Merged
Thorough audit covering authentication, JWT, CORS, data parsing, floating-point precision, dependency management, and API security. Identifies 5 high, 8 medium, and 6 low severity findings with specific remediation recommendations. https://claude.ai/code/session_016BuMfGe7JFazCAYJZKmors
Adds HDR-1 (medium severity): the FastAPI app has no middleware for standard security headers like X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security. https://claude.ai/code/session_016BuMfGe7JFazCAYJZKmors
HIGH severity fixes:
- Add 10 MB upload size limit to prevent OOM in trade_service.py
- Use Numeric(18,8) columns instead of Float for money fields in trade model
- Fix cumulative PnL drift by using Decimal accumulation in pnl.py
- Generate random ephemeral SECRET_KEY in dev mode instead of using predictable default (production still requires explicit env var)

MEDIUM severity fixes:
- Add SecurityHeadersMiddleware (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, HSTS, X-XSS-Protection, Permissions-Policy)
- Add rate limiter key eviction (bounded at 10k keys) with docs noting single-process limitation
- Restrict CORS allow_methods/allow_headers to actual values used
- Increase minimum password length from 6 to 8 characters
- Fix Manifold _get_user_id: handle missing 'id' in API response gracefully instead of uncaught KeyError
- Add logging to Kalshi normalize_trade parse errors instead of silent swallowing
- Add Pydantic field constraints (ge/le/min_length/max_length) to TradeBase schema
- Require authentication on /trades/providers endpoint

LOW severity fixes:
- Unify infinity cap to shared INF_CAP constant (999999.99) across trade_loader.py and metrics.py
- Extract USDC_DECIMALS constant in limitless.py and trade_loader.py
- Clear Kalshi private key from memory after fetch_trades completes
- Remove Polymarket wallet address from log messages

All 370 non-mcp tests pass (6 pre-existing mcp import failures unchanged).

https://claude.ai/code/session_016BuMfGe7JFazCAYJZKmors
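The bounded key table mentioned in the rate limiter fix above can be sketched as follows. This is an added example, not the project's code: the class name, the sliding-window policy and the evict-expired-then-LRU order are assumptions; only the 10k bound comes from the commit message.

```python
import time
from collections import OrderedDict, deque

MAX_KEYS = 10_000  # bound stated in the commit message


class BoundedRateLimiter:
    """Sliding-window limiter whose key table cannot grow without bound."""

    def __init__(self, limit, window_s, max_keys=MAX_KEYS, clock=time.monotonic):
        self.limit, self.window_s, self.max_keys = limit, window_s, max_keys
        self.clock = clock  # injectable so the window can be tested
        self._hits = OrderedDict()  # key -> deque of hit times, in LRU order

    def allow(self, key):
        now = self.clock()
        hits = self._hits.get(key)
        if hits is None:
            self._evict(now)  # make room before admitting a new key
            hits = self._hits[key] = deque()
        else:
            self._hits.move_to_end(key)  # mark as most recently used
        # Drop timestamps that have fallen out of the window.
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True

    def _evict(self, now):
        """Free a slot: expired entries first, then least recently used."""
        if len(self._hits) < self.max_keys:
            return
        for k in [k for k, h in self._hits.items()
                  if not h or now - h[-1] >= self.window_s]:
            del self._hits[k]
        while len(self._hits) >= self.max_keys:
            self._hits.popitem(last=False)

    def __len__(self):
        return len(self._hits)
```

Evicting a key forgets its count, so the bound should sit well above the expected number of concurrently active clients. The table lives in one process, which is the single-process limitation the commit notes.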
- ARCHITECTURE.md: Add Security Architecture section with rate limiting, security headers, CORS, auth, upload protection, credential handling, and numeric precision invariants. Update PnL, trade loader, and FastAPI sections with new security/precision details.
- README.md: Note security headers and auth on all endpoints.
- TUTORIAL.md: Fix endpoint names (signup not register), update password requirement to 8 chars, note 10 MB upload limit, note providers endpoint now requires auth, add SECRET_KEY production guidance.
- INSTALL.md: Add SECRET_KEY env var documentation with generation command, explain dev vs production behavior.
- .env.example: Replace hardcoded SECRET_KEY with commented-out placeholder and generation instructions.
- SECURITY_AUDIT.md: Mark all 20 findings as resolved with details of each fix. Update executive summary with resolution status.

https://claude.ai/code/session_016BuMfGe7JFazCAYJZKmors
New files:
- CLAUDE.md: Coding agent guide with invariants, conventions, and quick reference
- CONTRIBUTING.md: Contributor guide with setup, code standards, and PR process
- CHANGELOG.md: v1.0.0 changelog documenting all features and security work
- Makefile: Common commands (test, lint, fmt, serve, mcp, gui, clean)
- Dockerfile + docker-compose.yml: Multi-stage build for API and MCP servers
- .github/workflows/ci.yml: GitHub Actions CI (test on 3.9-3.12, lint)
- .flake8: Flake8 configuration (line-length 100, per-file ignores)
- .claude/settings.json: SessionStart hook for auto-installing deps
- data/samples/: Sample trade data for all 4 providers
- tests/api/: 40 FastAPI integration tests (auth, trades, security, isolation)
- prediction_analyzer/py.typed + prediction_mcp/py.typed: PEP 561 markers

Modified files:
- pyproject.toml: Add cryptography to core deps, fix author/URLs, add black/mypy/pytest config, add dev deps (pytest-asyncio, httpx, mypy, stubs)
- prediction_analyzer/__init__.py: Fix author placeholder
- prediction_mcp/server.py: Add MCP resources (3 dynamic resources exposing session state) and prompts (3 templates: analyze_portfolio, compare_periods, daily_report)
- ARCHITECTURE.md: Document new MCP resources and prompts
- .gitignore: Add charts_output/ and .mypy_cache/

Bug fixes found during testing:
- auth_service.py: JWT 'sub' claim now encoded as string per RFC 7519 (PyJWT >=2.9 enforces this). decode_token parses it back to int.
- trades.py: JSON export uses default=str to handle Decimal from Numeric columns

All 612 tests pass (572 existing + 40 new API tests).

https://claude.ai/code/session_016BuMfGe7JFazCAYJZKmors
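The string-typed `sub` claim from the bug fix above, together with the ephemeral dev-mode SECRET_KEY from the earlier HIGH severity fix, shown as an added example that is not the project's code. It uses a standard-library HS256 implementation in place of PyJWT and omits `exp` handling; `load_secret_key`, `create_token`, the helper names and the `ENVIRONMENT` variable are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets


def load_secret_key(env):
    """Production must set SECRET_KEY; dev gets a random per-process key."""
    key = env.get("SECRET_KEY")
    if key:
        return key.encode()
    if env.get("ENVIRONMENT") == "production":  # hypothetical variable name
        raise RuntimeError("SECRET_KEY must be set in production")
    return secrets.token_bytes(32)  # ephemeral: tokens die with the process


def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def sign(key, signing_input):
    return b64(hmac.new(key, signing_input, hashlib.sha256).digest())


def create_token(key, user_id):
    header = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    # RFC 7519: "sub" is a StringOrURI, so the integer id is serialized.
    payload = b64(json.dumps({"sub": str(user_id)}).encode())
    signing_input = header + b"." + payload
    return (signing_input + b"." + sign(key, signing_input)).decode()


def decode_token(key, token):
    """Return the integer user id, or raise ValueError."""
    parts = token.encode().split(b".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    # The algorithm is fixed here; the header's "alg" is never trusted.
    if not hmac.compare_digest(sig, sign(key, header + b"." + payload)):
        raise ValueError("bad signature")
    sub = json.loads(unb64(payload)).get("sub")
    if not isinstance(sub, str) or not (sub.isascii() and sub.isdigit()):
        raise ValueError("sub must be a numeric string")
    return int(sub)
```

With an ephemeral key, every restart invalidates previously issued tokens, which is acceptable in development and is why production requires an explicit key.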
- Run black formatter on all 110 source files
- Make CI conditionally skip mcp extra on Python 3.9 (mcp requires >=3.10)
- Skip MCP tests on Python 3.9 in CI matrix

https://claude.ai/code/session_016BuMfGe7JFazCAYJZKmors
No description provided.