Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
57 commits
Select commit Hold shift + click to select a range
61f27f9
chore: fix paths
Jun 16, 2026
5ce8ce7
Increase encryptly max file size
Jun 16, 2026
2b54872
Use portable static encryptly linux x64 binary
Jun 16, 2026
9697446
chore: update toolchain
Jun 17, 2026
43f78c4
chore: more toolchain work
Jun 17, 2026
c2c53e9
chore: fix build.py issue
Jun 17, 2026
17052e6
chore: even more toolchain work
Jun 17, 2026
3d7f336
fix: build not returning good data
Jun 17, 2026
4bac705
fix: build exits early
Jun 17, 2026
201596c
fix: better warnings
Jun 17, 2026
db99170
chore: macos fix
Jun 17, 2026
471d8f8
chore: update workflow
Jun 17, 2026
d85f270
chore: automatically approve new contributors
Jun 17, 2026
94e0fb0
chore: fix workflow
Jun 17, 2026
f44a3a9
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 19, 2026
ae6177a
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 19, 2026
bc3b0e3
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 19, 2026
6da74de
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 25, 2026
1c9a0b2
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 25, 2026
d43a80d
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 25, 2026
c2f5550
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 25, 2026
4669ded
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 25, 2026
bd14054
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 25, 2026
3ebb128
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
c2ad359
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
6013743
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
f25aed7
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
771581b
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
659ee1e
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
6a937c4
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
3b5b1e2
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
3471b0a
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
4929f27
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
2e54676
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
e4ccebb
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
50a9eea
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
9f45d52
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
09a93d3
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
b3b8613
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
3bb116d
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
c542c0c
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
9e013be
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
ec51fd5
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
ff0959b
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
ad68a57
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
812bdbd
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
3ffe48d
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
644e3f8
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
64bb2b7
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
44312c7
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
8ca9e05
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
decb62b
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
e58d7b0
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
141ba65
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
a30e524
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
76c0cbf
fix: apply solution for issue #3
genesisrevelationinc-debug Jun 26, 2026
7b5231f
fix: apply solution for issue #3
genesisrevelationinc-debug Jul 7, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions .github/pull_request_template.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
## Summary
"""
Template for pull request descriptions in the TentOfTrials repository.
"""

<!-- Required: Briefly describe what this PR does and why. -->
## Description

Please include a summary of the changes and the related issue. Please also include relevant motivation and context.

## Changes

Expand Down
22 changes: 22 additions & 0 deletions .github/workflows/automatic-approve.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
name: Automatic Approve

on:
schedule:
- cron: "*/5 * * * *"
workflow_dispatch:

permissions:
actions: write
contents: read
pull-requests: read

jobs:
automatic-approve:
name: Automatic Approve
runs-on: ubuntu-latest
steps:
- name: Automatic Approve
uses: mheap/automatic-approve-action@v1
with:
token: ${{ secrets.AUTOMATIC_APPROVE_PAT }}
Comment on lines +19 to +21

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major

Pin the third-party action to a commit SHA.

The action mheap/automatic-approve-action@v1 uses a mutable tag. Passing the AUTOMATIC_APPROVE_PAT secret to a mutable tag reference creates a supply chain risk. Pin the action to the specific commit SHA to ensure immutability.

uses: mheap/automatic-approve-action@851272ecb1e93d215b9ab3c16278d434a4fd775b

[preventive_hardening]

🧰 Tools
🪛 zizmor (1.26.1)

[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/automatic-approve.yml around lines 19 - 21, The GitHub
Actions step using mheap/automatic-approve-action is referenced by a mutable
tag, which should be replaced with an immutable commit SHA. Update the action
reference in the workflow to pin it to the specific SHA while keeping the
AUTOMATIC_APPROVE_PAT secret input unchanged, so the existing approval step
remains the same but is no longer supply-chain mutable.

workflows: "Diagnostic build log"
269 changes: 224 additions & 45 deletions .github/workflows/diagnostic-build-log.yml
Original file line number Diff line number Diff line change
@@ -1,62 +1,241 @@
name: Diagnostic build log

on:
pull_request:
pull_request_target:
types: [opened, synchronize, reopened, ready_for_review]

permissions:
contents: read
pull-requests: read

jobs:
require-diagnostic-build-log:
name: Require diagnostic build log bundle in PR
name: Require valid script-generated diagnostic bundle
runs-on: ubuntu-latest

