phase G: data minimisation + passwordless auth + DeepSeek-first LLM

Server no longer holds portfolios. Holdings live in the browser (localStorage); the server publishes an anonymous ticker_universe and a gzipped /api/universe payload identical for every authenticated user, so access patterns can't betray which tickers a user holds. AI commentary is generated ephemerally from the browser-supplied pie and the cost ledger row records no positions. Migrations 0009-0011 added the universe table and dropped positions / portfolio_snapshots / portfolios. Authentication is now e-mail OTP only. Migration 0010 dropped password_hash and email_verified (every active session is by construction proof of email control). The /signup endpoint is gone; signup and login share a single email-entry page. Email rendering is HTML+plain-text multipart with a shared brand palette (app/branding.py) asserted in sync with the CSS by a drift-detection test. LLM provider defaults to DeepSeek-direct (cheaper, api.deepseek.com) with OpenRouter as automatic fallback if DeepSeek fails. ai_log_job and indicator_summary_job now iterate the two tones (NOVICE, INTERMEDIATE) per cycle so the dashboard's tone toggle is instant; PROMPT_VERSION bumped to 6 with an educational anti-TA / anti-gambling stance baked into _CORE. NOVICE mode renders a curated glossary inline (CBOE VIX, yield curve, HY OAS, etc.) with JS-positioned tooltips that survive viewport edges and sticky bars. Model name and tokens hidden from the user UI; still recorded in StrategicLog.model and AICall for admin. Layout adds a sticky top nav, a sticky bottom markets bar (one chip per exchange with status LED + headline index + 1d change), and Phase H feedback reporting is queued in tasks/todo.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 14:16:57 +01:00 · 2026-05-18 14:16:57 +01:00 · 6e7f57c6b2
commit 6e7f57c6b2
parent 480fd311c5
54 changed files with 5005 additions and 916 deletions
--- a/tests/test_pending_cookie.py
+++ b/tests/test_pending_cookie.py
@ -0,0 +1,34 @@
+"""Sign/verify roundtrip for the short-lived pending-verification cookie.
+
+The pending cookie carries the email + user_id under verification. It is
+NOT an auth cookie — never grants access beyond /verify and /verify/resend
+— so the only properties we test are: round-trips correctly, rejects bad
+signatures, and the salt is distinct from the session cookie's so a session
+cookie can never be mistaken for a pending cookie."""
+from __future__ import annotations
+
+from app import auth
+
+
+def test_pending_cookie_roundtrip():
+    cookie = auth.sign_pending("user@example.com", 42)
+    out = auth.verify_pending(cookie)
+    assert out == {"email": "user@example.com", "uid": 42}
+
+
+def test_pending_cookie_rejects_garbage():
+    assert auth.verify_pending("totally-bogus") is None
+    assert auth.verify_pending("") is None
+
+
+def test_pending_cookie_does_not_validate_as_session():
+    """Distinct salts: a pending-cookie value must not validate against the
+    session deserialiser. Otherwise an unverified user could feed their
+    pending cookie back as cassandra_session and bypass /verify."""
+    cookie = auth.sign_pending("user@example.com", 42)
+    assert auth.verify_session(cookie) is None
+
+
+def test_session_cookie_does_not_validate_as_pending():
+    cookie = auth.sign_session(7)
+    assert auth.verify_pending(cookie) is None