chore(master): release 0.8.0 by github-actions[bot] · Pull Request #28 · TPTBusiness/NexQuant

github-actions · 2026-04-21T20:46:33Z

🤖 I have created a release beep boop

0.8.0 (2026-04-21)

Features

[AutoRL-Bench] Update DeepSearchQA split and translate task instructions to English (#1368) (ffb9491)
Add 'predix evaluate' command to CLI (728d8c6)
Add 'predix top' command + explain factor evaluation results (2340543)
Add 6 new CLI commands - all scripts integrated with local LLM (b0b2668)
add a rag mcp in proposal (#1267) (dc7b732)
add a web UI server (#1345) (1439548)
Add advanced ML models (Transformer, TCN, PatchTST, CNN+LSTM) (a45445a)
Add AI Strategy Builder (StrategyCoSTEER) - Closed Source (b4ced5d)
Add beautiful CLI welcome screen for GitHub README (4fef3e3)
Add CLI model selection (local vs OpenRouter) (54c60dc)
add code change summary (#1000) (66e0e8f)
add coder check and give more time (#1127) (e0519b5)
Add complete ML pipeline with graceful degradation (closed source) (524c68e)
add daily log rotation, llama health wait, factor auto-fixer, and README updates (4ae4d6f)
add enable_cache toggle for UI data caching (#1075) (5496168)
add extra_eval config and import_class for custom evaluators (#1097) (ab97dd8)
Add factor code and description to saved results (141c835)
Add GitHub infrastructure, CI/CD pipelines, and examples (a0b5dc4)
add hide_base_name option and update data folder prompts (#1004) (cd23729)
add hypo_critic and hypo_rewrite in proposal (#1106) (a6703aa)
add improve_mode to MultiProcessEvolvingStrategy for selective task implementation (#1273) (03f22dc)
Add improved local prompt with MultiIndex code examples (v3) (569470e)
add Kronos CLI commands, expand tests, document in README (f911081)
add LLM-finetune scenario (#1314) (6e19c9e)
add loop ID mapping to trace nodes and update UI labels (#1098) (810af36)
add mask inference in debug mode (#1154) (b4117cf)
Add model loader system (same as prompts) (1178474)
add only success filter toggle for traces (#1047) (6fdf633)
add option to enable hyperparameter tuning only in first eval loop (#1211) (f82de4a)
Add P5 ML Training Pipeline with LightGBM and 46 tests (916287a)
Add parallel run system with API key distribution (944152c)
add previous runner loops to runner history (#1142) (2426a1d)
add reasoning attribute to DSRunnerFeedback for enhanced evaluation context (#1162) (bfa4525)
Add RL Trading Agent system with 99 tests (caaa7d4)
add sample submission file check (#1053) (da67df1)
add show_hard_limit option and update time limit handling in DataScience settings (#1144) (8a3e42d)
Add simple factor evaluator with direct IC/Sharpe computation (7526be3)
Add start_llama and start_loop CLI commands (43277fc)
add stdout into workspace for easier debugging (#1236) (0daeb82)
add time ratio limit for hyperparameter tuning in Kaggle settin… (#1135) (6a49981)
Add Trading Protection System with 4 protections + comprehensive tests (0c7651e)
add user interaction in data science scenario (#1251) (6e09dc6)
add ws CLI and support optional timeout/cache (#1066) (51d458a)
added running time statistics for the DS scenario experiment (#1007) (667af3e)
analyze feedback based on sota numbers (#1116) (5e959a5)
Auto-start dashboard for fin_quant (cf8904e)
Auto-start dashboard for fin_quant (bc656e9)
backtest: add FTMO-realistic backtest mode with leverage, daily/total loss limits and realistic EUR/USD costs (f6f9f87)
backtest: add rolling walk-forward validation and Monte Carlo trade permutation test (637a94c)
backtest: add walk-forward OOS validation to backtest_signal_ftmo (1147971)
Backtesting Engine + Risk Management + Results Database (0adcb6d)
Backtesting Engine + Risk Management + Results DB (2110b55)
backtest: use backtest_signal_ftmo in strategy orchestrator and optuna optimizer (2e223a3)
Beautiful CLI dashboard + corrected start command (2c07c15)
Centralize all prompts in prompts/ directory (ba27e2b)
CLI Commands for strategy generation (P4 complete) (82d91a8)
Complete P6-P9 implementation (73 tests) (c0b56cb)
create Jupyter notebook pipeline file based on main.py file (#1134) (f03b1b9)
Data Loader module with tests (P0 complete) (df46dde)
Diverse factor selection + improved prompt v3 (8f4188b)
enable drafting with knowledge (#998) (1c35004)
enable finetune llm (#1055) (35c209b)