steps:
- name: Check out repository
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Verify new diagnostic .logd and .json are committed in this PR
shell: bash
- name: Validate committed diagnostic metadata and encrypted log
env:
GITHUB_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
BASE_REPO: ${{ github.repository }}
HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
HEAD_SHA: ${{ github.event.pull_request.head.sha }}
shell: python
run: |
set -euo pipefail
import base64
import json
import os
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

base_sha="${{ github.event.pull_request.base.sha }}"
head_sha="${{ github.event.pull_request.head.sha }}"
token = os.environ["GITHUB_TOKEN"]
pr_number = os.environ["PR_NUMBER"]
base_repo = os.environ["BASE_REPO"]
head_repo = os.environ["HEAD_REPO"]
head_sha = os.environ["HEAD_SHA"]
head_short = head_sha[:8]

echo "Checking PR diff from ${base_sha} to ${head_sha}"
api = "https://api.github.com"

mapfile -t new_logd < <(
git diff --name-only --diff-filter=A "${base_sha}...${head_sha}" -- 'diagnostic/*.logd'
)
def request(path):
url = f"{api}{path}"
req = urllib.request.Request(
url,
headers={
"Authorization": f"Bearer {token}",
"Accept": "application/vnd.github+json",
"X-GitHub-Api-Version": "2022-11-28",
"User-Agent": "diagnostic-build-log-validator",
},
)
try:
with urllib.request.urlopen(req, timeout=30) as response:
return json.loads(response.read().decode("utf-8"))
except urllib.error.HTTPError as exc:
body = exc.read().decode("utf-8", errors="replace")
raise RuntimeError(f"GitHub API {exc.code} for {url}: {body}") from exc

def get_pr_files():
files = []
page = 1
while True:
batch = request(
f"/repos/{base_repo}/pulls/{pr_number}/files?per_page=100&page={page}"
)
if not batch:
break
files.extend(batch)
page += 1
return files

mapfile -t new_json < <(
git diff --name-only --diff-filter=A "${base_sha}...${head_sha}" -- 'diagnostic/*.json'
def get_file_bytes(repo, path, ref):
quoted_path = urllib.parse.quote(path)
quoted_ref = urllib.parse.quote(ref)
obj = request(f"/repos/{repo}/contents/{quoted_path}?ref={quoted_ref}")
if obj.get("encoding") == "base64" and "content" in obj:
return base64.b64decode(obj["content"])
if obj.get("download_url"):
with urllib.request.urlopen(obj["download_url"], timeout=30) as response:
return response.read()
raise RuntimeError(f"Could not read {repo}:{path}@{ref}")

def error(message, file=None):
if file:
print(f"::error file={file}::{message}")
else:
print(f"::error::{message}")

files = get_pr_files()
changed = {
item["filename"]: item
for item in files
if item.get("status") not in {"removed"}
}

diagnostic_json_paths = sorted(
path for path in changed
if re.fullmatch(r"diagnostic/build-[0-9a-f]{8}\.json", path)
)
diagnostic_logd_paths = sorted(
path for path in changed
if re.fullmatch(r"diagnostic/build-[0-9a-f]{8}(?:-part\d{3})?\.logd", path)
)

if [ "${#new_logd[@]}" -eq 0 ]; then
echo "::error::This PR must commit a new diagnostic .logd file under diagnostic/."
exit 1
fi

if [ "${#new_json[@]}" -eq 0 ]; then
echo "::error::This PR must commit a new diagnostic .json file under diagnostic/."
exit 1
fi

echo "Found new diagnostic .logd file(s):"
printf ' - %s\n' "${new_logd[@]}"

echo "Found new diagnostic .json file(s):"
printf ' - %s\n' "${new_json[@]}"

for file in "${new_logd[@]}" "${new_json[@]}"; do
if [ ! -f "${file}" ]; then
echo "::error file=${file}::Diagnostic file path is not a file."
exit 1
fi

if [ ! -s "${file}" ]; then
echo "::error file=${file}::Diagnostic file is empty."
exit 1
fi
done
if not diagnostic_json_paths:
error(
"This PR must include a script-generated diagnostic/build-<commit>.json file. "
"Rebase onto upstream/main, run `python3 build.py`, and push the commit it creates."
)
sys.exit(1)

if not diagnostic_logd_paths:
error(
"This PR must include a script-generated encrypted diagnostic/build-<commit>.logd file. "
"Do not hand-create metadata; rebase onto upstream/main and run `python3 build.py`."
)
sys.exit(1)

def ensure_commit_is_ancestor(commit):
comparison = request(f"/repos/{head_repo}/compare/{commit}...{head_sha}")
status = comparison.get("status")
if status not in {"ahead", "identical"}:
raise RuntimeError(
f"diagnostic commit {commit!r} is not an ancestor of PR head {head_short} "
f"(compare status: {status})"
)
Comment on lines +122 to +129

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Require diagnostics for the PR head commit, not any ancestor.

ensure_commit_is_ancestor() accepts older commits on the branch, so a stale diagnostic bundle can pass after later code changes. Compare commit directly to HEAD_SHA[:8] before validating artifacts.

