(
+                        f"TwelveDataMarkets: Could not get price for {code_type} '{code_value}': {error_message}"
+                    )
+                    continue
+
+                price_in_original_currency = Decimal(price_data["price"])
+
+                # Convert price to the target exchange currency
+                target_exchange_currency = asset.exchange_currency
+
+                if (
+                    original_currency_code.upper()
+                    == target_exchange_currency.code.upper()
+                ):
+                    final_price = price_in_original_currency
+                else:
+                    rate_symbol = (
+                        f"{original_currency_code}/{target_exchange_currency.code}"
+                    )
+                    rate_params = {"symbol": rate_symbol, "apikey": self.api_key}
+                    rate_res = self.session.get(
+                        self.EXCHANGE_RATE_URL, params=rate_params
+                    )
+                    rate_res.raise_for_status()
+                    rate_data = rate_res.json()
+
+                    if "rate" not in rate_data:
+                        error_message = rate_data.get(
+                            "message", "Rate key not found in response"
+                        )
+                        logger.error(
+                            f"TwelveDataMarkets: Could not get conversion rate for '{rate_symbol}': {error_message}"
+                        )
+                        continue
+
+                    conversion_rate = Decimal(str(rate_data["rate"]))
+                    final_price = price_in_original_currency * conversion_rate
+
+                results.append((target_exchange_currency, asset, final_price))
+                logger.info(
+                    f"Successfully processed price for {asset.code} as {final_price} {target_exchange_currency.code}"
+                )
+
+                time.sleep(
+                    60
+                )  # We sleep every pair as to not step over TwelveData's minute limit
+
+            except requests.RequestException as e:
+                logger.error(
+                    f"TwelveDataMarkets: API request failed for {code_value}: {e}"
+                )
+            except (KeyError, IndexError) as e:
+                logger.error(
+                    f"TwelveDataMarkets: Error processing API response for {code_value}: {e}"
+                )
+            except Exception as e:
+                logger.error(
+                    f"TwelveDataMarkets: An unexpected error occurred for {code_value}: {e}"
+                )
+
+        return results
--- a/app/apps/currencies/forms.py
+++ b/app/apps/currencies/forms.py
@@ -1,15 +1,15 @@
-from crispy_forms.bootstrap import FormActions
-from crispy_forms.helper import FormHelper
-from crispy_forms.layout import Layout
-from django import forms
-from django.forms import CharField
-from django.utils.translation import gettext_lazy as _
-
+from apps.common.widgets.crispy.daisyui import Switch
 from apps.common.widgets.crispy.submit import NoClassSubmit
 from apps.common.widgets.datepicker import AirDateTimePickerInput
 from apps.common.widgets.decimal import ArbitraryDecimalDisplayNumberInput
 from apps.common.widgets.tom_select import TomSelect
-from apps.currencies.models import Currency, ExchangeRate
+from apps.currencies.models import Currency, ExchangeRate, ExchangeRateService
+from crispy_forms.bootstrap import FormActions
+from crispy_forms.helper import FormHelper
+from crispy_forms.layout import Column, Layout, Row
+from django import forms
+from django.forms import CharField
+from django.utils.translation import gettext_lazy as _


 class CurrencyForm(forms.ModelForm):
@@ -25,6 +25,7 @@ class CurrencyForm(forms.ModelForm):
            "suffix",
            "code",
            "exchange_currency",
+            "is_archived",
        ]
        widgets = {
            "exchange_currency": TomSelect(),
@@ -39,6 +40,7 @@ class CurrencyForm(forms.ModelForm):
        self.helper.layout = Layout(
            "code",
            "name",
+            Switch("is_archived"),
            "decimal_places",
            "prefix",
            "suffix",
@@ -48,17 +50,13 @@ class CurrencyForm(forms.ModelForm):
        if self.instance and self.instance.pk:
            self.helper.layout.append(
                FormActions(
-                    NoClassSubmit(