enable LLM‑based hypothesis selection with time‑aware prompt & colored logging (#1122) (90dd2f7)
enable meta planner (#1103) (a3c0f29)
enable to inject diversity cross async multi-trace (#1173) (b05a530)
enhance timeout handling in CoSTEER and DataScience scenarios (#1150) (811d4e7)
enhance timeout management and knowledge base handling in CoSTEER components (#1130) (305eff1)
EURUSD FX patches - prompts, factor spec, experiment settings (4cb7035)
EURUSD model experiment setting + model simulator text patched (5afbf91)
EURUSD Trading-Verbesserungen (Phase 2 & 3) (bab2107)
EURUSD Trading-Verbesserungen implementiert (Phase 1) (a9c5df0)
EURUSD walk-forward splits, bars terminology, README no $factor (94634d0)
factor-coder: Add critical rules to prevent common factor implementation errors (a1edca8)
fallback to acceptable results (#1129) (7fc0916)
Fast mode - CoSTEER goes to backtest after 1 iteration (ddd7f93)
fin_quant: auto-generate Kronos factor before loop start (277063f)
Fix 1min data integration and centralize all prompts (b4b8616)
Fix realistic backtesting (Step 1+2) (d0ef9ba)
Full auto strategy generation in fin_quant loop (d10708e)
Full system integration - RL + Protections + Backtesting + CLI (d156fbe)
FX feedback loop, EURUSD ticker examples, bars terminology (5e0e55b)
FX Multi-Agent Validator (TradingAgents-inspired) - Session/Macro/Bull-Bear/Trader (b2dfba3)
improve fallback handling in CoSTEER and add GPU usage guidelin… (#1165) (9c190e3)
Improve predix portfolio command with robust error handling (09f6cac)
Improved LLM prompt + Optuna integration (Step 3+5) (44bd6fa)
init pydantic ai agent & context 7 mcp (#1240) (5ba5e83)
Integrate critical features into fin_quant workflow (P0+P1) (f29e7bd)
Integrate factor code/description saving into fin_quant process (b5b2ca3)
integrate Kronos-mini OHLCV foundation model (Option A + B) (4ae3b99)
Intelligent embedding chunking instead of truncation (6e7a6cb)
logging: write complete LLM prompts and responses to daily JSONL log (803ef13)
mcp: cache with one-click toggle (#1269) (4f493c8)
mcts policy based on trace scheduler (#1203) (ac6d8ed)
merge code summary and support more traces (#1025) (ef5848d)
migrate to 1min EURUSD data (2020-2026) (a05050c)
ML Training Pipeline with 46 tests (P5 complete) (3ec37c4)
new prompt for auto-sota-selector (#1109) (733a17d)
offline selector (#1231) (d4c5399)
Optuna Parameter Optimizer with 60 tests (P3 complete) (a96013e)
PDF performance reports for strategies (reportlab) (60b8cde)
predix.py wrapper for dashboard support (543d9ca)
prob-based trace scheduler (#1131) (7e15b5e)
query & cache package_info (#1083) (7772591)
Realistic backtesting with OHLCV data (P5 continued) (c2f0eac)
Realistic backtesting with OHLCV data and spread costs (5c5d67c)
Redirect RD-Agent workspace to results/ directory (bbee3ac)
refactor CoSTEER classes to use DSCoSTEER and update max seconds handling (#1156) (c111966)
refine the logic of enabling hyperparameter tuning and add criteira (#1175) (e77572f)
rl: add AutoRL-Bench framework and benchmark integrations (#1348) (7cd64a2)
Save all factor results to results/factors/ (9d0a381)
Save factor results immediately after each evaluation (5c60383)
scripts: add full file logging to strategy generation and rebacktest scripts (8d810bc)
show first evo round codes diff (#1009) (ef6b586)
show the summarized final difference between the final workspace and the base workspace (#1281) (35a7ae5)
strategies: make OOS validation mandatory in strategy generator (bb32a6b)
Strategy Generator working with local LLM (P0-P4) (2a97a0b)
Strategy Orchestrator with 30 tests (P2 complete) (55a8086)
Strategy performance reports, CLI docs, and README update (90a4f7e)
Strategy Worker module with 41 tests (P1 complete) (4eea3a8)
strategy: Continuous optimization with Optuna parameter injection (4fda5ea)
streamline hyperparameter tuning checks and update evaluation g… (#1167) (5866230)
Support 25+ parallel runs with resource warnings (451e9be)
try coder on whole data (#1017) (d0afa59)
ui, support disable cache (#1217) (70fd91c)
unified backtest engine, LLM error handling, strategy refactor (76b9341)
update README with latest paper acceptance to NeurIPS 2025 (#1252) (12969b4)
zentrale data_config.yaml + apply_config.py für dynamische Datenkonfiguration (7bf93f4)

