feat(go): IO layer behind interfaces (M4)

- io/attendance: CSV-over-public-URL client + Fake for adult/junior tabs
- io/drive: Drive v3 modifiedTime client + Fake
- io/sheets: Sheets v4 client (GetValues/AppendValues/BatchUpdateValues/
  WriteHeader/SortByDateColumn) + Fake with call-capture
- io/cache: Drive-modifiedTime-gated FileCache; two TTL knobs; atomic
  writes; generic Get[T]; Python-compatible JSON format; Flush()
- io/fio: Client interface backed by Fio REST API (apiClient) and HTML
  scraper (transparentClient); Fake; testdata fixtures
- membership/sources: NewSources wires attendance CSV + Sheets + cache
  into LoadAdults/LoadJuniors/LoadTransactions/LoadExceptions; Czech
  month parsing + merged-month maps
- banksync: SyncToSheets (SHA-256 dedup, optional sort) and
  InferPayments ([?] review prefix, dry-run) — tested with fakes
- cmd/fuj: sync and infer subcommands wired; fees and reconcile use
  real NewSources; go.mod gains google.golang.org/api + x/net
- gofumpt extra-rules applied across all packages; lint clean

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

go/internal/io/fio/api.go

@@ -0,0 +1,128 @@
+package fio
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+)
+
+// httpDoer is the subset of *http.Client used by both Fio impls.
+type httpDoer interface {
+	Do(*http.Request) (*http.Response, error)
+}
+
+// apiClient fetches transactions from the Fio REST API (JSON).
+// Ports scripts/fio_utils.py fetch_transactions_api.
+type apiClient struct {
+	token string
+	hc    httpDoer
+}
+
+func (c *apiClient) FetchTransactions(ctx context.Context, from, to time.Time) ([]Transaction, error) {
+	const layout = "2006-01-02"
+	url := fmt.Sprintf("https://fioapi.fio.cz/v1/rest/periods/%s/%s/%s/transactions.json",
+		c.token, from.Format(layout), to.Format(layout))
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := c.hc.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("fio api: HTTP %d", resp.StatusCode)
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	return parseAPIResponse(body)
+}
+
+// fioAPIResponse is the top-level envelope from the Fio JSON API.
+type fioAPIResponse struct {
+	AccountStatement struct {
+		TransactionList struct {
+			Transaction []map[string]json.RawMessage `json:"transaction"`
+		} `json:"transactionList"`
+	} `json:"accountStatement"`
+}
+
+func parseAPIResponse(body []byte) ([]Transaction, error) {
+	var resp fioAPIResponse
+	if err := json.Unmarshal(body, &resp); err != nil {
+		return nil, fmt.Errorf("fio api: parse JSON: %w", err)
+	}
+
+	var txns []Transaction
+	for _, raw := range resp.AccountStatement.TransactionList.Transaction {
+		amount := colFloat(raw, "column1")
+		if amount <= 0 {
+			continue // skip outgoing
+		}
+		dateRaw := colString(raw, "column0")
+		dateStr := ""
+		if len(dateRaw) >= 10 {
+			dateStr = dateRaw[:10]
+		}
+		txns = append(txns, Transaction{
+			Date:          dateStr,
+			Amount:        amount,
+			Sender:        colString(raw, "column10"),
+			Message:       colString(raw, "column16"),
+			VS:            colString(raw, "column5"),
+			KS:            colString(raw, "column4"),
+			SS:            colString(raw, "column6"),
+			UserID:        colString(raw, "column7"),
+			SenderAccount: colString(raw, "column2"),
+			BankID:        colString(raw, "column22"),
+			Currency:      colStringOr(raw, "column14", "CZK"),
+		})
+	}
+	return txns, nil
+}
+
+// colString extracts {"value":…} as a string from a column map.
+func colString(m map[string]json.RawMessage, col string) string {
+	raw, ok := m[col]
+	if !ok {
+		return ""
+	}
+	var cell struct {
+		Value *string `json:"value"`
+	}
+	if json.Unmarshal(raw, &cell) != nil || cell.Value == nil {
+		return ""
+	}
+	return *cell.Value
+}
+
+// colStringOr is colString with a fallback value.
+func colStringOr(m map[string]json.RawMessage, col, fallback string) string {
+	if v := colString(m, col); v != "" {
+		return v
+	}
+	return fallback
+}
+
+// colFloat extracts {"value":…} as a float64 from a column map.
+// Returns 0 on any error (null column, non-numeric value).
+func colFloat(m map[string]json.RawMessage, col string) float64 {
+	raw, ok := m[col]
+	if !ok {
+		return 0
+	}
+	var cell struct {
+		Value *float64 `json:"value"`
+	}
+	if json.Unmarshal(raw, &cell) != nil || cell.Value == nil {
+		return 0
+	}
+	return *cell.Value
+}

