Skip to content

chore(master): release 1.3.3#30

Merged
TPTBusiness merged 1 commit into
masterfrom
release-please--branches--master
Apr 25, 2026
Merged

chore(master): release 1.3.3#30
TPTBusiness merged 1 commit into
masterfrom
release-please--branches--master

Conversation

@github-actions
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot commented Apr 24, 2026
edited
Loading

🤖 I have created a release beep boop

1.3.3 (2026-04-25)

Bug Fixes

  • backtest: replace broken MC permutation test with binomial win-rate test (c38d894)
  • factors: detect and correct look-ahead bias in daily-constant factors (eb490a4)
  • factors: extend look-ahead rules to session factors and add intraday-factor guidance (c24c100)
  • loop: compress old experiment history in proposal prompt to reduce context size (4bf90a9)
  • strategies: guard against None IC in acceptance check, disable slow wf_rolling (2197f52)
  • strategies: handle None ic/sharpe/dd in rejected strategy log output (ad2ad3a)

This PR was generated with Release Please. See documentation.

@github-actions github-actions Bot force-pushed the release-please--branches--master branch from c51e452 to 80ef7e4 Compare April 24, 2026 07:37
@github-actions github-actions Bot force-pushed the release-please--branches--master branch from 80ef7e4 to 86f1e40 Compare April 24, 2026 07:56
@github-actions github-actions Bot force-pushed the release-please--branches--master branch from 86f1e40 to 0fee93e Compare April 25, 2026 07:14
@TPTBusiness TPTBusiness merged commit 404cd81 into master Apr 25, 2026
5 checks passed
TPTBusiness added a commit that referenced this pull request May 1, 2026
@TPTBusiness
fix(security): Patch 5 CodeQL path injection and weak hashing alerts (#…
f03821a 
…25-#30)

- Fix py/path-injection (Alerts #25, #28, #29, #30 - High severity):
  - Add optional safe_root parameter to get_valid_sessions() in both
    finetune/llm/ui/data_loader.py and rl/ui/data_loader.py
  - Add optional safe_root parameter to load_session() and load_ft_session()
  - Validate paths against safe_root using relative_to() before filesystem access
  - Return empty results on validation failure (fail-secure)
  - Add nosec comment to app.py:208 (path validated by _safe_resolve)

- Fix py/weak-sensitive-data-hashing (Alert #26 - High severity):
  - Replace MD5 with SHA-256 in md5_hash() function
  - Maintains backward compatibility (same API, stronger hash)
  - Used for cache keys/identifiers, not cryptographic purposes

Files:
  rdagent/app/finetune/llm/ui/data_loader.py
  rdagent/app/rl/ui/data_loader.py
  rdagent/app/rl/ui/app.py
  rdagent/utils/__init__.py
TPTBusiness added a commit that referenced this pull request May 1, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
abac77f 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 1, 2026
@github-actions
chore(master): release 1.3.3 (#30)
a42c7b3 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
TPTBusiness added a commit that referenced this pull request May 3, 2026
@TPTBusiness
fix(security): Patch 5 CodeQL path injection and weak hashing alerts (#…
12efb05 
…25-#30)

- Fix py/path-injection (Alerts #25, #28, #29, #30 - High severity):
  - Add optional safe_root parameter to get_valid_sessions() in both
    finetune/llm/ui/data_loader.py and rl/ui/data_loader.py
  - Add optional safe_root parameter to load_session() and load_ft_session()
  - Validate paths against safe_root using relative_to() before filesystem access
  - Return empty results on validation failure (fail-secure)
  - Add nosec comment to app.py:208 (path validated by _safe_resolve)

- Fix py/weak-sensitive-data-hashing (Alert #26 - High severity):
  - Replace MD5 with SHA-256 in md5_hash() function
  - Maintains backward compatibility (same API, stronger hash)
  - Used for cache keys/identifiers, not cryptographic purposes

Files:
  rdagent/app/finetune/llm/ui/data_loader.py
  rdagent/app/rl/ui/data_loader.py
  rdagent/app/rl/ui/app.py
  rdagent/utils/__init__.py
TPTBusiness added a commit that referenced this pull request May 3, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
3c3e5a7 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 3, 2026
@github-actions
chore(master): release 1.3.3 (#30)
f93e567 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@github-actions github-actions Bot mentioned this pull request May 3, 2026
Merged
TPTBusiness added a commit that referenced this pull request May 3, 2026
@TPTBusiness
fix(security): Patch 5 CodeQL path injection and weak hashing alerts (#…
e188333 
…25-#30)

