
fix(paper): strategy candidates + backtest history isolated per account, closing cross-tenant leak #132

Merged
mirror29 merged 5 commits into main from fix/cross-tenant-data-leaks on Jul 3, 2026

Conversation

@mirror29 mirror29 (Owner) commented Jul 2, 2026

Cross-tenant data leak fix

Contains two unrelated changes, bundled on the same branch because the GLM workflow was added midway and I forgot to split the branch.

1. fix(paper): strategy candidates + backtests isolated per account

  • Closes a cross-tenant data leak
  • paper endpoints pass account_id through (backtest / strategy_candidates / CV / sensitivity)

2. feat(ci): GLM-5.2 PR review + @glm interaction

  • Adds glm-review.yml / glm.yml, replacing the existing Claude Code review
  • API goes through yuanyuaicloud.cn/v1, model glm-5.2
  • Non-blocking design; sticky comment prevents an email flood
  • Prerequisite: GitHub Secret ZHIPUAI_API_KEY is configured

🤖 Generated with [Claude Code](https://claude.com/claude-code)

mirror29 and others added 2 commits July 2, 2026 21:12
Production check: after logging in as test2, the user could see other users' strategy candidates and backtest history. Fix: 1) add an account_id column to the backtest_runs table (0025) + filter across the whole chain in list_recent/list_by_research/list_by_strategy + insert_run writes account_id + runner passes it through; 2) strategy_candidates/list_candidates filter by owner_account_id, endpoint changed from _user to user and passes account_id_from_user(user). All 886 tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cloudflare-workers-and-pages cloudflare-workers-and-pages Bot commented Jul 2, 2026

Deploying inalpha-web with Cloudflare Pages

Latest commit: 675f06c
Status: ✅ Deploy successful!
Preview URL: https://ebada2a7.inalpha-web.pages.dev
Branch Preview URL: https://fix-cross-tenant-data-leaks.inalpha-web.pages.dev

mirror29 and others added 3 commits July 3, 2026 09:51
post_backtest_cv and post_backtest_sensitivity do not write to backtest_runs, but the endpoint signatures have been unified to user + account_id, passed through to runner/sensitivity, so that it is not forgotten when these are persisted to a table in the future.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add two workflows replacing the existing Claude Code review setup:
- glm-review.yml: automatically reviews the diff on PR opened/synchronize, summarised in a sticky comment
- glm.yml: @glm in a PR/issue triggers a conversational interaction

Authorization: Bearer is injected via the GitHub Secret ZHIPUAI_API_KEY.
Non-blocking design (continue-on-error); does not affect PR merging.

Co-Authored-By: Claude <noreply@anthropic.com>
list_by_research/list_by_strategy/list_recent previously built the where variable by f-string concatenation; switched to a ternary clause + f-string, so clause can only take three controlled values, eliminating any possibility of SQL injection.

Co-Authored-By: Claude <noreply@anthropic.com>
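As an added illustration of the two fixes described in these commits (it is not the project's code): every read on backtest_runs is filtered by the owning account_id, and the WHERE fragment is picked from a fixed set of three developer-controlled strings while caller values go through bind parameters. The table layout beyond the account_id column, the function names and the scope names are assumptions.

```python
import sqlite3

# Constructed schema: mirrors the PR's idea (backtest_runs carries account_id);
# the other column names are assumptions, not the project's own.
SCHEMA = """
CREATE TABLE backtest_runs (
    id INTEGER PRIMARY KEY,
    account_id TEXT NOT NULL,
    research_id TEXT,
    strategy_id TEXT,
    created_at INTEGER NOT NULL
);
"""

# Only three fixed, developer-controlled WHERE fragments can ever reach the
# SQL string; caller-supplied values always travel as bind parameters.
_SCOPE_CLAUSES = {
    "recent": "",
    "research": " AND research_id = ?",
    "strategy": " AND strategy_id = ?",
}

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def insert_run(conn, account_id, research_id, strategy_id, created_at):
    # Writes carry the owning account so that reads can filter on it.
    conn.execute(
        "INSERT INTO backtest_runs (account_id, research_id, strategy_id, created_at)"
        " VALUES (?, ?, ?, ?)",
        (account_id, research_id, strategy_id, created_at),
    )

def list_runs(conn, account_id, scope="recent", scope_value=None, limit=20):
    """Return run ids visible to account_id, newest first.

    scope selects one of three fixed clauses; anything else is rejected
    rather than interpolated, so no caller string is spliced into the query.
    """
    if scope not in _SCOPE_CLAUSES:
        raise ValueError(f"unknown scope: {scope!r}")
    clause = _SCOPE_CLAUSES[scope]
    params = [account_id]
    if clause:
        params.append(scope_value)
    params.append(limit)
    sql = "SELECT id FROM backtest_runs WHERE account_id = ?" + clause + " ORDER BY created_at DESC LIMIT ?"
    return [row[0] for row in conn.execute(sql, params)]
```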
@mirror29 mirror29 merged commit 7739d23 into main Jul 3, 2026
10 checks passed
@mirror29 mirror29 deleted the fix/cross-tenant-data-leaks branch July 3, 2026 03:16