fix: resolve mypy type errors and Trivy CVEs

MyPy (execution critical path):
- microstructure_pipeline: align FillEvent kwargs with dataclass fields
  (filled_qty/avg_fill_price, not quantity/fill_price/commission)
- signal_cache: guard _conn None-check before .execute() call
- portfolio_state: handle fetchone() returning tuple|None on all three
  COALESCE query callsites
- paper_broker: import PortfolioState explicitly (was forward ref);
  type params as list[str|int] to accept the int LIMIT arg
- paper_trading: use Timeframe.D1 enum (not str "1D"); use start_date=
  kwarg; assert fill_price/fill_timestamp non-None before PaperPosition

pyproject.toml:
- torch>=2.6.0: fixes CVE-2025-32434 (CRITICAL), CVE-2024-31580, CVE-2024-31583
- wheel>=0.46.2 in build-system: fixes CVE-2026-24049
- jaraco.context>=6.1.0 via uv constraint: fixes CVE-2026-23949
- types-PyYAML added to dev deps (mypy stubs for risk_gate.py yaml import)

Dockerfile:
- EXTRA_CA_CERT build-arg for local corporate proxy (Zscaler) builds;
  no-op in CI — arg is empty so production image is unchanged
- uv unpinned from stale 0.4.30 to >=0.5.0 for current dep resolution

Author: kbichave

Dockerfile

@@ -6,6 +6,15 @@ FROM python:3.11-slim-bookworm
 LABEL maintainer="QuantStack"
 LABEL description="QuantStack trading platform"
 
+# Optional: inject a corporate CA bundle (e.g. Zscaler) for local builds only.
+# Usage: docker build --build-arg EXTRA_CA_CERT="$(cat ~/.zscaler_cert.pem)" .
+# In CI this arg is empty — no extra certs are added to the production image.
+ARG EXTRA_CA_CERT=""
+RUN if [ -n "$EXTRA_CA_CERT" ]; then \
+        printf '%s\n' "$EXTRA_CA_CERT" >> /usr/local/share/ca-certificates/corporate.crt \
+        && update-ca-certificates; \
+    fi
+
 # Install system dependencies
 RUN apt-get update && apt-get install -y --no-install-recommends \
     gcc \
@@ -15,7 +24,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     && rm -rf /var/lib/apt/lists/*
 
 # Install uv for fast dependency management
-RUN pip install --no-cache-dir uv==0.4.30
+RUN pip install --no-cache-dir "uv>=0.5.0"
 
 WORKDIR /app
 

packages/quant_pod/execution/microstructure_pipeline.py

@@ -301,12 +301,11 @@ async def _on_features_callback(self, features) -> None:
 
             # Record fill so FillTracker + downstream risk gate stays consistent
             fill = FillEvent(
+                order_id=result.order_id,
                 symbol=order.symbol,
                 side=order.side,
-                quantity=result.filled_qty,
-                fill_price=result.avg_fill_price or current_price,
-                commission=result.commission or 0.0,
-                order_id=result.order_id,
+                filled_qty=result.filled_qty,
+                avg_fill_price=result.avg_fill_price or current_price,
             )
             self._fill_tracker.update_fill(fill)
             self._risk_gate.record_submission()

packages/quant_pod/execution/paper_broker.py

@@ -39,7 +39,7 @@
 from loguru import logger
 from pydantic import BaseModel, Field
 
-from quant_pod.execution.portfolio_state import Position, get_portfolio_state
+from quant_pod.execution.portfolio_state import PortfolioState, Position, get_portfolio_state
 
 # =============================================================================
 # DATA MODELS
@@ -107,7 +107,7 @@ class PaperBroker:
     def __init__(
         self,
         conn: duckdb.DuckDBPyConnection | None = None,
-        portfolio: PortfolioState | None = None,  # noqa: F821
+        portfolio: PortfolioState | None = None,
         # Legacy parameter — ignored when conn is provided
         db_path: str | None = None,
     ):
@@ -336,7 +336,7 @@ def _update_portfolio(self, fill: Fill, req: OrderRequest) -> None:
     def get_fills(self, symbol: str | None = None, limit: int = 100) -> list[Fill]:
         """Return recent fills, optionally filtered by symbol."""
         query = "SELECT * FROM fills"
-        params = []
+        params: list[str | int] = []
         if symbol:
             query += " WHERE symbol = ?"
             params.append(symbol)
@@ -367,15 +367,15 @@ def get_total_commission(self) -> float:
         row = self.conn.execute(
             "SELECT COALESCE(SUM(commission), 0) FROM fills WHERE rejected = FALSE"
         ).fetchone()
-        return float(row[0])
+        return float(row[0]) if row is not None else 0.0
 
     def get_avg_slippage_bps(self) -> float:
         """Average slippage in basis points across all fills."""
         row = self.conn.execute(
             "SELECT COALESCE(AVG(slippage_bps), 0) FROM fills "
             "WHERE rejected = FALSE AND filled_quantity > 0"
         ).fetchone()
-        return float(row[0])
+        return float(row[0]) if row is not None else 0.0
 
