Skip to content

v0.1.7 — Security boundary hardening + research workflow polish

Choose a tag to compare

View all tags
@warren618 warren618 released this 06 May 12:11
· 248 commits to main since this release
v0.1.7
488abd9

🛡️ v0.1.7 — Security boundary hardening + research workflow polish

v0.1.7 is a security-focused maintenance release for Vibe-Trading. It strengthens the default API, file, URL, generated-code, shell-tool, Docker, CLI/Web, and MCP/ClawHub boundaries while preserving the low-friction localhost workflow for normal CLI and Web UI users.

This release is available on PyPI, ClawHub, and GitHub Releases.

pip install -U vibe-trading-ai
# or
uv tool install --reinstall vibe-trading-ai

Highlights

🛡️ Security boundary hardening

The main goal of this release is to make Vibe-Trading safer by default without turning local research workflows into configuration work.

  • API authentication and read protection: non-local API use is now much stricter by default, and sensitive run/session/swarm read paths are protected consistently.
  • Upload and local-file boundaries: upload handling and local file-reading tools now use tighter path/type boundaries, with regression tests covering the previously risky paths.
  • Document and URL readers: local document reads and outbound URL reads now enforce stronger safety checks.
  • Shell-capable tools: shell execution tools are gated by entry point / explicit opt-in, reducing accidental exposure in Web/API/Docker/MCP deployments.
  • Generated strategy loading: generated backtest and Shadow Account strategy code is validated before execution/import.
  • Docker baseline: the runtime image now runs as a non-root vibe user, and Docker Compose defaults are localhost-first.
  • Durability: the hardening is backed by regression tests across auth, upload, path safety, document reading, web reading, tool registry, backtest loading, and Shadow Account codegen.

Thanks to lemi9090 (S2W) for the coordinated security report and fast validation of the fix coverage before release.

⚙️ Web UI Settings

New Settings surfaces make provider/model, base URL, reasoning effort, and data-source credential state manageable from the Web UI, backed by local/auth-protected settings APIs and data-driven provider metadata. (#57)

🔥 Correlation heatmap

The new correlation dashboard/API computes rolling return correlations and renders an ECharts heatmap for portfolio and symbol analysis. Follow-up fixes aligned the frontend proxy and PR review blockers. (#64, #66)

🔐 OpenAI Codex OAuth provider

Vibe-Trading now supports the OpenAI Codex provider via ChatGPT OAuth login (vibe-trading provider login openai-codex), with Settings metadata and provider adapter tests. (#65)

🧭 A-share pre-ST filter skill

New ashare-pre-st-filter skill for A-share ST/*ST risk screening, with follow-up relevance filtering so securities-account list mentions do not inflate E2 penalty counts. (#63)

🖥️ Interactive CLI UX

Interactive mode now has a live bottom status bar for provider/model, session duration, last-run latency, and cumulative tool-call stats, plus prompt history navigation and cursor editing through prompt_toolkit. (#69)

🧩 Swarm preset inspection

vibe-trading --swarm-inspect <preset> and related plumbing make it easier to inspect swarm presets before running multi-agent workflows. (#73)

📈 Dividend analysis skill

Added the dividend-analysis bundled skill for income stocks, payout sustainability, dividend growth, shareholder yield, ex-dividend mechanics, and yield-trap checks.

🧰 Local dev workflow

Added a one-command local dev workflow through scripts/dev up|open|logs|stop, plus Codespaces support and frontend/backend dev ergonomics. This is intended to make clean local testing and demos much easier.

0.1.7 maintenance

  • Release metadata: PyPI package, CLI banner, Web UI footer, Docker OCI labels, and ClawHub manifest are synced to 0.1.7.
  • CLI: vibe-trading --version now reports the installed version.
  • ClawHub: manifest now reflects 74 bundled finance skills and the current MCP command surface.
  • Frontend build deps: raised vite, postcss, and related lockfile floors to audited patched versions.
  • Docs: README news was refreshed across all language variants before this release, while older entries remain collapsed.
  • Tests: focused security, CLI, registry, packaging, and frontend build checks passed before publishing.

Install / upgrade

Channel Command
PyPI pip install -U vibe-trading-ai
uv tool uv tool install --reinstall vibe-trading-ai
ClawHub (Claude Desktop / OpenClaw / MCP clients) clawhub install vibe-trading or update the installed skill
Docker docker compose pull && docker compose up -d

Remote API/Web deployments should set API_AUTH_KEY and explicit trusted CORS origins. Local CLI and localhost Web UI workflows remain low-friction.

