The container was running as root, giving any process inside full host privileges if the container escaped. Creates a dedicated appuser, transfers /app ownership, and switches to that user before the entrypoint. The entrypoint writes /app/crontab at runtime, which still works because appuser owns /app.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
>= constraints allow pip to silently pull a newer version on each image rebuild, making two builds weeks apart potentially non-identical. Pinning to the current stable releases (requests 2.32.3, PyYAML 6.0.2) ensures every build produces the same environment.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Review findings:
- --disabled-password creates a login-capable user; --system is the correct flag for a service account (no shell, no aging, UID<1000)
- VOLUME declaration moved after chown so layer order reflects intent
- Added comments documenting the /app/crontab write requirement and the mapping.yaml world-readable caveat for bind-mounts
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Review noted that == pinning doesn't cover transitive deps and there's no audit trail. Added comment explaining the limitation and the date the pins were last verified CVE-clean.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Monthly cadence to avoid noise. Covers:
- pip: requirements.txt (requests, PyYAML) + their transitive deps
- github-actions: docker/*, actions/checkout pinned to major versions
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The original VOLUME before entrypoint.sh was left in when the second one was added after chown. Docker ignores duplicates but it was confusing.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…-filter' into staging
- cleanup_duplicates.py: resolves duplicate activities created when
switching IBKR Flex Query from a short period to Last 365 Calendar Days.
Patches manual entries with their IBKR#{tradeID} comment (so future syncs
recognise them) and deletes the duplicate IBKR#-synced copies.
Dry-run by default; writes a full safety log before any mutation;
verifies API endpoints with a read-only probe before touching anything.
- README.md: adds a critical warning on the Flex Query period setting,
explains the two classes of silent failure (skipped sells, duplicate
re-imports), and points to cleanup_duplicates.py as the recovery path.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0125mJBtEmStCj8rFFkrtGxb
Caution: Review failed. The pull request is closed.
ℹ️ Recent review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (4)
📝 Walkthrough
Adds
Changes
Duplicate Activity Cleanup Script
Docker Publish Workflow and CI Docs Updates
Sequence Diagram
sequenceDiagram
participant User as User (CLI)
participant Script as cleanup_duplicates.py
participant GF as Ghostfolio API
User->>Script: python cleanup_duplicates.py [--apply]
Script->>GF: GET /api/v1/activities (verify + fetch all)
GF-->>Script: full activities list
Script->>GF: GET /api/v1/activities/{id} (single probe)
GF-->>Script: single activity (verify OK)
Script->>Script: partition into IBKR# entries and manual entries
Script->>Script: match by symbol/type/qty/price + DATE_TOLERANCE
Script-->>User: dry-run report (if no --apply)
rect rgba(255, 140, 0, 0.5)
Note over Script,GF: --apply mode only
Script->>Script: write JSON safety snapshot
Script->>GF: GET /api/v1/activities/{manual_id} (re-fetch for PUT payload)
GF-->>Script: current manual activity
Script->>GF: PUT /api/v1/activities/{manual_id} (patch comment to IBKR#{trade_id})
GF-->>Script: 200 OK
Script->>GF: DELETE /api/v1/activities/{ibkr_id}
GF-->>Script: 200 OK
end
Script-->>User: summary (patched/deleted/errors), exit 1 on errors
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
Summary
- cleanup_duplicates.py: tool for cleaning up the duplicates created when the IBKR Flex Query was switched from a short period to Last 365 Calendar Days. Patches the manual entries with their IBKR#{tradeID} and deletes the duplicate copies. Dry-run by default, safety log before any mutation, read-only probe of the endpoint before acting.
- README.md: critical warning about the Flex Query period setting, description of the two classes of silent failure (skipped sells, duplicate re-imports), and a pointer to cleanup_duplicates.py as the recovery path.
Context
Bug discovered in production: Flex Query configured to "Last Month" instead of "Last 365 Calendar Days". Consequences: recent sells missing from the IBKR XML and, once the setting was corrected, 90 activities re-imported as duplicates of the existing manual entries. The cleanup script resolved the 26 trade duplicates identified (matched on symbol+type+qty+price+date ±2d).
Test plan
New trade activities: 0, duplicates skipped: 104
🤖 Generated with Claude Code
https://claude.ai/code/session_0125mJBtEmStCj8rFFkrtGxb
Summary by CodeRabbit
New Features
Documentation
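The matching rule from the PR summary (symbol + type + quantity + price, date within ±2 days, manual entry patched with the `IBKR#` comment of the copy to be deleted), as an added Python example that is not the code of cleanup_duplicates.py. The `Activity` shape, the closest-date tie-break and the consume-once rule are assumptions made here; the function only builds the plan a dry run would print and touches no API.

```python
from dataclasses import dataclass
from datetime import date, timedelta

DATE_TOLERANCE = timedelta(days=2)  # the ±2 day window quoted in the PR description
IBKR_PREFIX = "IBKR#"               # comment marker carried by synced entries

@dataclass(frozen=True)
class Activity:  # hypothetical, simplified shape; not Ghostfolio's real schema
    id: str
    symbol: str
    type: str
    quantity: float
    unit_price: float
    day: date
    comment: str = ""

def _key(a):  # fields that must agree exactly; rounding absorbs float noise
    return (a.symbol, a.type, round(a.quantity, 8), round(a.unit_price, 8))

def plan_cleanup(activities):
    """Return (manual_id, ibkr_id, new_comment) triples without mutating anything."""
    synced = [a for a in activities if a.comment.startswith(IBKR_PREFIX)]
    manual = [a for a in activities if not a.comment.startswith(IBKR_PREFIX)]
    plan, used = [], set()
    for m in manual:
        candidates = [
            s for s in synced
            if s.id not in used
            and _key(s) == _key(m)
            and abs(s.day - m.day) <= DATE_TOLERANCE
        ]
        if candidates:
            # Closest date wins; a synced copy is consumed once, so it is never deleted twice.
            best = min(candidates, key=lambda s: abs(s.day - m.day))
            used.add(best.id)
            plan.append((m.id, best.id, best.comment))
    return plan

# Constructed sample data, not taken from the repository.
SAMPLE = [
    Activity("m1", "AAPL", "BUY", 10, 150.0, date(2024, 3, 4)),
    Activity("m2", "AAPL", "BUY", 10, 150.0, date(2024, 3, 20)),
    Activity("s1", "AAPL", "BUY", 10, 150.0, date(2024, 3, 5), "IBKR#1001"),
    Activity("s2", "AAPL", "SELL", 10, 150.0, date(2024, 3, 4), "IBKR#1002"),
]

if __name__ == "__main__":
    for manual_id, ibkr_id, comment in plan_cleanup(SAMPLE):
        print(f"[dry-run] PUT {manual_id} comment={comment!r}; DELETE {ibkr_id}")
```

Only `m1` pairs with `s1`: `m2` falls outside the date window and `s2` differs in type, so both are left alone rather than guessed at.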