Commit Graph

140 Commits

Author SHA1 Message Date
Shaojie d9db22b1af ci: add GitHub Actions workflow for dashboard tests (#5)
- Backend: pytest on web_dashboard/backend/tests/
- Frontend: npm ci + lint on push/PR to dashboard paths
- Triggers on main, feat/**, fix/** branches

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-07 19:12:39 +08:00
Shaojie 7d8f7b5ae0 fix: add security tests + fix Header import (#4)
* fix: add API key auth, pagination, and configurable CORS to dashboard API

Security hardening:
- API key authentication via X-API-Key header on all endpoints
  (opt-in: set DASHBOARD_API_KEY or ANTHROPIC_API_KEY env var to enable)
  If no key is set, endpoints remain open (backward-compatible)
- WebSocket auth via ?api_key= query parameter
- CORS now configurable via CORS_ORIGINS env var (default: allow all)

Pagination (all list endpoints):
- GET /api/reports/list — limit/offset with total count
- GET /api/portfolio/recommendations — limit/offset with total count
- DEFAULT_PAGE_SIZE=50, MAX_PAGE_SIZE=500

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* test: add tests for critical security fixes in dashboard API

- remove_position: empty position_id must be rejected (mass deletion fix)
- get_recommendation: path traversal blocked for ticker/date inputs
- get_recommendations: pagination limit/offset works correctly
- Named constants verified: semaphore, pagination, retry values
- API key auth: logic tested for both enabled/disabled states
- _auth_error helper exists for 401 responses

15 tests covering: mass deletion, path traversal (2 vectors),
pagination, auth logic, magic number constants

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-07 19:01:02 +08:00
Shaojie 1cee59dd9f fix: add API key auth, pagination, and configurable CORS to dashboard API (#3)
Security hardening:
- API key authentication via X-API-Key header on all endpoints
  (opt-in: set DASHBOARD_API_KEY or ANTHROPIC_API_KEY env var to enable)
  If no key is set, endpoints remain open (backward-compatible)
- WebSocket auth via ?api_key= query parameter
- CORS now configurable via CORS_ORIGINS env var (default: allow all)

Pagination (all list endpoints):
- GET /api/reports/list — limit/offset with total count
- GET /api/portfolio/recommendations — limit/offset with total count
- DEFAULT_PAGE_SIZE=50, MAX_PAGE_SIZE=500

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-07 18:57:51 +08:00
Shaojie f19c1c012e feat(dashboard): web dashboard phase 1 - screening, analysis, portfolio (#2)
* feat(dashboard): apply Apple design system to all 4 pages

- Font: replace SF Pro with DM Sans (web-available) throughout
- Typography: consistent DM Sans stack, monospace data display
- ScreeningPanel: add horizontal scroll for mobile, fix stat card hover
- AnalysisMonitor: Apple progress bar, stage pills, decision badge
- BatchManager: add copy-to-clipboard for task IDs, fix error tooltip truncation, add CTA to empty state
- ReportsViewer: Apple-styled modal, search bar consistency
- Keyboard: add Escape to close modals
- CSS: progress bar ease-out, sidebar collapse button icon-only mode

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(dashboard): secure API key handling and add stage progress streaming

- Pass ANTHROPIC_API_KEY via env dict instead of CLI args (P1 security fix)
- Add monitor_subprocess() coroutine with fcntl non-blocking reads
- Inject STAGE markers (analysts/research/trading/risk/portfolio) into script stdout
- Update task stage state and broadcast WebSocket progress at each stage boundary
- Add asyncio.Event for monitor cancellation on task completion/cancel

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(dashboard): persist task state to disk for restart recovery

- Add TASK_STATUS_DIR for task state JSON files
- Lifespan startup: restore task states from disk
- Task completion/failure: write state to disk
- Task cancellation: delete persisted state

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(dashboard): correct stage key mismatch, add created_at, persist cancelled tasks

- Fix ANALYSIS_STAGES key 'trader' → 'trading' to match backend STAGE markers
- Add created_at field to task state at creation, sort list_tasks by it
- Persist task state before broadcast in cancel path (closes restart race)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(dashboard): add portfolio panel - watchlist, positions, and recommendations

New backend:
- api/portfolio.py: watchlist CRUD, positions with live P&L, recommendations
- POST /api/portfolio/analyze: batch analysis of watchlist tickers
- GET /api/portfolio/positions: live price from yfinance + unrealized P&L

New frontend:
- PortfolioPanel.jsx with 3 tabs: 自选股 / 持仓 / 今日建议
- portfolioApi.js service
- Route /portfolio (keyboard shortcut: 5)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* feat(dashboard): add CSV and PDF report export

