From 9c44eb6e3127c6d5fc7833473790ee7b7079a22b Mon Sep 17 00:00:00 2001 From: Marius Mutu Date: Tue, 21 Apr 2026 09:37:24 +0300 Subject: [PATCH] =?UTF-8?q?feat:=20mut=C4=83=20secretele=20Discord/Telegra?= =?UTF-8?q?m=20din=20TOML=20=C3=AEn=20.env?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit TOML-urile din configs/ rămân 100% calibrare — safe to commit. Secretele (ATM_DISCORD_URL, ATM_TG_TOKEN, ATM_TG_CHAT) trăiesc în .env la rădăcină (ignored), cu loader stdlib (shell wins peste file). Validare fail-fast pentru env lipsă, placeholder REPLACE_ME, chat_id non-numeric. Include .env.example + secţiune README §Secrets. Tests: 19 noi (env loader + missing-env + placeholder + chat_id + regression post-migrate snapshot). Co-Authored-By: Claude Opus 4.7 (1M context) --- .env.example | 9 +++ .gitignore | 5 +- CLAUDE.md | 3 +- README.md | 36 ++++++++- TODOS.md | 7 ++ configs/2026-04-18-1220.toml | 100 +++++++++++++++++++++++++ configs/2026-04-21-recalib.toml | 98 ++++++++++++++++++++++++ configs/current.txt | 1 + configs/example.toml | 8 +- src/atm/calibrate.py | 14 +--- src/atm/config.py | 111 +++++++++++++++++++++++++-- tests/test_calibrate.py | 19 ++++- tests/test_config.py | 128 +++++++++++++++++++++++++++++++- tests/test_env_loader.py | 104 ++++++++++++++++++++++++++ 14 files changed, 610 insertions(+), 33 deletions(-) create mode 100644 .env.example create mode 100644 configs/2026-04-18-1220.toml create mode 100644 configs/2026-04-21-recalib.toml create mode 100644 configs/current.txt create mode 100644 tests/test_env_loader.py diff --git a/.env.example b/.env.example new file mode 100644 index 0000000..e036a04 --- /dev/null +++ b/.env.example @@ -0,0 +1,9 @@ +# Copiază acest fișier în .env (la rădăcina proiectului) și pune valorile reale. +# .env e în .gitignore — secretele NU ajung pe git. +# +# Variabilele de shell au prioritate peste .env. Dacă ai făcut `export ATM_TG_TOKEN=...` +# cândva în .bashrc / profil, aceasta suprascrie .env — verifică cu `printenv | grep ATM_`. + +ATM_DISCORD_URL=https://discord.com/api/webhooks/REPLACE_ME +ATM_TG_TOKEN=REPLACE_ME +ATM_TG_CHAT=REPLACE_ME diff --git a/.gitignore b/.gitignore index 76a6b93..1b8aaec 100644 --- a/.gitignore +++ b/.gitignore @@ -54,10 +54,7 @@ samples/*.jpg samples/labels.json trades.jsonl -# configs: keep template only; ignore generated calibration and runtime state -configs/*.toml -!configs/example.toml -configs/current.txt +# configs: now committable (secrets live in .env — see .env.example) # Claude scheduler state .claude/ diff --git a/CLAUDE.md b/CLAUDE.md index d85b758..22dad0e 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -7,13 +7,14 @@ Personal Faza-1 tool for the M2D strategy. Python 3.11+. ```bash pip install -e ".[windows]" # Windows: live capture pip install -e ".[dev]" # Linux/macOS: dev + tests (WSL: create venv first) +cp .env.example .env # secretele Discord/Telegram (vezi README §Secrets) atm calibrate # Tk wizard atm debug --delay 5 # one-shot capture + detect atm validate-calibration calibration/calibration_labels.json # offline color gate atm run --start-at 16:30 --stop-at 23:00 # live session atm run --tz America/New_York --oh-start 09:30 --oh-stop 16:00 # NYSE window override atm dryrun samples # corpus gate -pytest -q # 192 tests (184 core + 8 scenarii regresie) +pytest -q # 210+ tests (core + 8 scenarii regresie + env loader) pytest tests/test_scenarios_regression.py -v # FSM pe imagini reale ``` diff --git a/README.md b/README.md index d4614d5..8600224 100644 --- a/README.md +++ b/README.md @@ -79,6 +79,40 @@ pip install -e ".