- Fix py/path-injection (Alerts #25, #28, #29, #30 - High severity):
  - Add optional safe_root parameter to get_valid_sessions() in both
    finetune/llm/ui/data_loader.py and rl/ui/data_loader.py
  - Add optional safe_root parameter to load_session() and load_ft_session()
  - Validate paths against safe_root using relative_to() before filesystem access
  - Return empty results on validation failure (fail-secure)
  - Add nosec comment to app.py:208 (path validated by _safe_resolve)

- Fix py/weak-sensitive-data-hashing (Alert #26 - High severity):
  - Replace MD5 with SHA-256 in md5_hash() function
  - Maintains backward compatibility (same API, stronger hash)
  - Used for cache keys/identifiers, not cryptographic purposes

Files:
  rdagent/app/finetune/llm/ui/data_loader.py
  rdagent/app/rl/ui/data_loader.py
  rdagent/app/rl/ui/app.py
  rdagent/utils/__init__.py
TPTBusiness added a commit that referenced this pull request May 3, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
d7e2018 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 3, 2026
@github-actions
chore(master): release 1.3.3 (#30)
bb9cbb3 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This was referenced May 4, 2026
Closed
Closed
TPTBusiness added a commit that referenced this pull request May 10, 2026
@TPTBusiness
fix(security): Patch 5 CodeQL path injection and weak hashing alerts (#…
cd0a2e9 
…25-#30)

- Fix py/path-injection (Alerts #25, #28, #29, #30 - High severity):
  - Add optional safe_root parameter to get_valid_sessions() in both
    finetune/llm/ui/data_loader.py and rl/ui/data_loader.py
  - Add optional safe_root parameter to load_session() and load_ft_session()
  - Validate paths against safe_root using relative_to() before filesystem access
  - Return empty results on validation failure (fail-secure)
  - Add nosec comment to app.py:208 (path validated by _safe_resolve)

- Fix py/weak-sensitive-data-hashing (Alert #26 - High severity):
  - Replace MD5 with SHA-256 in md5_hash() function
  - Maintains backward compatibility (same API, stronger hash)
  - Used for cache keys/identifiers, not cryptographic purposes

Files:
  rdagent/app/finetune/llm/ui/data_loader.py
  rdagent/app/rl/ui/data_loader.py
  rdagent/app/rl/ui/app.py
  rdagent/utils/__init__.py
TPTBusiness added a commit that referenced this pull request May 10, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
f171782 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 10, 2026
@github-actions
chore(master): release 1.3.3 (#30)
ce754c0 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@github-actions github-actions Bot mentioned this pull request May 10, 2026
Closed
TPTBusiness added a commit that referenced this pull request May 22, 2026
@TPTBusiness
fix(security): Patch 5 CodeQL path injection and weak hashing alerts (#…
e3a40de 
…25-#30)

- Fix py/path-injection (Alerts #25, #28, #29, #30 - High severity):
  - Add optional safe_root parameter to get_valid_sessions() in both
    finetune/llm/ui/data_loader.py and rl/ui/data_loader.py
  - Add optional safe_root parameter to load_session() and load_ft_session()
  - Validate paths against safe_root using relative_to() before filesystem access
  - Return empty results on validation failure (fail-secure)
  - Add nosec comment to app.py:208 (path validated by _safe_resolve)

- Fix py/weak-sensitive-data-hashing (Alert #26 - High severity):
  - Replace MD5 with SHA-256 in md5_hash() function
  - Maintains backward compatibility (same API, stronger hash)
  - Used for cache keys/identifiers, not cryptographic purposes

Files:
  rdagent/app/finetune/llm/ui/data_loader.py
  rdagent/app/rl/ui/data_loader.py
  rdagent/app/rl/ui/app.py
  rdagent/utils/__init__.py
TPTBusiness added a commit that referenced this pull request May 22, 2026
@TPTBusiness @claude
fix(security): replace relative_to() with realpath+startswith for Cod…
2fd6e06 
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
TPTBusiness pushed a commit that referenced this pull request May 22, 2026
@github-actions
chore(master): release 1.3.3 (#30)
2235710 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
@github-actions github-actions Bot mentioned this pull request May 22, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

autorelease: tagged

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TPTBusiness