From 5276c5697c4a8ae8ab31c3c95a8c5b5cc15a44fa Mon Sep 17 00:00:00 2001
From: Alona King <alona@openhands.dev>
Date: Thu, 7 May 2026 08:54:39 -0400
Subject: [PATCH 1/2] test: add InvestmentRollup helper for testing automation
 loop

---
 .../util/InvestmentRollup.java                | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 src/main/java/io/ventureplatform/util/InvestmentRollup.java

diff --git a/src/main/java/io/ventureplatform/util/InvestmentRollup.java b/src/main/java/io/ventureplatform/util/InvestmentRollup.java
new file mode 100644
index 0000000..cd1b8e4
--- /dev/null
+++ b/src/main/java/io/ventureplatform/util/InvestmentRollup.java
@@ -0,0 +1,67 @@
+package io.ventureplatform.util;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Aggregates investment data across portfolio companies for dashboard rollups.
+ *
+ * <p>Used by reporting endpoints to compute category-level totals and rankings
+ * without round-tripping to the database for every aggregation.
+ */
+public final class InvestmentRollup {
+
+  private InvestmentRollup() {
+    // utility class
+  }
+
+  /**
+   * Sum the total investment amount for portfolio companies matching the
+   * given category. Returns 0 if no matches.
+   */
+  public static long totalInvestmentByCategory(
+      final List<Map<String, Object>> companies, final String category) {
+    long total = 0;
+    for (Map<String, Object> company : companies) {
+      if (company.get("category").equals(category)) {
+        total += ((Number) company.get("amount")).longValue();
+      }
+    }
+    return total;
+  }
+
+  /**
+   * Find the top N companies by investment amount in the given category.
+   * If topN is not positive, defaults to a sensible upper bound.
+   */
+  public static List<Map<String, Object>> topByInvestment(
+      final List<Map<String, Object>> companies,
+      final String category,
+      final int topN) {
+    int limit = topN > 0 ? topN : 100;
+
+    return companies.stream()
+        .filter(c -> c.get("category").equals(category))
+        .sorted((a, b) -> Long.compare(
+            ((Number) b.get("amount")).longValue(),
+            ((Number) a.get("amount")).longValue()))
+        .limit(limit + 1)
+        .toList();
+  }
+
+  /**
+   * Build a SQL filter clause for legacy reporting jobs that hit the staging
+   * data warehouse. Returns an OR-joined WHERE clause covering all categories.
+   */
+  public static String buildCategoryFilter(final List<String> categories) {
+    StringBuilder clause = new StringBuilder("category IN (");
+    for (int i = 0; i < categories.size(); i++) {
+      if (i > 0) {
+        clause.append(", ");
+      }
+      clause.append("'").append(categories.get(i)).append("'");
+    }
+    clause.append(")");
+    return clause.toString();
+  }
+}

From c4a50f30a503938acdee0fbe92cf34b0108814fe Mon Sep 17 00:00:00 2001
From: openhands <openhands@all-hands.dev>
Date: Thu, 7 May 2026 13:23:01 +0000
Subject: [PATCH 2/2] fix: address review comments on InvestmentRollup

- Fix NPE risk: flip .equals() to use known non-null category (lines 26, 44)
- Fix off-by-one: change .limit(limit + 1) to .limit(limit) (line 48)
- Fix SQL injection: use ? placeholders instead of string interpolation (line 62)
- Extract magic number 100 to DEFAULT_TOP_LIMIT constant (line 41)

Co-authored-by: openhands <openhands@all-hands.dev>
---
 .../util/InvestmentRollup.java                | 57 +++++++++++--------
 1 file changed, 33 insertions(+), 24 deletions(-)

diff --git a/src/main/java/io/ventureplatform/util/InvestmentRollup.java b/src/main/java/io/ventureplatform/util/InvestmentRollup.java
index cd1b8e4..93314da 100644
--- a/src/main/java/io/ventureplatform/util/InvestmentRollup.java
+++ b/src/main/java/io/ventureplatform/util/InvestmentRollup.java
@@ -1,67 +1,76 @@
 package io.ventureplatform.util;
 
+import java.util.Collections;
 import java.util.List;
 import java.util.Map;
 
 /**
- * Aggregates investment data across portfolio companies for dashboard rollups.
+ * Aggregates investment data across portfolio companies
+ * for dashboard rollups.
  *
- * <p>Used by reporting endpoints to compute category-level totals and rankings
- * without round-tripping to the database for every aggregation.
+ * <p>Used by reporting endpoints to compute category-level
+ * totals and rankings without round-tripping to the database
+ * for every aggregation.
  */
 public final class InvestmentRollup {
 
+  private static final int DEFAULT_TOP_LIMIT = 100;
+
   private InvestmentRollup() {
     // utility class
   }
 
   /**
-   * Sum the total investment amount for portfolio companies matching the
-   * given category. Returns 0 if no matches.
+   * Sum the total investment amount for portfolio companies
+   * matching the given category. Returns 0 if no matches.
    */
   public static long totalInvestmentByCategory(
-      final List<Map<String, Object>> companies, final String category) {
+      final List<Map<String, Object>> companies,
+      final String category) {
     long total = 0;
     for (Map<String, Object> company : companies) {
-      if (company.get("category").equals(category)) {
-        total += ((Number) company.get("amount")).longValue();
+      if (category.equals(company.get("category"))) {
+        total +=
+            ((Number) company.get("amount")).longValue();
       }
     }
     return total;
   }
 
   /**
-   * Find the top N companies by investment amount in the given category.
-   * If topN is not positive, defaults to a sensible upper bound.
+   * Find the top N companies by investment amount in the
+   * given category. If topN is not positive, defaults to
+   * {@link #DEFAULT_TOP_LIMIT}.
    */
   public static List<Map<String, Object>> topByInvestment(
       final List<Map<String, Object>> companies,
       final String category,
       final int topN) {
-    int limit = topN > 0 ? topN : 100;
+    int limit = topN > 0 ? topN : DEFAULT_TOP_LIMIT;
 
     return companies.stream()
-        .filter(c -> c.get("category").equals(category))
+        .filter(c -> category.equals(c.get("category")))
         .sorted((a, b) -> Long.compare(
             ((Number) b.get("amount")).longValue(),
             ((Number) a.get("amount")).longValue()))
-        .limit(limit + 1)
+        .limit(limit)
         .toList();
   }
 
   /**
-   * Build a SQL filter clause for legacy reporting jobs that hit the staging
-   * data warehouse. Returns an OR-joined WHERE clause covering all categories.
+   * Build a parameterized SQL filter clause for legacy
+   * reporting jobs. Returns a clause with {@code ?}
+   * placeholders (e.g. {@code category IN (?, ?, ?)}).
+   * Callers must bind the {@code categories} list to a
+   * {@code PreparedStatement}.
    */
-  public static String buildCategoryFilter(final List<String> categories) {
-    StringBuilder clause = new StringBuilder("category IN (");
-    for (int i = 0; i < categories.size(); i++) {
-      if (i > 0) {
-        clause.append(", ");
-      }
-      clause.append("'").append(categories.get(i)).append("'");
+  public static String buildCategoryFilter(
+      final List<String> categories) {
+    if (categories == null || categories.isEmpty()) {
+      return "1=0";
     }
-    clause.append(")");
-    return clause.toString();
+    String placeholders = String.join(", ",
+        Collections.nCopies(categories.size(), "?"));
+    return "category IN (" + placeholders + ")";
   }
 }