- GET /api/reports/export: CSV with ticker,date,decision,summary
- GET /api/reports/{ticker}/{date}/pdf: PDF via fpdf2 with DejaVu fonts
- ReportsViewer: CSV export button + PDF export in modal footer

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(dashboard): address 4 critical issues found in pre-landing review

1. main.py: move API key validation before task state creation —
   prevents phantom "running" tasks when ANTHROPIC_API_KEY is missing
2. portfolio.py: make get_positions() async and fetch yfinance prices
   concurrently via run_in_executor — no longer blocks event loop
3. portfolio.py: add fcntl.LOCK_EX around all JSON read-modify-write
   operations on watchlist.json and positions.json — eliminates TOCTOU
   lost-write races under concurrent requests
4. main.py: use tempfile.mkstemp with mode 0o600 instead of world-
   readable /tmp/analysis_{task_id}.py — script content no longer
   exposed to other users on shared hosts

Also: remove unused UploadFile/File imports, undefined _save_to_cache
function, dead code in _delete_task_status, and unused
get_or_create_default_account helper.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(dashboard): use secure temp file for batch analysis scripts

Batch portfolio analysis was writing scripts to /tmp with default
permissions (0o644), exposing the API key to other local users.
Switch to tempfile.mkstemp + chmod 0o600, matching the single-analysis
pattern. Also fix cancel_task cleanup to use glob patterns for
tempfile-generated paths.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(dashboard): remove fake fallback data from ReportsViewer

ReportsViewer showed fabricated Chinese text when a report failed to load,
making fake data appear indistinguishable from real analysis. Now shows
an error message instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(dashboard): reliability fixes - cross-platform PDF fonts, API timeouts, yfinance concurrency, retry logic

- PDF: try multiple DejaVu font paths (macOS + Linux) instead of hardcoded macOS
- Frontend: add 15s AbortController timeout to all API calls + proper error handling
- yfinance: cap concurrent price fetches at 5 via asyncio.Semaphore
- Batch analysis: retry failed stock analyses up to 2x with exponential backoff

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: resolve 4 critical security/correctness bugs in web dashboard

1. Mass position deletion (portfolio.py): remove_position now rejects
   empty position_id — previously position_id="" matched all positions
   and deleted every holding for a ticker across ALL accounts.

2. Path traversal in get_recommendation (portfolio.py): added ticker/date
   validation (no ".." or path separators) + resolved-path check against
   RECOMMENDATIONS_DIR to prevent ../../etc/passwd attacks.

3. Path traversal in get_report_content (main.py): same ticker/date
   validation + resolved-path check against get_results_dir().

4. china_data import stub (interface.py + new china_data.py): the actual
   akshare implementation lives in web_dashboard/backend/china_data.py
   (different package); tradingagents/dataflows/china_data.py was missing
   entirely, so _china_data_available was always False. Added stub file
   and AttributeError to the import exception handler so the module
   gracefully degrades instead of silently hiding the missing vendor.

Magic numbers also extracted to named constants:
- MAX_RETRY_COUNT, RETRY_BASE_DELAY_SECS (main.py)
- MAX_CONCURRENT_YFINANCE_REQUESTS (portfolio.py)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-07 18:52:56 +08:00
Shaojie 09ec174049 feat(web-dashboard): connect frontend to real backend API (Phase 1) (#1)
* fix(qa): ISSUE-001 — misleading empty state message in ScreeningPanel

When API returns 0 results, show '未找到符合条件的股票' instead of
'请先选择筛选模式并刷新' which implied no filtering had been done.

Issue found by /qa on main branch

* feat(web-dashboard): connect frontend to real backend API

Phase 1: Stabilize dashboard by connecting mock data to real backend.

Backend:
- Add GET /api/analysis/tasks endpoint for BatchManager
- Fix subprocess cancellation (poll() → returncode)
- Use sys.executable instead of hardcoded env312 path
- Move API key validation before storing task state (no phantom tasks)