-                        "submit", _("Update"), css_class="btn btn-outline-primary w-100"
-                    ),
+                    NoClassSubmit("submit", _("Update"), css_class="btn btn-primary"),
                ),
            )
        else:
            self.helper.layout.append(
                FormActions(
-                    NoClassSubmit(
-                        "submit", _("Add"), css_class="btn btn-outline-primary w-100"
-                    ),
+                    NoClassSubmit("submit", _("Add"), css_class="btn btn-primary"),
                ),
            )

@@ -72,7 +70,7 @@ class ExchangeRateForm(forms.ModelForm):
        model = ExchangeRate
        fields = ["from_currency", "to_currency", "rate", "date"]

-    def __init__(self, *args, user=None, **kwargs):
+    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)

        self.helper = FormHelper()
@@ -81,23 +79,66 @@ class ExchangeRateForm(forms.ModelForm):
        self.helper.layout = Layout("date", "from_currency", "to_currency", "rate")

        self.fields["rate"].widget = ArbitraryDecimalDisplayNumberInput()
-        self.fields["date"].widget = AirDateTimePickerInput(
-            clear_button=False, user=user
-        )
+        self.fields["date"].widget = AirDateTimePickerInput(clear_button=False)

        if self.instance and self.instance.pk:
            self.helper.layout.append(
                FormActions(
-                    NoClassSubmit(
-                        "submit", _("Update"), css_class="btn btn-outline-primary w-100"
-                    ),
+                    NoClassSubmit("submit", _("Update"), css_class="btn btn-primary"),
                ),
            )
        else:
            self.helper.layout.append(
                FormActions(
-                    NoClassSubmit(
-                        "submit", _("Add"), css_class="btn btn-outline-primary w-100"
-                    ),
+                    NoClassSubmit("submit", _("Add"), css_class="btn btn-primary"),
+                ),
+            )
+
+
+class ExchangeRateServiceForm(forms.ModelForm):
+    class Meta:
+        model = ExchangeRateService
+        fields = [
+            "name",
+            "service_type",
+            "is_active",
+            "api_key",
+            "interval_type",
+            "fetch_interval",
+            "target_currencies",
+            "target_accounts",
+            "singleton",
+        ]
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+
+        self.helper = FormHelper()
+        self.helper.form_tag = False
+        self.helper.form_method = "post"
+        self.helper.layout = Layout(
+            "name",
+            "service_type",
+            Switch("is_active"),
+            Switch("singleton"),
+            "api_key",
+            Row(
+                Column("interval_type"),
+                Column("fetch_interval"),
+            ),
+            "target_currencies",
+            "target_accounts",
+        )
+
+        if self.instance and self.instance.pk:
+            self.helper.layout.append(
+                FormActions(
+                    NoClassSubmit("submit", _("Update"), css_class="btn btn-primary"),
+                ),
+            )
+        else:
+            self.helper.layout.append(
+                FormActions(
+                    NoClassSubmit("submit", _("Add"), css_class="btn btn-primary"),
                ),
            )
--- a/app/apps/currencies/migrations/0007_exchangerateservice.py
+++ b/app/apps/currencies/migrations/0007_exchangerateservice.py
@@ -0,0 +1,32 @@
+# Generated by Django 5.1.5 on 2025-02-02 20:35
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0006_currency_exchange_currency'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ExchangeRateService',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.CharField(max_length=255, unique=True, verbose_name='Service Name')),
+                ('service_type', models.CharField(choices=[('synth_finance', 'Synth Finance'), ('coingecko', 'CoinGecko')], max_length=255, verbose_name='Service Type')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Active')),
+                ('api_key', models.CharField(blank=True, help_text='API key for the service (if required)', max_length=255, null=True, verbose_name='API Key')),
+                ('fetch_interval_hours', models.PositiveIntegerField(default=24, validators=[django.core.validators.MinValueValidator(1)], verbose_name='Fetch Interval (hours)')),