Bug Fixes

(to main) litellm's Timeout error is not picklable (#1294) (315850e)
add a switch for ensemble_time_upper_bound and fix some bug in main (#1226) (fc18942)
Add Bandit security scanning and fix critical vulnerabilities (26f2c12)
Add critical column name rules to factor generation prompt (3e74410)
Add get_factor_count() to QuantTrace to prevent parallel run crashes (d898bb5)
add gpu_info in research phase (#1094) (b1b77bd)
add json format response fallback to prompt templates (#1246) (694afd8)
add metric in scores.csv and avoid reading sample_submission.csv (#1152) (80c953d)
Add missing os import in factor_runner.py (14d533f)
Add missing Panel import in predix evaluate command (980f0c4)
add missing self parameter to instance methods in DSProposalV2ExpGen (#1213) (c8bf617)
Add nosec comments for schema migration SQL in results_db.py (bbdf296)
add spec for hyperparameters in task design and coder (#995) (6f3a44c)
align scenario descriptions and include debug timeout (#1079) (daea490)
allow prev_out keys to be None in workspace cleanup assertion (#1214) (f02dc5f)
avoid triggering errors like "RuntimeError: dictionary changed s… (#1285) (b180543)
based on response schema; not function calling (#1038) (a09b09f)
cancel tasks on resume and kill subprocesses on termination (#1166) (0e3f4cf)
change runner prompts (#1223) (be3433f)
ci: fix closed-source asset check false positives in security workflow (4b83c2b)
ci: remove CodeQL workflow (conflicts with default setup), drop duplicate lint job (a671361)
ci: remove env-print step to avoid leaking sensitive environment variables (#1299) (c067ea6)
ci: set JAVA_TOOL_OPTIONS UTF-8 in Codacy workflow (e36721c)
clear ws_ckp after extraction to reduce workspace object size (#1137) (28ceb41)
CLI dashboard in separate terminal window (b511be6)
collect_info: parse package names safely from requirements constraints (#1313) (99a71bf)
correct DS_LOCAL_DATA_PATH error in devcontainer (#1063) (d8790a0)
deps: bump python-dotenv to >=1.2.2 (CVE symlink overwrite) (126ae7d)
deps: pin aiohttp>=3.13.4 to patch 4 CVEs (81adddc)
Disable ANSI color codes when not running in TTY (f9b6720)
Disable Flask debug mode by default (Security Alert #2) (90528f2)
Display litellm messages as info instead of warnings (287f852)
dockerfile: install coreutils to resolve timeout command error (#1260) (35580cb)
docs: update rdagent ui with correct params (#1249) (3b9ad11)
Embedding Context Length Error (aeb36a1)
enable embedding truncation (#1188) (880a6c7)
end-timestamp 23:45, weg, SZ-beispiele weg (a4d923a)
enhance feedback handling in MultiProcessEvolvingStrategy for improved task evolution (#1274) (afb575c)
Ensure backtest results save to DB and JSON files (a0debc6)
error in prompt template (#1065) (e610fca)
evaluator erkennt 15min als valid (nicht daily) (4eff97a)
filter log folders bug in ui (#1073) (38aff84)
fix a bug in return curve display (#1042) (c03a519)
fix a minor bug in DS eval (#1012) (fb8f2b5)
fix a small bug in json_mode (#1041) (09dd0ca)
fix a small bug in response_schema (#1043) (53d7c3b)
fix bug for hypo_select_with_llm when not support response_schema (#1208) (d759ca9)
fix chat_max_tokens calculation method to show true input_max_tokens (#1241) (7e99605)
fix code diff bug (#1115) (514c191)
fix mcts (#1270) (5003aff)
fix mount (#1001) (e3278bf)
Fix parallel runner dashboard rendering error (3e58db4)
fix some bugs in quant scen (#1026) (f2cb3ce)
fix some bugs in RD-Agent(Q) (#1143) (7134a51)
Forward-fill daily factors to 1-min frequency (9d36cd2)
generate.py nutzt rdagent4qlib env für Qlib-Datenzugriff (8b690ad)