 
 # Singleton — prefer injecting via TradingContext in new code.

packages/quant_pod/execution/portfolio_state.py

@@ -141,7 +141,8 @@ def conn(self) -> duckdb.DuckDBPyConnection:
     def _seed_cash(self) -> None:
         """Insert initial cash row if the table is empty (first run)."""
         with self._lock:
-            existing = self._conn.execute("SELECT COUNT(*) FROM cash_balance").fetchone()[0]
+            row = self._conn.execute("SELECT COUNT(*) FROM cash_balance").fetchone()
+            existing = row[0] if row is not None else 0
             if existing == 0:
                 self._conn.execute(
                     "INSERT INTO cash_balance (id, cash) VALUES (1, ?)",
@@ -421,7 +422,7 @@ def get_total_realized_pnl(self) -> float:
             row = self.conn.execute(
                 "SELECT COALESCE(SUM(realized_pnl), 0) FROM closed_trades"
             ).fetchone()
-        return float(row[0])
+        return float(row[0]) if row is not None else 0.0
 
     def get_daily_pnl(self, for_date: date | None = None) -> float:
         """Realized P&L for a specific date (defaults to today)."""
@@ -432,7 +433,7 @@ def get_daily_pnl(self, for_date: date | None = None) -> float:
                 "WHERE closed_at::DATE = ?",
                 [str(d)],
             ).fetchone()
-        return float(row[0])
+        return float(row[0]) if row is not None else 0.0
 
     def get_snapshot(self) -> PortfolioSnapshot:
         """

packages/quant_pod/execution/signal_cache.py

@@ -244,6 +244,8 @@ def _persist(self, signal: TradeSignal) -> None:
 
         Called with self._lock held — don't acquire it here.
         """
+        if self._conn is None:
+            return
         try:
             self._conn.execute(
                 """

packages/quantcore/execution/paper_trading.py

@@ -18,6 +18,7 @@
 import pandas as pd
 from loguru import logger
 
+from quantcore.config.timeframes import Timeframe
 from quantcore.data.storage import DataStore
 from quantcore.data.universe import UniverseManager
 from quantcore.execution.broker import BrokerInterface
@@ -243,8 +244,8 @@ def _get_features(self, symbol: str) -> dict | None:
         try:
             df = self.data_store.load_ohlcv(
                 symbol=symbol,
-                timeframe="1D",
-                start=datetime.now() - timedelta(days=30),
+                timeframe=Timeframe.D1,
+                start_date=datetime.now() - timedelta(days=30),
             )
 
             if df.empty:
@@ -377,7 +378,10 @@ def _update_position_from_order(self, order: PaperOrder) -> None:
                 if pos.quantity <= 0:
                     del self.positions[symbol]
         else:
-            # New position
+            # New position — fill_price and fill_timestamp are set by the
+            # simulated fill above (lines 356-357) before we reach here.
+            assert order.fill_price is not None
+            assert order.fill_timestamp is not None
             self.positions[symbol] = PaperPosition(
                 symbol=symbol,
                 direction=order.direction,

pyproject.toml

@@ -1,5 +1,5 @@
 [build-system]
-requires = ["setuptools>=61.0", "wheel"]
+requires = ["setuptools>=61.0", "wheel>=0.46.2"]
 build-backend = "setuptools.build_meta"
 
 [project]
@@ -49,7 +49,8 @@ dependencies = [
     "shap>=0.42.0",
     "statsmodels>=0.14.0",
     # RL - required because quantcore/__init__.py imports rl submodule
-    "torch>=2.0.0",
+    # >=2.6.0: fixes CVE-2025-32434 (CRITICAL), CVE-2024-31580, CVE-2024-31583
+    "torch>=2.6.0",
     "gymnasium>=0.29.0",
     "stable-baselines3>=2.2.0",
     "shimmy>=1.3.0",
@@ -76,6 +77,7 @@ dev = [
     "hypothesis>=6.90.0",
     "ruff>=0.1.0",
     "mypy>=1.7.0",
+    "types-PyYAML>=6.0.0",
     "mcp>=1.0.0",
 ]
 # Scheduler (Enhancement 4) — optional, required only if using scripts/scheduler.py
@@ -186,6 +188,7 @@ dev = [
     "hypothesis>=6.90.0",
     "ruff>=0.1.0",
     "mypy>=1.7.0",
+    "types-PyYAML>=6.0.0",
     "mcp>=1.0.0",
     "pre-commit>=3.5.0",
     "coverage>=7.0.0",
@@ -195,6 +198,10 @@ dev = [
 # UV configuration for dependency management
 # Use native TLS for better SSL compatibility (Zscaler, corporate proxies)
 native-tls = true
+# Security-driven lower bounds on transitive deps (Trivy CVE fixes)
+constraint-dependencies = [
+    "jaraco.context>=6.1.0",  # CVE-2026-23949
+]
 
 [tool.pytest.ini_options]
 testpaths = ["tests"]