Frontend:
- ScreeningPanel: handleStartAnalysis calls POST /api/analysis/start
- AnalysisMonitor: real WebSocket connection via useSearchParams + useRef
- BatchManager: polls GET /api/analysis/tasks, fixed retry button
- All mock data removed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-06 17:47:46 +08:00
Yijia-Xiao 10c136f49c feat: add Docker support for cross-platform deployment 2026-04-04 08:14:01 +00:00
Yijia-Xiao 4f965bf46a feat: dynamic OpenRouter model selection with search (#482, #337) 2026-04-04 07:56:44 +00:00
Yijia-Xiao bdb9c29d44 refactor: remove stale imports, use configurable results path (#499) 2026-04-04 07:35:35 +00:00
Yijia-Xiao bdc5fc62d3 chore: bump langchain-google-genai minimum to 4.0.0 for thought signature support 2026-04-04 07:28:03 +00:00
Yijia-Xiao 78fb66aed1 fix: normalize indicator names to lowercase (#490) 2026-04-04 07:23:31 +00:00
Yijia-Xiao 7269f877c1 fix: portfolio manager reads trader's proposal and research plan (#503) 2026-04-04 07:22:01 +00:00
Yijia-Xiao 28d5cc661f fix: add missing pandas import in y_finance.py (#488) 2026-04-04 07:14:10 +00:00
Yijia-Xiao 7004dfe554 fix: remove hardcoded Google endpoint that caused 404 (#493, #496) 2026-04-04 07:07:53 +00:00
Yijia-Xiao 4641c03340 TradingAgents v0.2.3 2026-03-29 19:50:46 +00:00
Yijia-Xiao e75d17bc51 chore: update model lists and defaults to GPT-5.4 family 2026-03-29 19:45:36 +00:00
Yijia-Xiao 6cddd26d6e feat: multi-language output support for analyst reports and final decision (#472) 2026-03-29 19:19:01 +00:00
Yijia Xiao c61242a28c Merge pull request #464 from CadeYu/sync-validator-models
sync model validation with cli catalog
2026-03-29 11:07:51 -07:00
Yijia-Xiao 58e99421bd fix: pass base_url to Google and Anthropic clients for proxy support (#427) 2026-03-29 17:59:52 +00:00
Yijia Xiao 46e1b600b8 Merge pull request #453 from javierdejesusda/fix/standardize-google-api-key
fix(llm_clients): standardize Google API key to unified api_key param
2026-03-29 10:54:28 -07:00
Yijia-Xiao ae8c8aebe8 fix: gracefully handle invalid indicator names in tool calls (#429) 2026-03-29 17:50:30 +00:00
Yijia-Xiao f3f58bdbdc fix: add yf_retry to yfinance news fetchers (#445) 2026-03-29 17:42:24 +00:00
Yijia-Xiao e1113880a1 fix: prevent look-ahead bias in backtesting data fetchers (#475) 2026-03-29 17:34:35 +00:00
CadeYu bd6a5b75b5 fix model catalog typing and known-model helper 2026-03-25 21:46:56 +08:00
CadeYu 8793336dad sync model validation with cli catalog 2026-03-25 21:23:02 +08:00
javierdejesusda 047b38971c refactor: simplify api_key mapping and consolidate tests
Apply review suggestions: use concise `or` pattern for API key
resolution, consolidate tests into parameterized subTest, move
import to module level per PEP 8.
2026-03-24 14:52:51 +01:00
javierdejesusda f5026009f9 fix(llm_clients): standardize Google API key to unified api_key param
GoogleClient now accepts the unified `api_key` parameter used by
OpenAI and Anthropic clients, mapping it to the provider-specific
`google_api_key` that ChatGoogleGenerativeAI expects. Legacy
`google_api_key` still works for backward compatibility.

Resolves TODO.md item #2 (inconsistent parameter handling).
2026-03-24 14:35:02 +01:00
Yijia-Xiao 589b351f2a TradingAgents v0.2.2 2026-03-22 23:47:56 +00:00
Yijia-Xiao 6c9c9ce1fd fix: set process-level UTF-8 default for cross-platform consistency 2026-03-22 23:42:37 +00:00
Yijia-Xiao b8b2825783 refactor: standardize portfolio manager, five-tier rating scale, fix analyst status tracking 2026-03-22 23:30:29 +00:00
Yijia-Xiao 318adda0c6 refactor: five-tier rating scale and streamlined agent prompts 2026-03-22 23:07:20 +00:00
Yijia Xiao c3ba3bf428 Merge pull request #413 from CadeYu/codex/exchange-qualified-tickers
fix: preserve exchange-qualified tickers across agent prompts
2026-03-22 15:36:14 -07:00
Yijia-Xiao 7cca9c924e fix: add exponential backoff retry for yfinance rate limits (#426) 2026-03-22 22:11:08 +00:00
Yijia-Xiao bd9b1e5efa feat: add Anthropic effort level support for Claude models
Add effort parameter (high/medium/low) for Claude 4.5+ and 4.6 models,
consistent with OpenAI reasoning_effort and Google thinking_level.
Also add content normalization for Anthropic responses.
2026-03-22 21:57:05 +00:00
Yijia-Xiao 77755f0431 chore: consolidate install, fix CLI portability, normalize LLM responses
- Point requirements.txt to pyproject.toml as single source of truth
- Resolve welcome.txt path relative to module for CLI portability
- Include cli/static files in package build
- Extract shared normalize_content for OpenAI Responses API and
  Gemini 3 list-format responses into base_client.py
- Update README install and CLI usage instructions
2026-03-22 21:38:01 +00:00
Yijia-Xiao 0b13145dc0 fix: handle list content when writing report sections
Closes #400
2026-03-22 20:40:18 +00:00
Yijia-Xiao 3ff28f3559 fix: use OpenAI Responses API for native models
Enable use_responses_api for native OpenAI provider, which supports
reasoning_effort with function tools across all model families.
Removes the UnifiedChatOpenAI subclass workaround.