graph: using assignment expression to avoid repeated function call (#1174) (b6fae75)
Handle failed experiments in feedback step to prevent crashes (0de969a)
handle mixed str and dict types in code_list (#1279) (32ecf92)
Handle negative/zero values in performance report charts (985e912)
handle None output and conditional step dump in LoopBase execution (#1212) (9de8d60)
Handle Qlib Docker backtest failures gracefully (SECURITY FIX) (233e9a6)
handle the bug of wrong dag_parant index (#996) (cd0aab3)
handle the no-update case of root node in uncommited_rec_status (#1062) (0c6e6a4)
Handle timeout exceptions safely in predix_full_eval.py (22dbe68)
handle ValueError in stdout shrinking and refactor shrink logic (#1228) (6fc3877)
Harden _safe_resolve to fix CodeQL alert #3 (120d17a)
Harden path validation in Job Summary UI to fix CodeQL alert #17 (c0abfcd)
Harden path validation to fix CodeQL alert #20 (eb5aee2)
ignore case when checking metric name (#1160) (1b84f7b)
ignore class types when filtering workflow steps (#1085) (79d2158)
ignore RuntimeError for shared workspace double recovery (#1140) (bd8a16d)
Import pandas in predix portfolio_simple command (7196f09)
improve log folder sorting and selection UX (#993) (7e77a44)
Improve path traversal prevention with dedicated helper function (57ca1c4)
improve the logic of json_schema and refine the reasoning extraction logic for reasoning model (#1044) (e4d4cea)
increase retry count in hypothesis_gen decorator to 10 (#1230) (86ce4f1)
increase time default not controlled by LLM (#1196) (e4bd647)
Initialize EnvController in QuantTrace.init (882bf92)
inject correct MultiIndex template into factor prompt (c420ed8)
inject MultiIndex warning into factor interface prompt (YAML valide) (6587759)
insert await asyncio.sleep(0) to yield control in loop (#1186) (e0453e0)
jinja problem of enumerate (#1216) (6725f15)
kaggle competition metric direction (#1195) (04878f9)
kronos: lazy torch import to fix CI ModuleNotFoundError (ccc1d27)
kronos: pass actual datetime Series to Kronos predictor timestamps (dc6e7ce)
kronos: replace rdagent_logger with stdlib logging for CI compatibility (b4558f2)
merge candidates (#1254) (46aad78)
minor conflict in prompts (#1081) (427f5d2)
minor fix to runtime_environment (#1089) (51921c2)
model/factor experiment filtering in Qlib proposals (#1257) (9e34b4e)
move snapshot saving after step index update in loop execution (#1206) (774346d)
move task cancellation to finally block and fix subprocess kill typo (#1234) (a984f69)
optuna: fix inverted parameter range in Stage 2/3 when signal_bias is negative (eaf885e)
Override webshop's Werkzeug dependency to fix CVE-2026-27199 (53c63b7)
package and timer bug (#1092) (9b82bc1)
path traversal risk (#1050) (bd0a95e)
preserve null end_time when rendering dataset segments template (#1326) (6196ba3)
prevent calendar index overflow when signal data ends early (#1324) (3dbd703)
prevent JSON content from being added multiple times during retries (#1255) (31b19de)
prevent parallelism in feedback and record steps (#1046) (12d4e8a)
Prevent path injection in FT Job Summary UI (ca1fbb1)
Prevent path injection in RL Job Summary UI (8c9b782)
Prevent path traversal in autorl_bench server.py (56888cf)
Prevent path traversal in get_job_options() app.py (a58aa9f)
Prevent path traversal in RL UI app.py (5137143)
Prevent path traversal in Streamlit UI app.py (ebb5c84)
prompt yaml (#1112) (0c3d0cd)
properly assign sota_exp_fb before None comparison (#1037) (aa006a5)
Refactor path validation to fix CodeQL alert #16 (b6d58b0)
