- Hash passwords with SHA-256 on frontend before transmission to prevent
  raw password exposure in network traffic and server logs
- Switch login endpoint from OAuth2 form-data to JSON body
- Auto-create admin user on startup from ADMIN_USERNAME/ADMIN_PASSWORD
  env vars, solving login failure after registration was disabled
- Update auth tests to match new SHA-256 + JSON login flow
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
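
An added example, not part of these commits or the project's code: a server-side check for the SHA-256 + JSON login flow described in the first commit above. Because the digest the frontend sends is itself the login credential, this sketch salts and slow-hashes it before storage and compares in constant time. The JSON field names, the PBKDF2 work factor and the sample account are assumptions.

```python
import hashlib
import hmac
import json
import os
import re

PBKDF2_ITERATIONS = 600_000  # assumption: work factor chosen for this sketch
HEX_SHA256 = re.compile(r"[0-9a-f]{64}")


def client_digest(password: str) -> str:
    """What the frontend would send: hex SHA-256 of the typed password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def enroll(digest_hex: str) -> dict:
    """Store a salted, slow hash of the client digest, never the digest itself."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac(
        "sha256", bytes.fromhex(digest_hex), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt.hex(), "hash": stored.hex()}


def verify_login(body: str, users: dict) -> bool:
    """Check a JSON login body; field names here are assumed, not the project's."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    if not isinstance(data, dict):
        return False
    username, digest_hex = data.get("username"), data.get("password")
    if not isinstance(username, str) or not isinstance(digest_hex, str):
        return False
    # Reject anything that is not a lowercase hex SHA-256 (e.g. a raw password).
    if not HEX_SHA256.fullmatch(digest_hex):
        return False
    record = users.get(username)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", bytes.fromhex(digest_hex),
        bytes.fromhex(record["salt"]), PBKDF2_ITERATIONS,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


# Constructed sample account, standing in for the env-var admin bootstrap.
USERS = {"admin": enroll(client_digest("constructed-sample-password"))}
```
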
- Remove nginx from docker-compose.prod.yml (NPM handles reverse proxy)
- Add Next.js rewrites to proxy /api/* to backend (backend fully hidden)
- Bind frontend to 127.0.0.1:3000 only (NPM proxies externally)
- Replace hardcoded localhost:8000 in history page with api client
- Make CORS origins configurable via environment variable
- Restrict CORS methods to GET/POST/PUT/DELETE
- Add Gitea Actions deploy workflow with secrets-based env management
- Add security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- Add BACKEND_URL build arg to frontend Dockerfile for standalone builds
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- APScheduler for daily snapshots (18:30 weekdays)
- ReturnsCalculator with CAGR, TWR, MDD, volatility
- Portfolio history page with snapshots and returns tabs
- FastAPI lifespan integration for scheduler
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- POST /api/backtest (create and start)
- GET /api/backtest (list)
- GET /api/backtest/{id} (detail)
- GET /api/backtest/{id}/equity-curve
- GET /api/backtest/{id}/holdings
- GET /api/backtest/{id}/transactions
- DELETE /api/backtest/{id}
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- GET /api/market/stocks/{ticker}
- GET /api/market/stocks/{ticker}/prices
- GET /api/market/search
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- POST /api/strategy/multi-factor
- POST /api/strategy/quality
- POST /api/strategy/value-momentum
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>