go/internal/io/fio/client.go

@@ -0,0 +1,37 @@
+// Package fio fetches Fio bank transactions via the JSON API or the
+// transparent-page HTML scraper, behind a common Client interface.
+package fio
+
+import (
+	"context"
+	"time"
+)
+
+// Transaction is one incoming bank payment. Fields absent from the HTML scraper
+// (BankID, Currency, UserID, SenderAccount) are empty strings on that path.
+type Transaction struct {
+	Date          string
+	Amount        float64
+	Sender        string
+	Message       string
+	VS            string
+	KS            string
+	SS            string
+	UserID        string // column7; empty on HTML path
+	SenderAccount string // column2; empty on HTML path
+	BankID        string // column22; empty on HTML path
+	Currency      string // column14; empty on HTML path (assume CZK)
+}
+
+// Client fetches transactions for a date window.
+type Client interface {
+	FetchTransactions(ctx context.Context, from, to time.Time) ([]Transaction, error)
+}
+
+// New returns an apiClient when token is non-empty, otherwise a transparentClient.
+func New(token, accountNum string, hc httpDoer) Client {
+	if token != "" {
+		return &apiClient{token: token, hc: hc}
+	}
+	return &transparentClient{accountNum: accountNum, hc: hc}
+}

go/internal/io/fio/fake.go

@@ -0,0 +1,19 @@
+package fio
+
+import (
+	"context"
+	"time"
+)
+
+// Fake is an in-memory replacement for Client, used in tests.
+type Fake struct {
+	Transactions []Transaction
+	Err          error
+}
+
+func (f *Fake) FetchTransactions(_ context.Context, _, _ time.Time) ([]Transaction, error) {
+	if f.Err != nil {
+		return nil, f.Err
+	}
+	return f.Transactions, nil
+}