refine DSCoSTEER_eval prompts (#1157) (5594ab4)
refine prompt, equal lightgbm, discourage over hypertuning (#1072) (8974704)
refine prompt; runner focus on low hanging fruit (#1076) (de34c99)
refine prompts and add additional package info (#1179) (5353bd3)
refine task scheduling logic in MultiProcessEvolvingStrategy for… (#1275) (27d38af)
refine the prompt to force complete code & refine the logic of running (#1069) (e3679d6)
remove $factor from prompt, update example count to EURUSD (0a9e982)
remove all Chinese stock references, replace with EURUSD 1min FX (ae0693c)
Remove API key from test_benchmark_api.py config (057b3f1)
Remove API key logging from eurusd_llm.py (5fc14a1)
Remove API key parameter from generate_api_config() (15897ae)
Remove API key presence detection from logging (061340b)
Remove clear-text storage of API key (CodeQL alert #8) (45e64c2)
Remove hardcoded credentials from test_benchmark_api.py (6bee456)
remove refine decision & bug fix (#1031) (35b4224)
remove unused imports in data science scenario module (#1136) (fd6cd39)
Rename loader.py to prompt_loader.py to fix module conflict (784f7b9)
replace hardcoded ChromeDriver path with webdriver-manager (#1271) (e3d2443)
Resolve 88% empty backtest results + path fixes (818b8f3)
Resolve FORWARD_BARS NameError in backtest script (7554107)
Resolve security vulnerabilities (Dependabot + Code Scanning) (2bbf529)
revert 2 commits (#1239) (2201a47)
revert to v10 setting (#1220) (51f5bc9)
scheduler next selection parallel disorder (#1028) (f8d08be)
security: Patch 5 CodeQL path injection and clear-text logging alerts (#22-#25, #9) (d386af9)
security: Patch 5 CodeQL path injection and weak hashing alerts (#25-#30) (0d4c3b7)
security: Patch path injection and stack trace exposure (CodeQL #31, #27) (b0b8432)
security: replace relative_to() with realpath+startswith for CodeQL sanitization (6d70f1e)
security: resolve all 30 Bandit security alerts (B301, B614, B104) (ce5983d)
security: resolve CodeQL path-injection alerts in UI data loaders (cced426)
security: resolve CodeQL path-injection and clear-text-logging alerts (ec50224)
security: Resolve GitHub Security Scan alerts (6c85ba8)
security: Upgrade vllm and transformers to patch 4 CVEs (6c9ba91)
set requires_documentation_search to None to disable feature in eval (#1245) (ee8c119)
Skip already evaluated factors in predix_full_eval.py (ae23e01)
skip res_ratio check if timer or res_time is None (#1189) (dbe2142)
split then sample & remove simple model guide in ds proposal (#1034) (ece86d7)
stop evolve if global timer is timeout (#1039) (3c2c27c)
strategy: Fix template variables, APIBackend import, and JSON extraction (8220faa)
strategy: Re-evaluate Optuna-optimized strategies with full OHLCV backtest (026edce)
summary page bug (#1219) (beab473)
support experimental support for Deepseek models and update docs about configuration (#1024) (f2272f3)
Switch to ThreadPoolExecutor for factor evaluation (b600866)
Translate remaining German comment in eurusd_macro.py (5054f22)
TypeError: cannot unpack non-iterable bool object (#1036) (7251976)
ui bug (#1192) (2f8261f)
update fallback criterion (#1210) (dbbe374)
Update LICENSE badge link from main to master branch (485ae02)
update requirements.txt's streamlit (#1133) (600d159)
Update Werkzeug to 2.3.8 (latest secure 2.x version) (24ea6dd)
Use 96-bar forward returns in backtest (matching factor IC horizon) (991eb06)
use CoSTEERSettings for DSRunnerCoSTEERSettings (#1096) (54d72e1)
Use num_api_keys instead of len(api_keys) for round-robin (89f971e)
weg, Timestamps mit Uhrzeit, kein SZ-Beispiel (6f616cb)