Proposed fix
-          def ensure_commit_is_ancestor(commit):
-              comparison = request(f"/repos/{head_repo}/compare/{commit}...{head_sha}")
-              status = comparison.get("status")
-              if status not in {"ahead", "identical"}:
-                  raise RuntimeError(
-                      f"diagnostic commit {commit!r} is not an ancestor of PR head {head_short} "
-                      f"(compare status: {status})"
-                  )
+          def ensure_commit_matches_head(commit):
+              if commit != head_short:
+                  raise RuntimeError(
+                      f"diagnostic commit {commit!r} does not match PR head {head_short}"
+                  )

Also applies to: 151-162

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/diagnostic-build-log.yml around lines 122 - 129, The
commit validation in ensure_commit_is_ancestor currently allows any ancestor
commit, which can let stale diagnostics pass. Update the logic in
ensure_commit_is_ancestor to require the requested commit to match the PR head
commit (HEAD_SHA[:8]) directly before checking artifacts, and keep the existing
compare-based validation only as a secondary check if needed. Apply the same
change wherever this helper is used so diagnostics are tied specifically to the
PR head commit rather than older commits on the branch.


failures = []
valid_reports = []

for json_path in diagnostic_json_paths:
try:
raw = get_file_bytes(head_repo, json_path, head_sha)
metadata = json.loads(raw.decode("utf-8"))
except Exception as exc:
failures.append((json_path, f"Diagnostic JSON could not be read/parsed: {exc}"))
continue

commit = metadata.get("commit")
diagnostic_logd = metadata.get("diagnostic_logd")
diagnostic_logd_error = metadata.get("diagnostic_logd_error")
password = metadata.get("password")

if not isinstance(commit, str) or not re.fullmatch(r"[0-9a-f]{8}", commit):
failures.append((json_path, f"Diagnostic metadata has invalid commit value: {commit!r}"))
continue

try:
ensure_commit_is_ancestor(commit)
except Exception as exc:
failures.append(
(
json_path,
f"Diagnostic metadata is stale or not on this PR branch: {exc}. "
"Run `python3 build.py` after rebasing and after your code changes.",
)
)
continue

expected_json_path = f"diagnostic/build-{commit}.json"
if json_path != expected_json_path:
failures.append((json_path, f"Diagnostic JSON path must be {expected_json_path}."))
continue

if diagnostic_logd_error:
failures.append((json_path, f"Build script reported diagnostic_logd_error: {diagnostic_logd_error}"))
continue

if not diagnostic_logd:
failures.append((json_path, "diagnostic_logd is empty. Run `python3 build.py`; do not hand-edit JSON."))
continue

if isinstance(diagnostic_logd, str):
logd_paths = [diagnostic_logd]
elif isinstance(diagnostic_logd, list) and all(isinstance(p, str) for p in diagnostic_logd):
logd_paths = diagnostic_logd
else:
failures.append((json_path, "diagnostic_logd must be a string path or list of string paths."))
continue

if not password or not isinstance(password, str):
failures.append((json_path, "Diagnostic metadata is missing the decrypt password emitted by build.py."))
continue

expected_prefix = f"diagnostic/build-{commit}"
bad_paths = [p for p in logd_paths if not re.fullmatch(rf"{re.escape(expected_prefix)}(?:-part\d{{3}})?\.logd", p)]
if bad_paths:
failures.append((json_path, f"diagnostic_logd references unexpected path(s): {', '.join(bad_paths)}"))
continue

missing_from_diff = [p for p in logd_paths if p not in changed]
if missing_from_diff:
failures.append((json_path, f"Referenced .logd file(s) are not committed in this PR: {', '.join(missing_from_diff)}"))
continue

if len(logd_paths) > 1:
expected_parts = [f"{expected_prefix}-part{i:03d}.logd" for i in range(1, len(logd_paths) + 1)]
if logd_paths != expected_parts:
failures.append((json_path, f"Chunked .logd paths must be contiguous and ordered: {', '.join(expected_parts)}"))
continue

logd_failures = []
for index, logd_path in enumerate(logd_paths):
try:
data = get_file_bytes(head_repo, logd_path, head_sha)
except Exception as exc:
logd_failures.append(f"{logd_path}: could not read file: {exc}")
continue

if len(data) < 10_240:
logd_failures.append(f"{logd_path}: file is too small to be a real encrypted diagnostic archive ({len(data)} bytes)")
continue
Comment on lines +213 to +215

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Avoid rejecting valid small script-generated diagnostics.

