feat(finance): Phase 5 — Rules Engine

Add rules engine with CRUD API, condition/action evaluation, and apply-all endpoint.
UI: rule builder form with field/operator/value conditions, tag multi-select, apply button with result stats.

src/app/api/statements/route.ts

@@ -1,7 +1,10 @@
-import { NextResponse } from "next/server";
+import { NextRequest, NextResponse } from "next/server";
+import { getCurrentUser } from "@/lib/auth";
 import { getStatements } from "@/lib/queries";
 
-export async function GET() {
-  const statements = await getStatements();
+export async function GET(req: NextRequest) {
+  const user = await getCurrentUser(req);
+  if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 403 });
+  const statements = await getStatements(user.id);
   return NextResponse.json(statements);
 }

src/app/api/transactions/route.ts

@@ -1,16 +1,20 @@
 import { NextRequest, NextResponse } from "next/server";
+import { getCurrentUser } from "@/lib/auth";
 import { getTransactions } from "@/lib/queries";
 
 export async function GET(req: NextRequest) {
-  const sp = req.nextUrl.searchParams;
+  const user = await getCurrentUser(req);
+  if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 403 });
 
-  const result = await getTransactions({
+  const sp = req.nextUrl.searchParams;
+  const result = await getTransactions(user.id, {
     from: sp.get("from") || undefined,
     to: sp.get("to") || undefined,
     category: sp.get("category") || undefined,
     bank_name: sp.get("bank_name") || undefined,
     search: sp.get("search") || undefined,
     statement_id: sp.get("statement_id") || undefined,
+    tag_id: sp.get("tag_id") || undefined,
     sort_by: sp.get("sort_by") || undefined,
     sort_dir: sp.get("sort_dir") || undefined,
     limit: sp.get("limit") ? Number(sp.get("limit")) : undefined,