Closes #403
2026-03-22 20:34:03 +00:00
CadeYu 7d200d834a style: inline single-use instrument context vars 2026-03-21 21:31:38 +08:00
CadeYu 08bfe70a69 fix: preserve exchange-qualified tickers across agent prompts 2026-03-21 21:10:13 +08:00
Yijia Xiao f362a160c3 Merge pull request #379 from yang1002378395-cmyk/fix-ssl-http-client-support
fix: add http_client support for SSL certificate customization
2026-03-15 16:53:04 -07:00
阳虎 64f07671b9 fix: add http_client support for SSL certificate customization
- Add http_client and http_async_client parameters to all LLM clients
- OpenAIClient, GoogleClient, AnthropicClient now support custom httpx clients
- Fixes SSL certificate verification errors on Windows Conda environments
- Users can now pass custom httpx.Client with verify=False or custom certs

Fixes #369
2026-03-16 07:41:20 +08:00
Yijia-Xiao b19c5c18fb docs: add v0.2.1 release note to README 2026-03-15 23:39:05 +00:00
Yijia-Xiao 551fd7f074 chore: update model lists, bump to v0.2.1, fix package build
- OpenAI: add GPT-5.4, GPT-5.4 Pro; remove o-series and legacy GPT-4o
- Anthropic: add Claude Opus 4.6, Sonnet 4.6; remove legacy 4.1/4.0/3.x
- Google: add Gemini 3.1 Pro, 3.1 Flash Lite; remove deprecated
  gemini-3-pro-preview and Gemini 2.0 series
- xAI: clean up model list to match current API
- Simplify UnifiedChatOpenAI GPT-5 temperature handling
- Add missing tradingagents/__init__.py (fixes pip install building)
2026-03-15 23:34:50 +00:00
Yijia-Xiao b0f9d180f9 fix: harden stock data parsing against malformed CSV and NaN values
Add _clean_dataframe() to normalize stock DataFrames before stockstats:
coerce invalid dates/prices, drop rows missing Close, fill price gaps.
Also add on_bad_lines="skip" to all cached CSV reads.
2026-03-15 18:29:43 +00:00
Yijia-Xiao 9cc283ac22 fix: add missing console import to cli/utils.py
Seven error-handling paths used console.print() but console was never
imported, causing NameError on invalid user input.
2026-03-15 18:21:05 +00:00
Yijia-Xiao fe9c8d5d31 fix: handle comma-separated indicators in get_indicators tool
LLMs (especially smaller models) sometimes pass multiple indicator
names as a single comma-separated string instead of making separate
tool calls. Split and process each individually at the tool boundary.
2026-03-15 18:05:36 +00:00
Yijia-Xiao eec6ca4b53 fix: initialize all debate state fields in propagation.py
InvestDebateState was missing bull_history, bear_history, judge_decision.
RiskDebateState was missing aggressive_history, conservative_history,
neutral_history, latest_speaker, judge_decision. This caused KeyError
in _log_state() and reflection, especially with edge-case config values.
2026-03-15 17:54:32 +00:00
Yijia-Xiao 3642f5917c fix: add explicit UTF-8 encoding to all file open() calls
Prevents UnicodeEncodeError on Windows where the default encoding
(cp1252/gbk) cannot handle Unicode characters in LLM output.

Closes #77, closes #114, closes #126, closes #215, closes #332
2026-03-15 16:44:23 +00:00
makk9 907bc8022a fix: pass debate round config to ConditionalLogic (#361)
* fix: pass max_debate_rounds and max_risk_discuss_rounds config to ConditionalLogic

* use config values
2026-03-15 09:31:59 -07:00
Yijia-Xiao 8a60662070 chore: remove unused chainlit dependency (CVE-2026-22218) 2026-03-15 16:16:42 +00:00
Yijia Xiao f047f26df0 Merge pull request #341 from Ljx-007/fix/risk-manager-fundamental-report
fix(risk_manager): use correct state key for fundamentals report
2026-02-24 16:28:56 -08:00