+                ('last_fetch', models.DateTimeField(blank=True, null=True, verbose_name='Last Successful Fetch')),
+                ('target_currencies', models.ManyToManyField(help_text='Select currencies to fetch exchange rates for. Rates will be fetched for each currency against their exchange_currency.', related_name='exchange_services', to='currencies.currency', verbose_name='Target Currencies')),
+            ],
+            options={
+                'verbose_name': 'Exchange Rate Service',
+                'verbose_name_plural': 'Exchange Rate Services',
+                'ordering': ['name'],
+            },
+        ),
+    ]
--- a/app/apps/currencies/migrations/0008_exchangerateservice_target_accounts_and_more.py
+++ b/app/apps/currencies/migrations/0008_exchangerateservice_target_accounts_and_more.py
@@ -0,0 +1,24 @@
+# Generated by Django 5.1.5 on 2025-02-03 01:52
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0008_alter_account_name'),
+        ('currencies', '0007_exchangerateservice'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='exchangerateservice',
+            name='target_accounts',
+            field=models.ManyToManyField(help_text="Select accounts to fetch exchange rates for. Rates will be fetched for each account's currency against their set exchange currency.", related_name='exchange_services', to='accounts.account', verbose_name='Target Accounts'),
+        ),
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='target_currencies',
+            field=models.ManyToManyField(help_text='Select currencies to fetch exchange rates for. Rates will be fetched for each currency against their set exchange currency.', related_name='exchange_services', to='currencies.currency', verbose_name='Target Currencies'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0009_alter_exchangerateservice_target_accounts_and_more.py
+++ b/app/apps/currencies/migrations/0009_alter_exchangerateservice_target_accounts_and_more.py
@@ -0,0 +1,24 @@
+# Generated by Django 5.1.5 on 2025-02-03 01:55
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0008_alter_account_name'),
+        ('currencies', '0008_exchangerateservice_target_accounts_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='target_accounts',
+            field=models.ManyToManyField(blank=True, help_text="Select accounts to fetch exchange rates for. Rates will be fetched for each account's currency against their set exchange currency.", related_name='exchange_services', to='accounts.account', verbose_name='Target Accounts'),
+        ),
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='target_currencies',
+            field=models.ManyToManyField(blank=True, help_text='Select currencies to fetch exchange rates for. Rates will be fetched for each currency against their set exchange currency.', related_name='exchange_services', to='currencies.currency', verbose_name='Target Currencies'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0010_alter_currency_code.py
+++ b/app/apps/currencies/migrations/0010_alter_currency_code.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.1.5 on 2025-02-03 03:17
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0009_alter_exchangerateservice_target_accounts_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='currency',
+            name='code',
+            field=models.CharField(max_length=255, verbose_name='Currency Code'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0011_remove_exchangerateservice_fetch_interval_hours_and_more.py
+++ b/app/apps/currencies/migrations/0011_remove_exchangerateservice_fetch_interval_hours_and_more.py
@@ -0,0 +1,32 @@
+# Generated by Django 5.1.5 on 2025-02-07 02:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0010_alter_currency_code'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='exchangerateservice',
+            name='fetch_interval_hours',
+        ),
+        migrations.AddField(
+            model_name='exchangerateservice',
+            name='fetch_interval',
+            field=models.CharField(default='24', max_length=1000, verbose_name='Interval'),
+        ),
+        migrations.AddField(
+            model_name='exchangerateservice',
+            name='interval_type',
+            field=models.CharField(choices=[('on', 'On'), ('every', 'Every X hours'), ('not_on', 'Not on')], default='every', max_length=255, verbose_name='Interval Type'),
