ci/security/test: automated audit fixes for QuantRuntimeSettings #138
🤖 Codex PR Review: Please ensure a human reviewer checks this PR before merging.

💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8252da14d0
| - schwab | ||
| - firstrade | ||
| - qmt | ||
| - binance |
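Review bot: adding `binance` to this choices list makes the platform dispatchable from the workflow, but nothing in these lines ties the list to what `build_runtime_switch.py` actually accepts; since this same PR fixes the builder's Binance scope/service/dry-run mappings, consider a unit test under `python/tests` that iterates over every value in this choices list and asserts the builder has a variable mapping and DCA handling for it, so the next platform added here cannot again diverge from the builder.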
Keep Binance DCA dispatch compatible with the builder
Adding `binance` here makes the console/manual workflow able to dispatch Binance switches, but the UI/backend config already advertises Binance DCA support (`DCA_SUPPORTED_PLATFORMS` includes `binance` and `crypto_btc_dca` has DCA defaults). For a Binance `crypto_btc_dca` switch with DCA controls, the workflow reaches `build_runtime_switch.py`, whose `DCA_PROFILES` still only includes the two US DCA profiles, so it exits with "DCA settings are only supported for DCA strategy profiles" before applying anything. Please either add the crypto DCA profile to the builder's DCA support or don't expose Binance until that path is handled.
| "cn_industry_etf_rotation": { | ||
| "label": "A股行业ETF轮动", | ||
| "label_en": "CN Industry ETF Rotation", | ||
| "domain": "cn_equity", | ||
| "runtime_enabled": true, |
Mirror CN profile in frontend fallback catalog
Adding this QMT default profile to the generated catalog still leaves the checked-in browser fallback catalog incomplete: `refreshStrategyProfiles()` falls back to `defaultStrategyProfiles` in `app.js` whenever `/api/strategy-profiles` is unavailable, and that array still omits `cn_industry_etf_rotation`. In that API-failure/offline path the QMT default profile remains unavailable and the console falls back to another CN strategy, so please add this profile to the frontend fallback asset as well.
Summary

Automated audit fixes for QuantRuntimeSettings focused on runtime-switch configuration consistency, generated asset idempotency, Python quality checks, and deployment workflow hardening.

Problems found

- `platform-config.json` referenced default strategy profiles that were missing from the generated strategy catalog (`binance` and QMT conservative ETF profile path).
- `build_runtime_switch.py` treated `binance` as a supported platform via shared runtime settings, but lacked default scope/service/dry-run variable mappings, so Binance manual switch builds could fail.
- `manual-strategy-switch.yml` did not expose `binance` in the workflow input choices and missed QMT/Binance repo override variables.
- `inject_platform_config.py` was not idempotent: repeated generation accumulated duplicate `Generated by inject_platform_config.py` comments in `index.html`/`page_asset.js`.
- `continue-on-error: true`.
- `wrangler@latest`.
- `ruff check python` reported existing Python style/unused-variable issues.

Fixes applied

- `BINANCE_DRY_RUN`, and empty service-name default.
- `binance` to manual switch workflow choices and added QMT/Binance repository override env vars.
- `crypto_equity_combo`.
- `cn_industry_etf_rotation` profile to `platform-config.json` and regenerated strategy assets.
- `inject_platform_config.py` replace the whole generated block idempotently.
- `continue-on-error` and pinned Wrangler to `4.106.0`.
- `ruff format` and removed the unused variable flagged by `ruff`.

Security impact

- `latest`.

Architecture impact

- `platform-config.json`, generated assets, and manual switch workflow choices.

Tests run

- `uv venv .venv --python 3.12`
- `uv pip check --python .venv/bin/python`
- `.venv/bin/python python/scripts/build_config.py --check`
- `.venv/bin/python python/scripts/runtime_settings.py validate`
- `.venv/bin/python -m unittest discover -s python/tests -v` (58 tests passed)
- `.venv/bin/python python/scripts/check_internal_dependency_matrix.py --projects-root .. --json --strict --require-consumer-files`
- `/usr/local/opt/node@22/bin/node --experimental-default-type=module tests/strategy_switch_worker_validation.mjs`
- `/usr/local/opt/node@22/bin/node --test tests/*.js tests/*.mjs` (2 test files passed; JS test script reports 125 internal assertions passed)
- `uvx ruff check python`
- `uvx ruff format --check python`
- `actionlint`
- `uvx pip-audit --path .venv`
- `uv build python`
- `git diff --check`
- `TOTAL=0` `build_platform_config.py` + `inject_platform_config.py` + `sync_strategy_switch_page_asset.py` kept the generated diff hash unchanged

Failed or skipped checks with reasons

- `bash python/shell/checkout_internal_dependency_consumers.sh --output-root ..` was not completed locally because macOS `/bin/bash` is 3.2 and lacks `mapfile`; CI Ubuntu bash should cover this path. The Python matrix check was run directly against local consumer checkouts and passed.
- `npm audit` was not applicable: this repository has no `package.json` or Node lockfile.
- `MODULE_TYPELESS_PACKAGE_JSON` during Worker module tests; this is an existing warning and did not fail tests.

Deployment notes

- `main` because Worker/config assets changed. It remains protected by the `runtime-strategy-switch` environment.
- `wrangler deploy`.

Rollback plan

- `main` commit or revert this PR and let the protected deploy workflow run again.

Manual follow-up checklist

- `crypto_btc_dca`; this PR only fixes the currently broken default/dispatch path.
- `runtime-strategy-switch` environment secrets/approvals remain least-privilege before any production deploy.
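As an added illustration of the `inject_platform_config.py` idempotency problem listed under Problems found and Fixes applied (example code written for this review, not the project's own script), the following contrasts an append-style generator, which accumulates duplicate generated blocks on every run, with one that replaces the whole marker-delimited region and so converges after one run, checked the same way the PR body does, by hashing the regenerated asset. The marker strings, `SAMPLE_PAGE` and the helper names are assumptions.

```python
import hashlib
import re

# Constructed markers: the real inject_platform_config.py markers are not shown on the page.
BEGIN = "<!-- BEGIN platform-config (Generated by inject_platform_config.py) -->"
END = "<!-- END platform-config -->"
_BLOCK_RE = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.DOTALL)
# Constructed sample page standing in for the generated index.html.
SAMPLE_PAGE = "<html><body><h1>Console</h1>\n</body></html>\n"

def render_block(config_json: str) -> str:
    """Render the generated region once, markers included."""
    script = f'<script id="platform-config" type="application/json">{config_json}</script>'
    return f"{BEGIN}\n{script}\n{END}"

def inject_append(page: str, config_json: str) -> str:
    """Non-idempotent pattern: every run appends one more generated block."""
    return page.rstrip("\n") + "\n" + render_block(config_json) + "\n"

def inject_replace(page: str, config_json: str) -> str:
    """Idempotent pattern: replace the whole marked region instead of appending.
    Stale duplicates left by earlier append-style runs are dropped too, so the
    output converges after one run."""
    block = render_block(config_json)
    matches = list(_BLOCK_RE.finditer(page))
    if not matches:
        return page.rstrip("\n") + "\n" + block + "\n"
    first = matches[0]
    head = page[: first.start()] + block
    tail = _BLOCK_RE.sub("", page[first.end():])  # drop any duplicates after the first
    return head + tail

def count_generated_blocks(page: str) -> int:
    return len(_BLOCK_RE.findall(page))

def content_hash(page: str) -> str:
    """Digest used to confirm regeneration leaves the asset byte-for-byte unchanged."""
    return hashlib.sha256(page.encode("utf-8")).hexdigest()

def regeneration_is_stable(page: str, config_json: str, runs: int = 3) -> bool:
    """True when repeated inject_replace runs keep the same hash after the first."""
    page = inject_replace(page, config_json)
    first_hash = content_hash(page)
    for _ in range(runs - 1):
        page = inject_replace(page, config_json)
        if content_hash(page) != first_hash:
            return False
    return True
```

A generator that passes `regeneration_is_stable` can be run unconditionally in CI, and a changed hash on rerun then points at a real config change rather than accumulated debris.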