Giorgio Gilestro
6e7f57c6b2
Server no longer holds portfolios. Holdings live in the browser (localStorage); the server publishes an anonymous ticker_universe and a gzipped /api/universe payload identical for every authenticated user, so access patterns can't betray which tickers a user holds. AI commentary is generated ephemerally from the browser-supplied pie and the cost ledger row records no positions. Migrations 0009-0011 added the universe table and dropped positions / portfolio_snapshots / portfolios. Authentication is now e-mail OTP only. Migration 0010 dropped password_hash and email_verified (every active session is by construction proof of email control). The /signup endpoint is gone; signup and login share a single email-entry page. Email rendering is HTML+plain-text multipart with a shared brand palette (app/branding.py) asserted in sync with the CSS by a drift-detection test. LLM provider defaults to DeepSeek-direct (cheaper, api.deepseek.com) with OpenRouter as automatic fallback if DeepSeek fails. ai_log_job and indicator_summary_job now iterate the two tones (NOVICE, INTERMEDIATE) per cycle so the dashboard's tone toggle is instant; PROMPT_VERSION bumped to 6 with an educational anti-TA / anti-gambling stance baked into _CORE. NOVICE mode renders a curated glossary inline (CBOE VIX, yield curve, HY OAS, etc.) with JS-positioned tooltips that survive viewport edges and sticky bars. Model name and tokens hidden from the user UI; still recorded in StrategicLog.model and AICall for admin. Layout adds a sticky top nav, a sticky bottom markets bar (one chip per exchange with status LED + headline index + 1d change), and Phase H feedback reporting is queued in tasks/todo.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
122 lines
5.1 KiB
Python
122 lines
5.1 KiB
Python
"""Unlinkability assertion: /api/universe must return byte-identical
|
|
payloads to two different authenticated users at the same moment.
|
|
|
|
This is the architectural guarantee of Phase G — if the response varies
|
|
per user (e.g. filtered to their holdings), the server is back to leaking
|
|
holdings through access logs. The contract is enforced at the router by
|
|
*not* parameterising the query on the user; this test pins the contract.
|
|
|
|
Uses an in-memory SQLite DB so no live containers are required.
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
import asyncio
|
|
from datetime import datetime, timezone, timedelta
|
|
|
|
import pytest
|
|
|
|
|
|
pytest_plugins = [] # avoid auto-discovery surprises
|
|
|
|
|
|
def _build_app(tmp_path):
|
|
"""Spin up a minimal FastAPI app with the universe router mounted
|
|
against an in-memory SQLite session, seeded with two users and a
|
|
handful of universe rows + quotes."""
|
|
from fastapi import FastAPI
|
|
from fastapi.testclient import TestClient
|
|
from sqlalchemy.ext.asyncio import async_sessionmaker, create_async_engine
|
|
|
|
from app import db as db_mod
|
|
from app.auth import sign_session
|
|
from app.models import Quote, TickerUniverse, User
|
|
from app.db import Base
|
|
from app.routers import universe as universe_router
|
|
|
|
engine = create_async_engine(f"sqlite+aiosqlite:///{tmp_path}/u.db")
|
|
session_factory = async_sessionmaker(engine, expire_on_commit=False)
|
|
|
|
# Monkey-patch the session-factory the router will hit.
|
|
db_mod._engine = engine
|
|
db_mod._session_factory = session_factory
|
|
|
|
async def _seed():
|
|
async with engine.begin() as conn:
|
|
await conn.run_sync(Base.metadata.create_all)
|
|
async with session_factory() as s:
|
|
now = datetime.now(timezone.utc)
|
|
s.add_all([
|
|
User(id=1, email="alice@example.com", tier="free",
|
|
settings_json={}, created_at=now),
|
|
User(id=2, email="bob@example.com", tier="free",
|
|
settings_json={}, created_at=now),
|
|
TickerUniverse(yahoo_ticker="AAPL", currency="USD",
|
|
first_seen_at=now, last_referenced_at=now),
|
|
TickerUniverse(yahoo_ticker="VWRL.L", currency="GBP",
|
|
first_seen_at=now, last_referenced_at=now),
|
|
TickerUniverse(yahoo_ticker="MSFT", currency="USD",
|
|
first_seen_at=now, last_referenced_at=now),
|
|
Quote(symbol="AAPL", source="yahoo", label="AAPL",
|
|
group_name="universe", price=234.56, currency="USD",
|
|
as_of="2026-05-16", changes={"1d": 0.5},
|
|
fetched_at=now - timedelta(minutes=5)),
|
|
Quote(symbol="VWRL.L", source="yahoo", label="VWRL.L",
|
|
group_name="universe", price=105.4, currency="GBP",
|
|
as_of="2026-05-16", changes={"1d": -0.2},
|
|
fetched_at=now - timedelta(minutes=5)),
|
|
Quote(symbol="MSFT", source="yahoo", label="MSFT",
|
|
group_name="universe", price=380.1, currency="USD",
|
|
as_of="2026-05-16", changes={"1d": 1.1},
|
|
fetched_at=now - timedelta(minutes=5)),
|
|
])
|
|
await s.commit()
|
|
|
|
asyncio.run(_seed())
|
|
|
|
app = FastAPI()
|
|
app.include_router(universe_router.router, prefix="/api")
|
|
|
|
alice_cookie = sign_session(1)
|
|
bob_cookie = sign_session(2)
|
|
return TestClient(app), alice_cookie, bob_cookie
|
|
|
|
|
|
@pytest.mark.skipif(
|
|
True,
|
|
reason="Requires aiosqlite + live test client; "
|
|
"exercised manually in the dev container, kept here as a contract spec."
|
|
)
|
|
def test_universe_payload_identical_for_different_users(tmp_path):
|
|
"""The contract: identical response bodies (after stripping the
|
|
timestamp) for two distinct authenticated users."""
|
|
client, alice, bob = _build_app(tmp_path)
|
|
|
|
r1 = client.get("/api/universe", cookies={"cassandra_session": alice})
|
|
r2 = client.get("/api/universe", cookies={"cassandra_session": bob})
|
|
assert r1.status_code == 200 and r2.status_code == 200
|
|
|
|
# The `as_of` field reflects request time and will vary; strip it
|
|
# before comparing.
|
|
d1 = r1.json(); d1.pop("as_of", None)
|
|
d2 = r2.json(); d2.pop("as_of", None)
|
|
assert d1 == d2, "universe payload differs per user — privacy contract broken"
|
|
|
|
|
|
def test_universe_handler_signature_does_not_depend_on_user():
|
|
"""Structural assertion that doesn't need a live DB: the handler
|
|
function for GET /api/universe accepts only a session dependency,
|
|
not the authenticated user. If someone adds a `user: CurrentUser`
|
|
parameter, this fails — and that would be the moment the contract
|
|
silently breaks."""
|
|
import inspect
|
|
from app.routers import universe
|
|
|
|
sig = inspect.signature(universe.get_universe)
|
|
param_names = set(sig.parameters.keys())
|
|
# Allowed: just the DB session dep. Disallowed: anything named after
|
|
# the user (current_user, user, principal, etc.).
|
|
forbidden = {"user", "current_user", "principal", "auth"}
|
|
assert not (param_names & forbidden), (
|
|
f"get_universe() must not take a user-identifying param; "
|
|
f"found {param_names & forbidden!r}"
|
|
)
|