+        ),
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='service_type',
+            field=models.CharField(choices=[('synth_finance', 'Synth Finance'), ('coingecko_free', 'CoinGecko (Demo/Free)'), ('coingecko_pro', 'CoinGecko (Pro)')], max_length=255, verbose_name='Service Type'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0012_alter_exchangerateservice_service_type.py
+++ b/app/apps/currencies/migrations/0012_alter_exchangerateservice_service_type.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.1.6 on 2025-03-02 01:28
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0011_remove_exchangerateservice_fetch_interval_hours_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='service_type',
+            field=models.CharField(choices=[('synth_finance', 'Synth Finance'), ('synth_finance_stock', 'Synth Finance Stock'), ('coingecko_free', 'CoinGecko (Demo/Free)'), ('coingecko_pro', 'CoinGecko (Pro)')], max_length=255, verbose_name='Service Type'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0013_alter_exchangerateservice_service_type.py
+++ b/app/apps/currencies/migrations/0013_alter_exchangerateservice_service_type.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.1.6 on 2025-03-02 01:58
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0012_alter_exchangerateservice_service_type'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='service_type',
+            field=models.CharField(choices=[('synth_finance', 'Synth Finance'), ('synth_finance_stock', 'Synth Finance Stock'), ('coingecko_free', 'CoinGecko (Demo/Free)'), ('coingecko_pro', 'CoinGecko (Pro)'), ('transitive', 'Transitive (Calculated from Existing Rates)')], max_length=255, verbose_name='Service Type'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0014_alter_currency_options.py
+++ b/app/apps/currencies/migrations/0014_alter_currency_options.py
@@ -0,0 +1,17 @@
+# Generated by Django 5.1.7 on 2025-03-09 21:54
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0013_alter_exchangerateservice_service_type'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='currency',
+            options={'ordering': ['name', 'id'], 'verbose_name': 'Currency', 'verbose_name_plural': 'Currencies'},
+        ),
+    ]
--- a/app/apps/currencies/migrations/0015_exchangerate_automatic_exchangerateservice_singleton.py
+++ b/app/apps/currencies/migrations/0015_exchangerate_automatic_exchangerateservice_singleton.py
@@ -0,0 +1,23 @@
+# Generated by Django 5.2.4 on 2025-08-08 02:18
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0014_alter_currency_options'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='exchangerate',
+            name='automatic',
+            field=models.BooleanField(default=False, verbose_name='Automatic'),
+        ),
+        migrations.AddField(
+            model_name='exchangerateservice',
+            name='singleton',
+            field=models.BooleanField(default=False, help_text='Create one exchange rate and keep updating it. Avoids database clutter.', verbose_name='Single exchange rate'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0016_alter_exchangerate_automatic.py
+++ b/app/apps/currencies/migrations/0016_alter_exchangerate_automatic.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.4 on 2025-08-08 02:38
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0015_exchangerate_automatic_exchangerateservice_singleton'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='exchangerate',
+            name='automatic',
+            field=models.BooleanField(default=False, verbose_name='Auto'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0017_alter_exchangerateservice_service_type.py
+++ b/app/apps/currencies/migrations/0017_alter_exchangerateservice_service_type.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.5 on 2025-08-16 22:18
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0016_alter_exchangerate_automatic'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='service_type',
+            field=models.CharField(choices=[('synth_finance', 'Synth Finance'), ('synth_finance_stock', 'Synth Finance Stock'), ('coingecko_free', 'CoinGecko (Demo/Free)'), ('coingecko_pro', 'CoinGecko (Pro)'), ('transitive', 'Transitive (Calculated from Existing Rates)'), ('frankfurter', 'Frankfurter')], max_length=255, verbose_name='Service Type'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0018_alter_exchangerateservice_service_type.py