go/internal/io/fio/fio_test.go

@@ -0,0 +1,157 @@
+package fio
+
+import (
+	"context"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"testing"
+	"time"
+)
+
+func TestAPIClient_ParseResponse(t *testing.T) {
+	body, err := os.ReadFile("testdata/api_response.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	txns, err := parseAPIResponse(body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(txns) != 1 {
+		t.Fatalf("want 1 txn (outgoing filtered), got %d", len(txns))
+	}
+	tx := txns[0]
+	if tx.Date != "2026-04-10" {
+		t.Errorf("date: want '2026-04-10', got %q", tx.Date)
+	}
+	if tx.Amount != 750 {
+		t.Errorf("amount: want 750, got %v", tx.Amount)
+	}
+	if tx.Sender != "Jana Novakova" {
+		t.Errorf("sender: want 'Jana Novakova', got %q", tx.Sender)
+	}
+	if tx.Message != "duben 2026" {
+		t.Errorf("message: want 'duben 2026', got %q", tx.Message)
+	}
+	if tx.VS != "123" {
+		t.Errorf("vs: want '123', got %q", tx.VS)
+	}
+	if tx.BankID != "12345678901" {
+		t.Errorf("bank_id: want '12345678901', got %q", tx.BankID)
+	}
+}
+
+func TestAPIClient_HTTPRoundTrip(t *testing.T) {
+	body, _ := os.ReadFile("testdata/api_response.json")
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+		_, _ = w.Write(body)
+	}))
+	defer srv.Close()
+
+	c := &apiClient{token: "TESTTOKEN", hc: &overrideClient{base: srv.Client(), baseURL: srv.URL}}
+	txns, err := c.FetchTransactions(context.Background(), time.Now().AddDate(0, -1, 0), time.Now())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(txns) != 1 {
+		t.Fatalf("want 1 txn, got %d", len(txns))
+	}
+}
+
+func TestTransparentClient_ParseHTML(t *testing.T) {
+	body, err := os.ReadFile("testdata/transparent.html")
+	if err != nil {
+		t.Fatal(err)
+	}
+	txns, err := parseTransparentHTML(body)
+	if err != nil {
+		t.Fatal(err)
+	}
+	// Only the incoming row (750 CZK) should be kept; -200 is outgoing
+	if len(txns) != 1 {
+		t.Fatalf("want 1 txn (outgoing filtered), got %d", len(txns))
+	}
+	tx := txns[0]
+	if tx.Date != "2026-04-10" {
+		t.Errorf("date: want '2026-04-10', got %q", tx.Date)
+	}
+	if tx.Amount != 750 {
+		t.Errorf("amount: want 750, got %v", tx.Amount)
+	}
+	if tx.Sender != "Jana Novakova" {
+		t.Errorf("sender: want 'Jana Novakova', got %q", tx.Sender)
+	}
+	if tx.VS != "123" {
+		t.Errorf("vs: want '123', got %q", tx.VS)
+	}
+	if tx.BankID != "" {
+		t.Errorf("bank_id: want empty on HTML path, got %q", tx.BankID)
+	}
+}
+
+func TestParseCzechDate(t *testing.T) {
+	cases := []struct{ in, want string }{
+		{"10.04.2026", "2026-04-10"},
+		{"10/04/2026", "2026-04-10"},
+		{"", ""},
+		{"invalid", ""},
+	}
+	for _, c := range cases {
+		if got := parseCzechDate(c.in); got != c.want {
+			t.Errorf("parseCzechDate(%q) = %q, want %q", c.in, got, c.want)
+		}
+	}
+}
+
+func TestParseCzechAmount(t *testing.T) {
+	cases := []struct {
+		in   string
+		want float64
+	}{
+		{"750,00 CZK", 750},
+		{"1.500,00", 1500},
+		{"1500.00", 1500},
+		{"-200,00 CZK", -200},
+	}
+	for _, c := range cases {
+		if got := parseCzechAmount(c.in); got != c.want {
+			t.Errorf("parseCzechAmount(%q) = %v, want %v", c.in, got, c.want)
+		}
+	}
+}
+
+func TestFake(t *testing.T) {
+	f := &Fake{Transactions: []Transaction{{Date: "2026-04-01", Amount: 500}}}
+	txns, err := f.FetchTransactions(context.Background(), time.Now(), time.Now())
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(txns) != 1 || txns[0].Date != "2026-04-01" {
+		t.Errorf("unexpected: %v", txns)
+	}
+}
+
+// overrideClient replaces the URL in requests so we can hit a local test server
+// instead of the real Fio URL.
+type overrideClient struct {
+	base    *http.Client
+	baseURL string
+}
+
+func (o *overrideClient) Do(req *http.Request) (*http.Response, error) {
+	r2, _ := http.NewRequestWithContext(req.Context(), req.Method, o.baseURL+req.URL.Path, nil)
+	resp, err := o.base.Do(r2)
+	if err != nil {
+		return nil, err
+	}
+	// The api client reads the body, so re-serve whatever the test server returned.
+	return resp, nil
+}
+
+// verify Fake satisfies Client
+var _ Client = (*Fake)(nil)
+
+// ensure io.ReadAll isn't called at top level (compile-time reference suppressor)
+var _ = io.ReadAll