Performance Improvements

kronos: batch GPU inference via predict_batch — 75x faster (74611d0)
kronos: batch GPU inference via predict_batch — 75x faster (2babeb9)

Documentation

Add ATTRIBUTION.md with clear usage guidelines (17b1e62)
Add CLI welcome screenshot to README (e6f2374)
Add comprehensive CHANGELOG.md for v1.0.0 release (24f768e)
Add comprehensive CLI help and update README with quick start (f5f8515)
Add comprehensive data setup guide to README (f721d53)
Add comprehensive Git commit guidelines to QWEN.md (1dd5cff)
Add conda requirement to README + fix predix CLI (df45698)
Add CRITICAL rule - NEVER commit closed-source/private assets (917683f)
Add CRITICAL rule - NEVER commit trading strategies or JSON files (2b60fcc)
add documentation for Data Science configurable options (#1301) (d603d5a)
add execution environment configuration guide (Docker vs Conda) (#1288) (27ed3d1)
Add implementation summary (38dfe2b)
Add live trading system documentation to QWEN.md (a9d7fb8)
Add Microsoft RD-Agent acknowledgment to README (be2739f)
Add professional badges to README header (0bb89f0)
add Properties code-block for BACKEND setting in docs (#1060) (c27f3b4)
add README for exp_gen folder structure proposal (#1010) (deb01ac)
Add results/ directory README for storage documentation (02f31ee)
add submission grading steps to devcontainer README (#1054) (083f1bd)
Add v2.0.0 release changelog (ff265ec)
claude: add release cadence policy — manual on request, patch bumps (bbc89e1)
claude: auto-merge release-please PR after every push (f500917)
Clean changelog of closed-source performance metrics (a0f6587)
Create changelog/ directory with v1.0.0.md release notes (dd291ae)
Final system completion - all 9 phases done (d6e4044)
fix duplicate sections, add hardware requirements and data setup guide (6c771b3)
improve README badges, fix llama-server flags, clean up structure (336e1a5)
Remove 'Inspired by' comments and add comprehensive Acknowledgments (b03975b)
Simplify README for git-clone-only installation (3a09c5f)
Translate all code comments to English (cc07144)
Translate data_config.yaml to English (baeae68)
Translate server.py comments to English (fde1e47)
Translate server.py docstring to English (f8b144a)
update configuration docs (#1155) (56ed919)
update data science docs (#1015) (81d0ac7)
update docs/installation_and_configuration.rst for Configuration (#1061) (6469a06)
update installation methods in readme (#1058) (dfd73cb)
Update QWEN.md with complete 5-phase architecture and results (7e13541)
Update QWEN.md with detailed Git history correction guide (f5784a2)
Update QWEN.md with implementation guide (b72167e)
Update SECURITY.md and CONTRIBUTING.md (273131f)
Update TODO.md with v1.0.0 completed items and future roadmap (5b2d723)

Miscellaneous Chores

release 0.6.1 (5c2f015)
release 0.7.0 (7299ab1)
release 0.8.0 (8c15238)

This PR was generated with Release Please. See documentation.

TPTBusiness · 2026-04-21T20:47:16Z

Closing: release-please state confused after manual tag deletion. v1.3.1 will be recreated manually.

…25-#30) - Fix py/path-injection (Alerts #25, #28, #29, #30 - High severity): - Add optional safe_root parameter to get_valid_sessions() in both finetune/llm/ui/data_loader.py and rl/ui/data_loader.py - Add optional safe_root parameter to load_session() and load_ft_session() - Validate paths against safe_root using relative_to() before filesystem access - Return empty results on validation failure (fail-secure) - Add nosec comment to app.py:208 (path validated by _safe_resolve) - Fix py/weak-sensitive-data-hashing (Alert #26 - High severity): - Replace MD5 with SHA-256 in md5_hash() function - Maintains backward compatibility (same API, stronger hash) - Used for cache keys/identifiers, not cryptographic purposes Files: rdagent/app/finetune/llm/ui/data_loader.py rdagent/app/rl/ui/data_loader.py rdagent/app/rl/ui/app.py rdagent/utils/__init__.py

…eQL sanitization Path injection (#22, #28, #29, #30): - Switch from Path.relative_to() to os.path.realpath() + str.startswith() in all four path-validation sites across finetune and rl UI data_loader.py and finetune app.py. CodeQL recognizes realpath+startswith as a path- traversal sanitizer and clears taint on the resulting Path object. - Also simplify finetune/app.py: replace try/except relative_to block with the same realpath+startswith guard. Missing workflow permissions (#32, #33, #34, #35): - Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml, and security.yml. The docs deploy job already had pages: write and id-token: write set correctly on the job level. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>