+++ b/app/apps/currencies/migrations/0018_alter_exchangerateservice_service_type.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.5 on 2025-08-17 03:54
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0017_alter_exchangerateservice_service_type'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='service_type',
+            field=models.CharField(choices=[('synth_finance', 'Synth Finance'), ('synth_finance_stock', 'Synth Finance Stock'), ('coingecko_free', 'CoinGecko (Demo/Free)'), ('coingecko_pro', 'CoinGecko (Pro)'), ('transitive', 'Transitive (Calculated from Existing Rates)'), ('frankfurter', 'Frankfurter'), ('twelvedata', 'TwelveData')], max_length=255, verbose_name='Service Type'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0019_alter_exchangerateservice_service_type.py
+++ b/app/apps/currencies/migrations/0019_alter_exchangerateservice_service_type.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.5 on 2025-08-17 06:01
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0018_alter_exchangerateservice_service_type'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='service_type',
+            field=models.CharField(choices=[('synth_finance', 'Synth Finance'), ('synth_finance_stock', 'Synth Finance Stock'), ('coingecko_free', 'CoinGecko (Demo/Free)'), ('coingecko_pro', 'CoinGecko (Pro)'), ('transitive', 'Transitive (Calculated from Existing Rates)'), ('frankfurter', 'Frankfurter'), ('twelvedata', 'TwelveData'), ('twelvedatamarkets', 'TwelveData Markets')], max_length=255, verbose_name='Service Type'),
+        ),
+    ]
--- a/app/apps/currencies/migrations/0020_migrate_synth_finance_services.py
+++ b/app/apps/currencies/migrations/0020_migrate_synth_finance_services.py
@@ -0,0 +1,51 @@
+# Generated by Django 5.2.5 on 2025-08-17 06:25
+
+from django.db import migrations
+
+# The new value we are migrating to
+NEW_SERVICE_TYPE = "frankfurter"
+# The old values we are deprecating
+OLD_SERVICE_TYPE_TO_UPDATE = "synth_finance"
+OLD_SERVICE_TYPE_TO_DELETE = "synth_finance_stock"
+
+
+def forwards_func(apps, schema_editor):
+    """
+    Forward migration:
+    - Deletes all ExchangeRateService instances with service_type 'synth_finance_stock'.
+    - Updates all ExchangeRateService instances with service_type 'synth_finance' to 'frankfurter'.
+    """
+    ExchangeRateService = apps.get_model("currencies", "ExchangeRateService")
+    db_alias = schema_editor.connection.alias
+
+    # 1. Delete the SYNTH_FINANCE_STOCK entries
+    ExchangeRateService.objects.using(db_alias).filter(
+        service_type=OLD_SERVICE_TYPE_TO_DELETE
+    ).delete()
+
+    # 2. Update the SYNTH_FINANCE entries to FRANKFURTER
+    ExchangeRateService.objects.using(db_alias).filter(
+        service_type=OLD_SERVICE_TYPE_TO_UPDATE
+    ).update(service_type=NEW_SERVICE_TYPE, api_key=None)
+
+
+def backwards_func(apps, schema_editor):
+    """
+    Backward migration: This operation is not safely reversible.
+    - We cannot know which 'frankfurter' services were originally 'synth_finance'.
+    - The deleted 'synth_finance_stock' services cannot be recovered.
+    We will leave this function empty to allow migrating backwards without doing anything.
+    """
+    pass
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        # Add the previous migration file here
+        ("currencies", "0019_alter_exchangerateservice_service_type"),
+    ]
+
+    operations = [
+        migrations.RunPython(forwards_func, reverse_code=backwards_func),
+    ]
--- a/app/apps/currencies/migrations/0021_alter_exchangerateservice_service_type.py
+++ b/app/apps/currencies/migrations/0021_alter_exchangerateservice_service_type.py
@@ -0,0 +1,18 @@
+# Generated by Django 5.2.5 on 2025-08-17 06:29
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('currencies', '0020_migrate_synth_finance_services'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='exchangerateservice',
+            name='service_type',
+            field=models.CharField(choices=[('coingecko_free', 'CoinGecko (Demo/Free)'), ('coingecko_pro', 'CoinGecko (Pro)'), ('transitive', 'Transitive (Calculated from Existing Rates)'), ('frankfurter', 'Frankfurter'), ('twelvedata', 'TwelveData'), ('twelvedatamarkets', 'TwelveData Markets')], max_length=255, verbose_name='Service Type'),
+        ),
+    ]
--- a/Show More
+++ b/Show More