go/internal/io/fio/testdata/api_response.json

@@ -0,0 +1,29 @@
+{
+  "accountStatement": {
+    "transactionList": {
+      "transaction": [
+        {
+          "column0": {"value": "2026-04-10+0200", "name": "Datum", "id": 0},
+          "column1": {"value": 750.0, "name": "Objem", "id": 1},
+          "column2": {"value": "123456789/0300", "name": "Protiúčet", "id": 2},
+          "column4": {"value": "0308", "name": "KS", "id": 4},
+          "column5": {"value": "123", "name": "VS", "id": 5},
+          "column6": {"value": "", "name": "SS", "id": 6},
+          "column7": {"value": "Jana Nováková", "name": "Uživatelská identifikace", "id": 7},
+          "column10": {"value": "Jana Novakova", "name": "Název protiúčtu", "id": 10},
+          "column14": {"value": "CZK", "name": "Měna", "id": 14},
+          "column16": {"value": "duben 2026", "name": "Zpráva pro příjemce", "id": 16},
+          "column22": {"value": "12345678901", "name": "ID operace", "id": 22}
+        },
+        {
+          "column0": {"value": "2026-04-11+0200", "name": "Datum", "id": 0},
+          "column1": {"value": -200.0, "name": "Objem", "id": 1},
+          "column10": {"value": "Outgoing", "name": "Název protiúčtu", "id": 10},
+          "column14": {"value": "CZK", "name": "Měna", "id": 14},
+          "column16": {"value": "", "name": "Zpráva pro příjemce", "id": 16},
+          "column22": {"value": "99999999999", "name": "ID operace", "id": 22}
+        }
+      ]
+    }
+  }
+}

go/internal/io/fio/testdata/transparent.html

@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<body>
+<!-- First table (ignored) -->
+<table class="table"><tr><td>ignored</td></tr></table>
+<!-- Second table (target) -->
+<table class="table">
+  <thead>
+    <tr><th>Datum</th><th>Částka</th><th>Typ</th><th>Název protiúčtu</th><th>Zpráva</th><th>KS</th><th>VS</th><th>SS</th><th>Poznámka</th></tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>10.04.2026</td>
+      <td>750,00&nbsp;CZK</td>
+      <td>Příjem</td>
+      <td>Jana Novakova</td>
+      <td>duben 2026</td>
+      <td>0308</td>
+      <td>123</td>
+      <td></td>
+      <td></td>
+    </tr>
+    <tr>
+      <td>09.04.2026</td>
+      <td>-200,00&nbsp;CZK</td>
+      <td>Odchozí</td>
+      <td>Someone</td>
+      <td>outgoing</td>
+      <td></td>
+      <td></td>
+      <td></td>
+      <td></td>
+    </tr>
+  </tbody>
+</table>
+</body>
+</html>

