This change set introduces a versioned result contract, shared config schema/loading, provider/data adapter seams, and a no-strategy application-service skeleton so the current research graph, orchestrator layer, and dashboard backend stop drifting further apart. It also keeps the earlier MiniMax compatibility and compact-prompt work aligned with the new contract shape and extends regression coverage so degradation, fallback, and service migration remain testable during the next phases.
Constraint: Must preserve existing FastAPI entrypoints and fallback behavior while introducing an application-service seam
Constraint: Must not turn application service into a new strategy or learning layer
Rejected: Full backend rewrite to service-only execution now | too risky before contract and fallback paths stabilize
Rejected: Leave provider/data/config logic distributed across scripts and endpoints | continues boundary drift and weakens verification
Confidence: high
Scope-risk: broad
Directive: Keep future application-service changes orchestration-only; move any scoring, signal fusion, or learning logic to orchestrator or tradingagents instead
Tested: python -m compileall orchestrator tradingagents web_dashboard/backend
Tested: python -m pytest orchestrator/tests/test_signals.py orchestrator/tests/test_llm_runner.py orchestrator/tests/test_quant_runner.py orchestrator/tests/test_contract_v1alpha1.py orchestrator/tests/test_application_service.py orchestrator/tests/test_provider_adapter.py web_dashboard/backend/tests/test_main_api.py web_dashboard/backend/tests/test_portfolio_api.py web_dashboard/backend/tests/test_api_smoke.py web_dashboard/backend/tests/test_services_migration.py -q
Not-tested: live MiniMax/provider execution against external services
Not-tested: full dashboard/manual websocket flow against a running frontend
Not-tested: omx team runtime end-to-end in the primary workspace
* fix: add API key auth, pagination, and configurable CORS to dashboard API
Security hardening:
- API key authentication via X-API-Key header on all endpoints
(opt-in: set DASHBOARD_API_KEY or ANTHROPIC_API_KEY env var to enable)
If no key is set, endpoints remain open (backward-compatible)
- WebSocket auth via ?api_key= query parameter
- CORS now configurable via CORS_ORIGINS env var (default: allow all)
Pagination (all list endpoints):
- GET /api/reports/list — limit/offset with total count
- GET /api/portfolio/recommendations — limit/offset with total count
- DEFAULT_PAGE_SIZE=50, MAX_PAGE_SIZE=500
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* test: add tests for critical security fixes in dashboard API
- remove_position: empty position_id must be rejected (mass deletion fix)
- get_recommendation: path traversal blocked for ticker/date inputs
- get_recommendations: pagination limit/offset works correctly
- Named constants verified: semaphore, pagination, retry values
- API key auth: logic tested for both enabled/disabled states
- _auth_error helper exists for 401 responses
15 tests covering: mass deletion, path traversal (2 vectors),
pagination, auth logic, magic number constants
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
陈少杰
Shaojie