[dev]" --- +## Secrets + +Credențialele Discord/Telegram NU se țin în TOML — trăiesc în `.env` la rădăcina proiectului: + +```bash +cp .env.example .env +# apoi editezi .env cu valorile reale +``` + +Variabile necesare: + +| Variabilă | Ce e | +|---|---| +| `ATM_DISCORD_URL` | Webhook URL-ul Discord (canalul unde vin alertele) | +| `ATM_TG_TOKEN` | Token-ul bot-ului Telegram (de la `@BotFather`) | +| `ATM_TG_CHAT` | Chat ID (group-ul sau user-ul; prefix `-` pentru group) | + +`.env` e în `.gitignore` — secretele nu ajung pe git. `configs/*.toml` **pot** fi comise pe git (calibrare pură, safe to version). + +La pornire, dacă `.env` e găsit, loader-ul printează pe stderr: + +``` +[atm.config] .env: loaded 3 vars (0 overridden by shell) +``` + +**⚠️ Shell env wins peste `.env`.** Dacă ai făcut `export ATM_TG_TOKEN=...` cândva în `.bashrc` / profil, aceasta override-uiește `.env` — verifică cu `printenv | grep ATM_`. Mesajul `(N overridden by shell)` te avertizează când se întâmplă. + +Config-ul se refuză să pornească dacă: +- lipsește oricare din cele 3 variabile (mesaj cu numele variabilei + hint către `.env.example`); +- `ATM_DISCORD_URL` sau `ATM_TG_TOKEN` conține `REPLACE_ME` (ai copiat `.env.example` dar n-ai editat); +- `ATM_TG_CHAT` nu-i numeric (opțional cu `-` la început pentru group). + +--- + ## Dev ```bash @@ -126,7 +160,7 @@ Flow: - Chart: colț stânga-sus + colț dreapta-jos (pentru detecția de linii în Faza-B) - Două prețuri cunoscute pe axa Y (pixel y → introduci prețul) - Canary: colț stânga-sus + colț dreapta-jos pe un element UI **stabil** (etichetă axă, bară titlu) -6. **Save** → scrie `configs/YYYY-MM-DD-HHMM.toml` + marcaj `configs/current.txt`. Preia credențialele Discord/Telegram din env (`ATM_DISCORD_URL`, `ATM_TG_TOKEN`, `ATM_TG_CHAT`) dacă sunt setate; altfel pune `REPLACE_ME` — editezi TOML-ul manual. +6. **Save** → scrie `configs/YYYY-MM-DD-HHMM.toml` + marcaj `configs/current.txt`. TOML-ul conține doar calibrare — secretele Discord/Telegram se țin în `.env` la rădăcina proiectului (vezi secțiunea **Secrets** de mai jos). ### ⚠️ Reguli critice la calibrare (evită incidentul 2026-04-17) diff --git a/TODOS.md b/TODOS.md index a142cf0..64c4e82 100644 --- a/TODOS.md +++ b/TODOS.md @@ -69,3 +69,10 @@ Price overlay (from Telegram commands feature) uses `y_axis` linear interpolatio - [ ] **Typing strictness**: run `pyright src/` with strict mode, fix reported issues. - [ ] **Perf baseline**: profile one detection cycle on a representative frame; ensure < 100ms so 5s loop has ample headroom. - [ ] **Exchange calendar holidays**: operating_hours doesn't know about NYSE closures (MLK, Thanksgiving, Good Friday). User `/pause`s manually for now. + +## P3-secret-scan-hook + +Pre-commit hook (`gitleaks` sau `detect-secrets`) care scanează diff-urile pentru pattern-uri de secrete înainte de commit. Centură de siguranţă acum că `configs/*.toml` se comit — risc crescut de leak prin copy-paste viitor (ex: cineva pune un token de test direct în TOML pentru un quick hack şi uită). + +- Start după ce avem 2+ contributors sau după primul incident "aproape am comis un secret". +- Tool de ales: `gitleaks` (binary, fără Python