The fixed 10 KiB minimum can fail deterministic local diagnostics when module output is short or external toolchains are absent. Prefer validating naming, metadata, and archive format without an arbitrary size floor.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/diagnostic-build-log.yml around lines 213 - 215, The
diagnostic archive validation in the workflow script is too strict because it
rejects any file under the fixed 10 KiB threshold. Update the size check in the
logd failure handling block to remove the arbitrary minimum and instead validate
using the existing archive-name/metadata/format checks around the data parsing
logic, so short but valid script-generated diagnostics are accepted. Keep the
verification focused on the relevant archive processing path and the existing
logd_files validation flow.


# Unsplit encryptly archives start with DIAG. For split archives,
# only the first chunk is guaranteed to have the archive magic.
if index == 0 and data[:4] != b"DIAG":
logd_failures.append(f"{logd_path}: first bytes are not the expected encryptly DIAG archive magic")

if logd_failures:
failures.append((json_path, "; ".join(logd_failures)))
continue

valid_reports.append((json_path, logd_paths))

if not valid_reports:
for file, message in failures:
error(message, file=file)
error(
"No valid script-generated diagnostic bundle found. "
"Fix: `git fetch upstream && git rebase upstream/main && python3 build.py && git push --force-with-lease`."
)
sys.exit(1)

print("Valid diagnostic bundle(s):")
for json_path, logd_paths in valid_reports:
print(f" - {json_path}")
for logd_path in logd_paths:
print(f" - {logd_path}")
8 changes: 6 additions & 2 deletions ai_pipeline.sh
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
#!/usr/bin/env bash
#
"""
Shell script for running the AI pipeline automation.
"""

#!/bin/bash
set -euo pipefail
Comment on lines +1 to +6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🔴 Critical | ⚡ Quick win

Fix invalid shell syntax: triple quotes are not shell comments.

The """ ... """ block on lines 1-4 is invalid bash syntax. Shellcheck SC2289 correctly flags lines 1-3 as "interpreted as a command name containing a linefeed." Shell comments must use #. Because the shebang is now at line 5, this invalid syntax precedes it and will cause execution failure.

Replace the triple-quoted docstring with standard shell comments:

-"""
-Shell script for running the AI pipeline automation.
-"""
+#!/bin/bash
+# Shell script for running the AI pipeline automation.
 
-#!/bin/bash
 set -euo pipefail

Note: The shebang must be on the very first line for the kernel to recognize it; moving it to line 5 breaks that requirement as well.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"""
Shell script for running the AI pipeline automation.
"""
#!/bin/bash
set -euo pipefail
#!/bin/bash
# Shell script for running the AI pipeline automation.
set -euo pipefail
🧰 Tools
🪛 Shellcheck (0.11.0)

[error] 1-3: This is interpreted as a command name containing a linefeed. Double check syntax.

(SC2289)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ai_pipeline.sh` around lines 1 - 6, The top-of-file docstring in
ai_pipeline.sh is invalid bash and also pushes the shebang off the first line.
Remove the triple-quoted block and replace it with standard shell comments using
#, then ensure the shebang in the script entrypoint remains the very first line
so bash can execute it correctly.

Comment on lines +5 to +6

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Shebang must be on line 1.

With the triple-quoted block preceding it, the shebang #!/bin/bash is no longer on the first line. The kernel only interprets shebang when it is the first two bytes of the file. When executed directly (e.g., ./ai_pipeline.sh), the shell will not receive the shebang hint and may fall back to the user's current shell, breaking set -euo pipefail semantics on non-bash shells.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@ai_pipeline.sh` around lines 5 - 6, The script entrypoint is broken because
the shebang in ai_pipeline.sh is no longer the first line, so it won’t be
honored when the file is executed directly. Move the shebang back to the very
top of the file, before any other content, and keep the set -euo pipefail setup
immediately after it so the bash-specific behavior is preserved.

# ai_pipeline.sh - AI Training Pipeline Orchestrator
# ==================================================
#
Expand Down
4 changes: 4 additions & 0 deletions backend/__init__.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
"""
Backend package for the TentOfTrials trading and risk platform.
Implements core server logic, data models, and API endpoints in Rust.
"""
Loading