feat: export privacy warning + updated included fields list (v0.24.1)

- Added amber warning banner on Download My Data section about sensitive metadata
- Updated 'What's included' list to show monthly starting amounts and history ranges
- Marked LOW export sensitive fields item as FIXED in FUTURE.md

FUTURE.md

@@ -3,7 +3,7 @@
 **This document tracks potential future enhancements for Bill Tracker.**
 
 **Last Updated:** 2026-05-10  
-**Current Version:** v0.24.0
+**Current Version:** v0.24.1
 
 ## How to Use This Document
 
@@ -128,23 +128,8 @@ Many routes contain business logic that should be extracted to service layers.
 ### 🔵 LOW
 
 
-### 🔵 Export Formats Include Sensitive Bill Credential Fields by Default — LOW
-**Priority:** LOW  
-**Added:** 2026-05-10 by Prime (code review)  
-**Type:** SECURITY / PRIVACY
-
-**Description:**
-Full user exports include `website`, `username`, `account_info`, notes, and monthly notes by default. This may be intended for portability, but it turns every Excel/SQLite export into a high-sensitivity artifact and there is no lightweight/redacted export option.
-
-**Affected Files:**
-- `routes/export.js:88-153`
-- `routes/export.js:156-199`
-- `routes/profile.js:236-254`
-
-**Potential Fix:**
-Add explicit UI copy warning that exports may contain account metadata, and consider a redacted export mode that excludes credential/account fields and free-form notes.
-
-**Severity:** LOW
+### ~~🔵 Export Formats Include Sensitive Bill Credential Fields by Default — LOW~~ ✅ FIXED (v0.24.1)
+**Moved to HISTORY.md**
 
 ### ~~🔵 Duplicate Local Login Route Increases Auth Drift Risk — LOW~~ ✅ FIXED (v0.23.2)
 **Moved to HISTORY.md**

HISTORY.md

@@ -1,5 +1,10 @@
 # Bill Tracker — Changelog
 
+## v0.24.1
+
+### Added
+- **Export privacy warning** — Amber alert banner on Download My Data section warning that exports may contain sensitive account metadata (website URLs, usernames, account info). Updated "What's included" list to show monthly starting amounts and history ranges.
+
 ## v0.24.0
 
 ### Fixed

client/lib/version.js

@@ -1,19 +1,10 @@
-export const APP_VERSION = '0.24.0';
+export const APP_VERSION = '0.24.1';
 export const APP_NAME    = 'BillTracker';
 
 export const RELEASE_NOTES = {
-  version: '0.24.0',
+  version: '0.24.1',
   date: '2026-05-10',
   highlights: [
-    { icon: '🧹', title: 'Clear Demo Data Fix', desc: 'Fixed Clear Demo Data button — removed placeholder, made button accessible, fixed seed user ID bug, removed duplicate endpoint.' },
-    { icon: '🛡️', title: 'Admin Toggle-Paid Restricted', desc: 'Admins can no longer toggle payments on other users\' bills. All bill payment mutations now require ownership.' },
-    { icon: '🔧', title: 'Analytics Crash Fix', desc: 'Imported missing standardizeError in analytics routes — invalid query params now return 400 instead of 500.' },
-    { icon: '📦', title: 'Export Data Integrity', desc: 'User exports now include cycle_type, cycle_day, and bill_history_ranges — no more data loss on export/import.' },
-    { icon: '🔓', title: 'Single-User Mode Lockout Fix', desc: 'Fixed single-user mode locking out when expired sessions exist — removed unnecessary session join from user lookup.' },
-    { icon: '⏱️', title: 'Rate Limiter Scoped', desc: 'Password rate limiter now only applies to change-password routes, not all profile reads/updates.' },
-    { icon: '🔑', title: 'Session Invalidation Fix', desc: 'Profile password change now correctly invalidates other sessions using cookie value, not missing sessionId.' },
-    { icon: '🍪', title: 'CSRF Default Fixed', desc: 'CSRF cookie httpOnly defaults to false (matches SPA pattern). Password change routes no longer exempted from CSRF.' },
-    { icon: '📅', title: 'Notification Due-Day Fix', desc: 'Fixed same-day reminder classification — now compares calendar days instead of timestamps to avoid overdue misclass.' },
-    { icon: '📊', title: 'Upcoming Bills Validation', desc: 'Negative/invalid day windows now default to 30 instead of producing empty results.' },
+    { icon: '⚠️', title: 'Export Privacy Warning', desc: 'Added visible warning that exports may contain sensitive account metadata. Updated "What\'s included" list to show new export fields (monthly starting amounts, history ranges).' },
   ],
 };

client/pages/DataPage.jsx

@@ -288,11 +288,15 @@ export function DownloadMyDataSection() {
       <ExportCard icon={FileSpreadsheet} title="Excel Databook"
         description="Download an Excel workbook with sheets for bills, payments, categories, monthly state, and summary data."
         filename="bill-tracker-databook.xlsx" endpoint="/api/export/user-excel" />
+      <div className="px-6 py-3 rounded-md bg-amber-50 dark:bg-amber-950/30 border border-amber-200 dark:border-amber-800/40 flex items-start gap-2.5 mx-6 mt-2">
+        <AlertTriangle className="h-4 w-4 text-amber-600 dark:text-amber-400 shrink-0 mt-0.5" />
+        <p className="text-xs text-amber-700 dark:text-amber-300">Exports may contain sensitive account metadata (website URLs, usernames, account info). Store exported files securely and avoid sharing them unencrypted.</p>
+      </div>
       <div className="px-6 py-5 grid grid-cols-1 sm:grid-cols-2 gap-3">
         <div className="rounded-lg bg-muted/40 border border-border/60 p-4">
           <p className="text-[10px] font-bold uppercase tracking-widest text-muted-foreground mb-2.5">What's included</p>
           <ul className="space-y-1.5">
-            {['Bills','Payments','Categories','Monthly bill state','Notes','Export metadata'].map(i => (
+            {['Bills','Payments','Categories','Monthly bill state','Monthly starting amounts','History ranges','Notes','Export metadata'].map(i => (
               <li key={i} className="flex items-center gap-2 text-xs text-foreground/80">
                 <CheckCircle2 className="h-3.5 w-3.5 text-emerald-500 shrink-0" />{i}
               </li>

package.json

@@ -1,6 +1,6 @@
 {
   "name": "bill-tracker",
-  "version": "0.24.0",
+  "version": "0.24.1",
   "description": "Monthly bill tracking system",
   "main": "server.js",
   "scripts": {