dep) > `detect-secrets` (Python, config mai complex). diff --git a/configs/2026-04-18-1220.toml b/configs/2026-04-18-1220.toml new file mode 100644 index 0000000..b9b2ee8 --- /dev/null +++ b/configs/2026-04-18-1220.toml @@ -0,0 +1,100 @@ +window_title = "m2d" + +[dot_roi] +x = 0 +y = 712 +w = 1796 +h = 35 + +[chart_roi] +x = 17 +y = 125 +w = 1767 +h = 567 + +[colors] + +[colors.turquoise] +rgb = [0, 153, 153] +tolerance = 60.0 + +[colors.yellow] +rgb = [153, 153, 0] +tolerance = 60.0 + +[colors.dark_green] +rgb = [0, 122, 0] +tolerance = 60.0 + +[colors.dark_red] +rgb = [128, 0, 0] +tolerance = 60.0 + +[colors.light_green] +rgb = [0, 171, 0] +tolerance = 60.0 + +[colors.light_red] +rgb = [171, 0, 0] +tolerance = 60.0 + +[colors.gray] +rgb = [128, 128, 128] +tolerance = 60.0 + +[colors.background] +rgb = [0, 0, 0] +tolerance = 25.0 + +[y_axis] +p1_y = 166 +p1_price = 485.2 +p2_y = 664 +p2_price = 483.2 + +[canary] +baseline_phash = "fbe145390c1abec23204017757a326b8e37077288ef79947310a89c70e07ffff" +drift_threshold = 8 + +[canary.roi] +x = 26 +y = 27 +w = 197 +h = 15 + +[chart_window_region] +x = 3 +y = 0 +w = 1918 +h = 1029 + +# Secretele Discord/Telegram se setează în .env la rădăcina proiectului — vezi .env.example. + +[options] +debounce_depth = 1 +loop_interval_s = 5.0 +heartbeat_min = 30 +lockout_s = 240 +low_conf_threshold = 0.2 +low_conf_run = 3 +phaseb_timeout_s = 600 +dead_letter_path = "logs/dead_letter.jsonl" + +[options.alerts] +fire_on_phase_skip = true + +[options.operating_hours] +enabled = true +timezone = "America/New_York" +weekdays = ["MON", "TUE", "WED", "THU", "FRI"] +start_hhmm = "09:30" +stop_hhmm = "16:00" + +# Per-kind screenshot-attach toggles. All default to true on upgrade. +# Accepts either a bare bool (legacy: attach_screenshots = true) or this table. +[options.attach_screenshots] +late_start = true # screenshot on startup-late alerts +catchup = true # screenshot on mid-session catchup arm + prime +arm = true # screenshot on normal arm (turquoise/yellow) — noisiest +prime = true # screenshot on normal prime (dark_green/dark_red) +trigger = true # screenshot on FIRE diff --git a/configs/2026-04-21-recalib.toml b/configs/2026-04-21-recalib.toml new file mode 100644 index 0000000..dcd2b01 --- /dev/null +++ b/configs/2026-04-21-recalib.toml @@ -0,0 +1,98 @@ +window_title = "m2d" + +[dot_roi] +x = 0 +y = 712 +w = 1796 +h = 35 + +[chart_roi] +x = 17 +y = 125 +w = 1767 +h = 567 + +[colors] + +[colors.turquoise] +rgb = [0, 253, 253] +tolerance = 60.0 + +[colors.yellow] +rgb = [253, 253, 0] +tolerance = 60.0 + +[colors.dark_green] +rgb = [0, 122, 0] +tolerance = 60.0 + +[colors.dark_red] +rgb = [128, 0, 0] +tolerance = 60.0 + +[colors.light_green] +rgb = [0, 255, 0] +tolerance = 60.0 + +[colors.light_red] +rgb = [255, 0, 0] +tolerance = 60.0 + +[colors.gray] +rgb = [128, 128, 128] +tolerance = 60.0 + +[colors.background] +rgb = [0, 0, 0] +tolerance = 25.0 + +[y_axis] +p1_y = 166 +p1_price = 485.2 +p2_y = 664 +p2_price = 483.2 + +[canary] +baseline_phash = "fbe145390c1abec23204017757a326b8e37077288ef79947310a89c70e07ffff" +drift_threshold = 8 + +[canary.roi] +x = 26 +y = 27 +w = 197 +h = 15 + +[chart_window_region] +x = 3 +y = 0 +w = 1918 +h = 1029 + +# Secretele Discord/Telegram se setează în .env la rădăcina proiectului — vezi .env.example. + +[options] +debounce_depth = 1 +loop_interval_s = 5.0 +heartbeat_min = 30 +lockout_s = 240 +low_conf_threshold = 0.2 +low_conf_run = 3 +phaseb_timeout_s = 600 +dead_letter_path = "logs/dead_letter.jsonl" + +[options.alerts] +fire_on_phase_skip = true + +[options.operating_hours] +enabled = true +timezone = "America/New_York" +weekdays = ["MON", "TUE", "WED", "THU", "FRI"] +start_hhmm = "09:30" +stop_hhmm = "16:00" + +[options.attach_screenshots] +late_start = true +catchup = true +arm = true +prime = true +trigger = true diff --git a/configs/current.txt b/configs/current.txt new file mode 100644 index 0000000..3b4a7ba --- /dev/null +++ b/configs/current.txt @@ -0,0 +1 @@ +2026-04-21-recalib.toml diff --git a/configs/example.toml b/configs/example.toml index 1602547..2aeef8a 100644 --- a/configs/example.toml +++ b/configs/example.toml @@ -64,12 +64,8 @@ y = 100 w = 100 h = 50 -[discord] -webhook_url = "https://discord.com/api/webhooks/REPLACE_ME" - -[telegram] -bot_token = "REPLACE_ME" -chat_id = "REPLACE_ME" +# Secretele (Discord webhook + Telegram bot/chat) se setează în `.env` la rădăcina +# proiectului — vezi `.env.example`. TOML-ul rămâne 100% public, doar calibrare. [options] debounce_depth = 1 diff --git a/src/atm/calibrate.py b/src/atm/calibrate.py index e2ff423..6caf1b0 100644 --- a/src/atm/calibrate.py +++ b/src/atm/calibrate.py @@ -1,7 +1,6 @@ """Calibration wizard for chart window — Tk-based, safe to import headlessly.""" from __future__ import annotations -import os import time from datetime import datetime, timezone from pathlib import Path @@ -447,18 +446,9 @@ def run_calibration( data = wizard.run() # ------------------------------------------------------------------ - # 3. Inject notifier creds (env → placeholders otherwise) + # 3. Secrets live in .env at the project root — see .env.example. + # TOML stays 100% public (calibration only). # ------------------------------------------------------------------ - data["discord"] = { - "webhook_url": os.environ.get( - "ATM_DISCORD_URL", - "https://discord.com/api/webhooks/REPLACE_ME", - ), - } - data["telegram"] = { - "bot_token": os.environ.get("ATM_TG_TOKEN", "REPLACE_ME"), - "chat_id": os.environ.get("ATM_TG_CHAT", "0"), - } data.setdefault("options", {}) if chart_region is not None: diff --git a/src/atm/config.py b/src/atm/config.py index 6639304..a5a74e6 100644 --- a/src/atm/config.py +++ b/src/atm/config.py @@ -1,6 +1,8 @@ """Config dataclass with load-time validation. Fail fast.""" from __future__ import annotations +import os +import sys import tomllib from dataclasses import dataclass, field from pathlib import Path @@ -9,6 +11,89 @@ from zoneinfo import ZoneInfo, ZoneInfoNotFoundError _VALID_WEEKDAYS: tuple[str, ...] = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN") +_SECRET_ENV_VARS: tuple[str, ...] = ("ATM_DISCORD_URL", "ATM_TG_TOKEN", "ATM_TG_CHAT") + +_env_log_emitted: bool = False + + +def _find_env_file(start: Path | None = None) -> Path | None: + """Walk up from `start` (default cwd) to find `.env` or a project-root sentinel. + + Stops at `.env` if found, otherwise at the first dir containing `pyproject.toml` + (and returns the `.env` under it iff it exists). Returns None when nothing hits. + """ + cur = (start or Path.cwd()).resolve() + for parent in (cur, *cur.parents): + env = parent / ".env" + if env.is_file(): + return env + if (parent / "pyproject.toml").is_file(): + return None + return None + + +def _load_env_file(path: