1. main.py: move API key validation before task state creation —
prevents phantom "running" tasks when ANTHROPIC_API_KEY is missing
2. portfolio.py: make get_positions() async and fetch yfinance prices
concurrently via run_in_executor — no longer blocks event loop
3. portfolio.py: add fcntl.LOCK_EX around all JSON read-modify-write
operations on watchlist.json and positions.json — eliminates TOCTOU
lost-write races under concurrent requests
4. main.py: use tempfile.mkstemp with mode 0o600 instead of world-
readable /tmp/analysis_{task_id}.py — script content no longer
exposed to other users on shared hosts
Also: remove unused UploadFile/File imports, undefined _save_to_cache
function, dead code in _delete_task_status, and unused
get_or_create_default_account helper.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
New backend:
- api/portfolio.py: watchlist CRUD, positions with live P&L, recommendations
- POST /api/portfolio/analyze: batch analysis of watchlist tickers
- GET /api/portfolio/positions: live price from yfinance + unrealized P&L
New frontend:
- PortfolioPanel.jsx with 3 tabs: 自选股 / 持仓 / 今日建议
- portfolioApi.js service
- Route /portfolio (keyboard shortcut: 5)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
陈少杰