go/internal/io/fio/transparent.go

@@ -0,0 +1,217 @@
+package fio
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"regexp"
+	"strings"
+	"time"
+	"unicode"
+
+	ghtml "golang.org/x/net/html"
+)
+
+// transparentClient fetches transactions from the Fio transparent account page (HTML).
+// Ports scripts/fio_utils.py FioTableParser + fetch_transactions_transparent.
+type transparentClient struct {
+	accountNum string
+	hc         httpDoer
+}
+
+func (c *transparentClient) FetchTransactions(ctx context.Context, from, to time.Time) ([]Transaction, error) {
+	// Transparent page date format: D.M.YYYY
+	url := fmt.Sprintf(
+		"https://ib.fio.cz/ib/transparent?a=%s&f=%s&t=%s",
+		c.accountNum,
+		from.Format("2.1.2006"),
+		to.Format("2.1.2006"),
+	)
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := c.hc.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("fio transparent: HTTP %d", resp.StatusCode)
+	}
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, err
+	}
+	return parseTransparentHTML(body)
+}
+
+// Column indices in the transparent-page table (0-based).
+// Datum | Částka | Typ | Název protiúčtu | Zpráva pro příjemce | KS | VS | SS | Poznámka
+const (
+	tColDate    = 0
+	tColAmount  = 1
+	tColSender  = 3
+	tColMessage = 4
+	tColKS      = 5
+	tColVS      = 6
+	tColSS      = 7
+)
+
+func parseTransparentHTML(body []byte) ([]Transaction, error) {
+	rows := extractSecondTableRows(body)
+
+	var txns []Transaction
+	for _, row := range rows {
+		col := func(i int) string {
+			if i < len(row) {
+				return strings.TrimSpace(row[i])
+			}
+			return ""
+		}
+		dateStr := parseCzechDate(col(tColDate))
+		amount := parseCzechAmount(col(tColAmount))
+		if dateStr == "" || amount <= 0 {
+			continue
+		}
+		txns = append(txns, Transaction{
+			Date:    dateStr,
+			Amount:  amount,
+			Sender:  col(tColSender),
+			Message: col(tColMessage),
+			KS:      col(tColKS),
+			VS:      col(tColVS),
+			SS:      col(tColSS),
+			BankID:  "", // not available on HTML path
+		})
+	}
+	return txns, nil
+}
+
+// extractSecondTableRows walks the HTML token stream and returns data rows
+// from the second <table class="table"> element, skipping the <thead>.
+func extractSecondTableRows(body []byte) [][]string {
+	z := ghtml.NewTokenizer(strings.NewReader(string(body)))
+
+	tableCount := 0
+	inTarget := false
+	inThead := false
+	inRow := false
+	inCell := false
+	var currentRow []string
+	var cellBuf strings.Builder
+	var rows [][]string
+
+	for {
+		tt := z.Next()
+		if tt == ghtml.ErrorToken {
+			break
+		}
+		switch tt {
+		case ghtml.StartTagToken:
+			t := z.Token()
+			switch t.Data {
+			case "table":
+				if hasClass(t, "table") {
+					tableCount++
+					if tableCount == 2 {
+						inTarget = true
+					}
+				}
+			case "thead":
+				if inTarget {
+					inThead = true
+				}
+			case "tr":
+				if inTarget && !inThead {
+					inRow = true
+					currentRow = nil
+				}
+			case "td", "th":
+				if inRow {
+					inCell = true
+					cellBuf.Reset()
+				}
+			}
+		case ghtml.EndTagToken:
+			t := z.Token()
+			switch t.Data {
+			case "td", "th":
+				if inCell {
+					currentRow = append(currentRow, cellBuf.String())
+					inCell = false
+				}
+			case "thead":
+				inThead = false
+			case "tr":
+				if inRow {
+					if len(currentRow) > 0 {
+						rows = append(rows, currentRow)
+					}
+					inRow = false
+				}
+			case "table":
+				if inTarget {
+					return rows
+				}
+			}
+		case ghtml.TextToken:
+			if inCell {
+				cellBuf.WriteString(z.Token().Data)
+			}
+		}
+	}
+	return rows
+}
+
+func hasClass(t ghtml.Token, cls string) bool {
+	for _, a := range t.Attr {
+		if a.Key == "class" {
+			for _, c := range strings.Fields(a.Val) {
+				if c == cls {
+					return true
+				}
+			}
+		}
+	}
+	return false
+}
+
+// parseCzechDate parses "DD.MM.YYYY" or "DD/MM/YYYY" → "YYYY-MM-DD".
+// Returns "" on parse error.
+func parseCzechDate(s string) string {
+	s = strings.TrimSpace(s)
+	for _, layout := range []string{"02.01.2006", "02/01/2006"} {
+		if t, err := time.Parse(layout, s); err == nil {
+			return t.Format("2006-01-02")
+		}
+	}
+	return ""
+}
+
+var nonNumericRe = regexp.MustCompile(`[^\d.,]`)
+
+// parseCzechAmount parses "1 500,00 CZK" / "1.500,00" / "1500.00" → float64.
+// Returns 0 on error.
+func parseCzechAmount(s string) float64 {
+	// Remove NBSP, regular spaces, currency letters
+	s = strings.Map(func(r rune) rune {
+		if r == ' ' || unicode.IsSpace(r) || unicode.IsLetter(r) {
+			return -1
+		}
+		return r
+	}, s)
+
+	if strings.Contains(s, ",") {
+		// Czech decimal: 1.500,00 → remove dots (thousand sep), comma → dot
+		s = strings.ReplaceAll(s, ".", "")
+		s = strings.ReplaceAll(s, ",", ".")
+	} else {
+		// Remove any remaining non-numeric except one dot
+		s = nonNumericRe.ReplaceAllString(s, "")
+	}
+	var f float64
+	_, _ = fmt.Sscanf(s, "%f", &f)
+	return f
+}