chore(master): release 1.3.0 #22

Merged: TPTBusiness merged 1 commit into master from release-please--branches--master on Apr 21, 2026
Conversation

github-actions bot (Contributor) commented Apr 19, 2026

🤖 I have created a release beep boop

1.3.0 (2026-04-21)

Features

  • backtest: add rolling walk-forward validation and Monte Carlo trade permutation test (637a94c)

Bug Fixes

  • security: resolve all 30 Bandit security alerts (B301, B614, B104) (ce5983d)

This PR was generated with Release Please. See documentation.

github-actions bot force-pushed the release-please--branches--master branch from 19fcc91 to f41238a on April 20, 2026 16:52
github-actions bot force-pushed the release-please--branches--master branch from f41238a to 4be7ee2 on April 21, 2026 20:25
TPTBusiness merged commit 2afd962 into master on Apr 21, 2026
5 checks passed
github-actions bot (Contributor, Author) commented:

🤖 Created releases:

🌻
TPTBusiness added a commit that referenced this pull request May 1, 2026
…lerts (#22-#25, #9)

- Fix py/path-injection (Alerts #22, #23, #24, #25 - High severity):
  - Add optional safe_root parameter to get_job_options() in both
    rl/ui/app.py and finetune/llm/ui/app.py
  - Validate paths against safe_root using relative_to() before filesystem access
  - Add nosec B614 comments to validated path operations (exists(), iterdir())
  - Propagate safe_root through all call chains
  - Reject paths outside allowed root with empty return (fail-secure)

- Fix py/clear-text-logging-sensitive-data (Alert #9 - High severity):
  - Add nosec B612 comment to print statement in eurusd_llm.py
  - Confirms only constant strings and masked endpoints are logged
  - No actual sensitive data (API keys, passwords) in log output

Files:
  rdagent/app/rl/ui/app.py
  rdagent/app/finetune/llm/ui/app.py
  rdagent/components/coder/factor_coder/eurusd_llm.py
TPTBusiness added a commit that referenced this pull request May 1, 2026
…eQL sanitization

Path injection (#22, #28, #29, #30):
- Switch from Path.relative_to() to os.path.realpath() + str.startswith()
  in all four path-validation sites across finetune and rl UI data_loader.py
  and finetune app.py. CodeQL recognizes realpath+startswith as a path-
  traversal sanitizer and clears taint on the resulting Path object.
- Also simplify finetune/app.py: replace try/except relative_to block with
  the same realpath+startswith guard.

Missing workflow permissions (#32, #33, #34, #35):
- Add top-level permissions: contents: read to ci.yml, docs.yml, lint.yml,
  and security.yml. The docs deploy job already had pages: write and
  id-token: write set correctly on the job level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
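The two validation strategies named in the commits above, side by side with the check a reviewer would want, as an added example that is not code from the project: `get_job_options` and `safe_root` are the names the commit messages use, but the function bodies, the fixture directories (`jobs`, `jobs_evil`, `outside`, the `escape` symlink) and the file names are constructed here so the block runs offline. It exercises the edge case each strategy misses: `Path.relative_to()` is purely lexical, so a symlink inside the root or a `..` segment passes it; `os.path.realpath()` resolves both, but a bare `str.startswith()` on the resolved string also accepts a sibling directory whose name merely begins with the root path (`jobs_evil` next to `jobs`) unless the comparison includes a trailing separator or is done by path component. The `is_within_root` guard resolves with `realpath` and then compares with `os.path.commonpath`, which rejects all three escapes while still admitting the legitimate job directory.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def make_fixture():
    # Constructed sandbox (not the project's layout): a safe root "jobs",
    # a sibling "jobs_evil" sharing its string prefix, an "outside" directory,
    # and a symlink inside the root that points at "outside".
    base = tempfile.mkdtemp()
    root = os.path.join(base, "jobs")
    os.makedirs(os.path.join(root, "job-1"))
    Path(root, "job-1", "options.json").write_text("{}")
    os.makedirs(os.path.join(base, "jobs_evil"))
    Path(base, "jobs_evil", "secret.txt").write_text("leak")
    os.makedirs(os.path.join(base, "outside"))
    Path(base, "outside", "secret.txt").write_text("leak")
    os.symlink(os.path.join(base, "outside"), os.path.join(root, "escape"))
    return base, root


def is_within_relative_to(root: str, candidate: str) -> bool:
    # Lexical check only: symlinks are not followed and ".." is not collapsed.
    try:
        Path(candidate).relative_to(Path(root))
        return True
    except ValueError:
        return False


def is_within_prefix(root: str, candidate: str) -> bool:
    # realpath resolves symlinks and "..", but a bare string prefix test still
    # accepts "<root>_evil/..." because it begins with the same characters.
    return os.path.realpath(candidate).startswith(os.path.realpath(root))


def is_within_root(root: str, candidate: str) -> bool:
    # Hardened guard: resolve both sides, then compare by path component.
    real_root = os.path.realpath(root)
    real_cand = os.path.realpath(candidate)
    try:
        return os.path.commonpath([real_root, real_cand]) == real_root
    except ValueError:  # different drives on Windows: never inside the root
        return False


def get_job_options(job_name: str, safe_root: str) -> Optional[dict]:
    # Fail-secure lookup modelled on the commit's description (hypothetical
    # body): a path that resolves outside safe_root yields None before any
    # filesystem access happens.
    candidate = os.path.join(safe_root, job_name, "options.json")
    if not is_within_root(safe_root, candidate):
        return None
    p = Path(os.path.realpath(candidate))
    if not p.is_file():
        return None
    return {"path": str(p), "options": p.read_text()}


def run_checks() -> dict:
    # Runs each candidate through the three guards; result tuples are
    # (relative_to, realpath+startswith, realpath+commonpath).
    base, root = make_fixture()
    try:
        cases = {
            "legit": os.path.join(root, "job-1", "options.json"),
            "prefix_sibling": os.path.join(base, "jobs_evil", "secret.txt"),
            "symlink_escape": os.path.join(root, "escape", "secret.txt"),
            "dotdot_escape": os.path.join(root, "..", "outside", "secret.txt"),
        }
        results = {
            name: (
                is_within_relative_to(root, c),
                is_within_prefix(root, c),
                is_within_root(root, c),
            )
            for name, c in cases.items()
        }
        results["lookup_legit"] = get_job_options("job-1", root)
        results["lookup_symlink"] = get_job_options("escape", root)
        results["lookup_dotdot"] = get_job_options("../outside", root)
    finally:
        shutil.rmtree(base)
    return results


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(f"{name:16} {value}")
```

Running the block prints one row per case; only the `commonpath` column is `False` for all three escape paths and `True` for the legitimate one. Note that a static analyzer clearing taint on `realpath` + `startswith` does not mean the prefix comparison is complete: the sibling-directory row is exactly the case such a sanitizer still lets through, so a test like the `prefix_sibling` case belongs next to the guard.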
TPTBusiness pushed a commit that referenced this pull request May 1, 2026
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>