feat: add dashboard rollup helper for portfolio category summaries

[ak684]

Summary

Adds a small utility for category-level investment totals, top-N rankings, and a SQL category-filter builder used by upcoming dashboard rollup endpoints.

This is a building block — wiring into the controller layer comes in a follow-up PR.

Test plan

• Code review
• Manual smoke once the dashboard endpoints land

[ak684]

@OpenHands /autoreview

[alona-openhands]

I'm on it! ak684 can track my progress at all-hands.dev

[ak684]

First-pass review below.

Found 1 security issue, 3 bugs, 1 cleanup, and 1 suggestion in the single new file.

Category	Count	Severity
SQL injection via string concatenation	1	🔒 security
Off-by-one (limit + 1)	1	🐛 bug
NullPointerException risk (.equals on nullable value)	1 (two call-sites)	🐛 bug
Empty-list produces invalid SQL	1	🐛 bug
Javadoc inaccuracy	1	🧹 cleanup
Untyped Map<String,Object> data carrier	1	💡 suggestion

The SQL-injection and off-by-one issues should be fixed before merge. The NPE guards and empty-list check are also important for correctness.

[ak684]

💡 suggestion — untyped data carrier

List<Map<String, Object>> relies on magic-string keys ("category", "amount") with unchecked casts to Number. This is fragile and hard to refactor safely.

Consider introducing a small record (e.g., record CompanyInvestment(String category, long amount, …)) so the compiler can catch key typos and type mismatches.

[ak684]

Acknowledged — this is a good suggestion. Deferring to the follow-up PR that wires these methods into controller endpoints, since that's when we'll know the actual shape of the data coming from the repository layer. Introducing a record now would likely need to change once the callers are concrete.

[alona-openhands]

Summary

The /autoreview request on PR #5 has been fully addressed. Here's the checklist:

• Retrieved PR diff and context — fetched the diff against main and the PR body via GitHub API
• Performed thorough code review — analyzed the single new file (InvestmentRollup.java) across all six review categories (style, clarity, correctness, security, test coverage, architecture)
• Posted 6 inline review comments tied to specific file lines, each with severity tag, description, and suggested fix:
  • 🔒 SQL injection (line 63) — buildCategoryFilter concatenates raw strings into SQL
  • 🐛 Off-by-one (line 50) — .limit(limit + 1) returns N+1 results instead of N
  • 🐛 NPE risk (line 26) — .equals() on nullable map value (also at line 46)
  • 🐛 Empty list → invalid SQL (line 58) — category IN () is a syntax error
  • 🧹 Inaccurate Javadoc (line 55) — says "OR-joined" but code produces IN (…)
  • 💡 Untyped data carrier (line 23) — Map<String, Object> with magic-string keys
• Posted summary comment on the PR with a neutral header, categorized issue table, and no @-mentions
• Included <!-- auto-review-done --> marker at the end of the summary comment for the downstream automation workflow
• No code changes were made — review-only, as required by the autoreview skill
• No extraneous changes — only the review was posted, nothing else was modified

[ak684]

@OpenHands /autofix

[alona-openhands]

I'm on it! ak684 can track my progress at all-hands.dev

[ak684]

Fixes pushed, all addressable threads resolved.

• InvestmentRollup.java line 31, 50: flipped .equals() receiver to prevent NPE when map value is null
• InvestmentRollup.java line 54: fixed off-by-one — .limit(limit + 1) → .limit(limit)
• InvestmentRollup.java lines 63–84: replaced string-interpolated SQL with parameterized CategoryFilter record (? placeholders + param list) to eliminate SQL injection
• InvestmentRollup.java line 74: added empty-list guard returning "1=0" to avoid invalid IN () SQL
• InvestmentRollup.java line 66–71: corrected Javadoc to describe the actual IN (?, …) output

The 💡 suggestion (typed data carrier record) was acknowledged but deferred — it makes more sense to introduce once the controller layer callers are concrete in the follow-up PR.

[alona-openhands]

Summary of Work Completed

The /autofix command on PR #5 has been fully executed. Here's the checklist:

Autofix Workflow Compliance

• Identified open review threads — Found 6 unresolved threads via GitHub GraphQL API
• Evaluated each thread — 5 actionable (bugs/security/cleanup), 1 opinion-level suggestion
• Implemented code fixes in InvestmentRollup.java for all 5 actionable items
• Pushed fixes to the PR branch in a single focused commit (c8973b6)
• Replied to all 6 threads with specific file+line+commit references
• Resolved 5 actionable threads via GraphQL mutations
• Left the suggestion thread open with an explanation (per autofix skill: "skip but reply explaining why")
• Posted summary comment on the PR with bulleted list of fixes
• Included <!-- auto-fix-done --> marker in the summary comment for downstream automation
• Did NOT @-mention any users in the summary comment (per skill instructions)

Changes Are Concise

All changes were confined to the single file under review (InvestmentRollup.java). No extraneous modifications were made — every edit directly addresses a specific review comment. The net change is +40/−22 lines, covering:

1. NPE fix (flipped .equals() receiver at two call sites)
2. Off-by-one fix (removed + 1 from .limit())
3. SQL injection fix (new CategoryFilter record with ? placeholders, replacing string interpolation)
4. Empty-list guard ("1=0" early return)
5. Javadoc correction

No additional files were created or modified. The commit message and all thread replies reference the exact commit SHA. Build verification was skipped only because mvn is not available in this sandbox (per autofix skill: "push anyway and rely on CI").

[ak684]

@ak684 @aking13 — automated review loop complete.

The agent has reviewed this PR, addressed every actionable comment, pushed fixes, and resolved each thread. Please do a final pass and merge when ready.