By the numbers

  • 26 commits since v0.1.6
  • 8 merged PRs
  • 25 default agent tools, with 22 exposed through MCP
  • 74 bundled finance skills (+ user-created skills)
  • 29 swarm presets
  • 6 data sources with auto-fallback: tushare, yfinance, okx, akshare, ccxt, futu
  • 7 backtest engines + options portfolio
  • 14 LLM providers

🙌 Contributors

Thanks to everyone who contributed code, docs, reports, review, and validation in this cycle:

  • @GTC2080 / TaoMu — Web UI Settings and provider/data-source configuration APIs (#57)
  • @BigNounce90 — validation CLI hardening for backtest run_dir input (#60)
  • @shadowinlife — A-share pre-ST filter skill (#63)
  • @MB-Ndhlovu — correlation heatmap dashboard and review fixes (#64, #66)
  • @ykykj — OpenAI Codex OAuth provider option (#65)
  • @RuifengFu — interactive CLI live status bar and prompt editing (#69)
  • @SiMinus — swarm preset inspection command (#73)
  • @warren618 / Haozhe Wu — security hardening, release integration, docs, Docker, packaging, and local dev workflow
  • lemi9090 (S2W) — coordinated security research, validation, and disclosure support

Changelog

Full changes: v0.1.6...v0.1.7

Merged PRs since v0.1.6 (8)
  • #73 feat: add swarm preset inspection command — @SiMinus
  • #69 feat(cli): add live streaming status indicator and arrow-key navigation to interactive mode — @RuifengFu
  • #66 Feat/correlation heatmap — @MB-Ndhlovu
  • #65 feat: add OpenAI OAuth provider option — @ykykj
  • #64 Feat/correlation heatmap — @MB-Ndhlovu
  • #63 feat(skill): add ashare-pre-st-filter — A股 ST/*ST 风险预测框架 — @shadowinlife
  • #60 fix: validate backtest run_dir CLI input — @BigNounce90
  • #57 feat: add model and data source settings UI — @GTC2080
All commits since v0.1.6 (26)
  • 488abd9 chore(release): prepare 0.1.7 — Haozhe Wu
  • d5558eb chore: add local dev workflow — Haozhe Wu
  • dfc5c14 feat: add swarm preset inspection command (#73) — SiMinus
  • e07cdc9 Harden supplemental security boundaries — Haozhe Wu
  • 2cf19b6 docs: collapse older readme news — Haozhe Wu
  • 292b673 docs: refresh readme news for cli ux — Haozhe Wu
  • bb67dc7 fix(tests): align CI path expectations — Haozhe Wu
  • 64da282 Merge pull request #69 from RuifengFu/feat/cli-ux-improvements — Haozhe Wu
  • bf084b3 Harden API and tool security defaults — Haozhe Wu
  • 3d171dc feat(cli): add live status bar and arrow key navigation — RuifengFu
  • f0c3eb6 docs: refresh readme news and roadmap — Haozhe Wu
  • 9501baf feat(skills): add dividend analysis skill — Haozhe Wu
  • 7452610 fix(frontend): proxy correlation endpoint — Haozhe Wu
  • eb5eda8 Merge pull request #66 from MB-Ndhlovu/feat/correlation-heatmap — Haozhe Wu
  • b95bb41 docs: sync multilingual news updates — Haozhe Wu
  • 0b95d68 feat: add correlation heatmap dashboard (#64) — MB-Ndhlovu
  • dea99ec feat: add OpenAI Codex OAuth provider option (#65) — ykj@hku
  • 3c9577f fix correlation PR review blockers — Malibongwe Ndhlovu
  • b22ca78 fix(skill): harden ashare penalty relevance filtering — Haozhe Wu
  • 968b649 feat(skill): add ashare pre-ST filter — shadowinlife
  • bbbef46 feat: cross-asset correlation heatmap dashboard — Malibongwe Ndhlovu
  • 8520bfe fix(cli): remove broken rich.box import — Malibongwe Ndhlovu
  • 7259b42 fix(cli): remove broken rich.box import — Malibongwe Ndhlovu
  • 3ccfa10 docs: sync README updates for settings UI and validation CLI — Haozhe Wu
  • 282c881 fix: validate backtest run_dir CLI input (#60) — BigNounce
  • a015452 feat: add model and data source settings UI (#57) — TaoMu

Validation before publishing

  • PyPI upload completed and vibe-trading-ai==0.1.7 was installed from PyPI in a clean venv.
  • ClawHub vibe-trading@0.1.7 is published and marked latest.
  • Docker image label and runtime user were verified (0.1.7, non-root vibe).
  • Focused security and CLI/registry tests passed.
  • Frontend production build passed.
  • npm audit --audit-level=moderate returned 0 vulnerabilities.
  • twine check passed for both wheel and sdist.

Contributors

shadowinlife, RuifengFu, and 6 other contributors
Assets 4
Loading