Path | None) -> tuple[int, int]: + """Parse a simple KEY=value .env file into os.environ. Shell env wins. + + Returns (loaded, overridden_by_shell). No-op if path is None/missing. + Raises ValueError on malformed lines (missing `=`, not a blank/comment). + """ + if path is None or not path.is_file(): + return (0, 0) + loaded = 0 + overridden = 0 + text = path.read_text(encoding="utf-8") + for lineno, raw in enumerate(text.splitlines(), start=1): + line = raw.strip() + if not line or line.startswith("#"): + continue + if "=" not in line: + raise ValueError( + f"{path}:{lineno}: malformed (expected KEY=value)" + ) + key, _, value = line.partition("=") + key = key.strip() + value = value.strip() + if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'): + value = value[1:-1] + if key in os.environ: + overridden += 1 + continue + os.environ[key] = value + loaded += 1 + return (loaded, overridden) + + +def _ensure_env_loaded() -> None: + """Load .env into os.environ if found; shell values always win. + + Called on every Config.load/load_current because monkeypatched tests may + erase env vars between runs. The shell-wins rule keeps this idempotent: + a second call is a no-op for any key already set. The startup log line + is emitted only the first time. + """ + global _env_log_emitted + path = _find_env_file() + if path is None: + return + loaded, overridden = _load_env_file(path) + if not _env_log_emitted and (loaded or overridden): + _env_log_emitted = True + print( + f"[atm.config] .env: loaded {loaded} vars ({overridden} overridden by shell)", + file=sys.stderr, + ) + + +def _require_env(name: str) -> str: + val = os.environ.get(name) + if not val: + raise ValueError( + f"{name} not set — copy .env.example to .env at project root " + f"and fill in the value (or export {name} in your shell)" + ) + return val + DotColor = Literal[ "turquoise", "yellow", "dark_green", "dark_red", @@ -75,6 +160,10 @@ class DiscordCfg: def __post_init__(self) -> None: if not self.webhook_url.startswith("http"): raise ValueError("discord webhook_url required") + if "REPLACE_ME" in self.webhook_url: + raise ValueError( + "discord webhook_url is still the placeholder — edit .env" + ) @dataclass(frozen=True) @@ -88,6 +177,15 @@ class TelegramCfg: def __post_init__(self) -> None: if not self.bot_token or not self.chat_id: raise ValueError("telegram bot_token + chat_id required") + if self.bot_token == "REPLACE_ME" or "REPLACE_ME" in self.bot_token: + raise ValueError( + "telegram bot_token is still the placeholder — edit .env" + ) + cid = self.chat_id.lstrip("-") + if not cid.isdigit(): + raise ValueError( + f"telegram chat_id must be numeric (optionally with leading '-'), got {self.chat_id!r}" + ) @dataclass(frozen=True) @@ -174,6 +272,7 @@ class Config: @classmethod def load(cls, path: str | Path) -> "Config": + _ensure_env_loaded() p = Path(path) data = tomllib.loads(p.read_text(encoding="utf-8")) return cls._from_dict(data, version=p.stem) @@ -181,6 +280,7 @@ class Config: @classmethod def load_current(cls, configs_dir: str | Path) -> "Config": """Resolve configs/current.txt → active config file.""" + _ensure_env_loaded() d = Path(configs_dir) marker = d / "current.txt" if not marker.exists(): @@ -200,12 +300,13 @@ class Config: baseline_phash=data["canary"]["baseline_phash"], drift_threshold=int(data["canary"].get("drift_threshold", 8)), ) - discord = DiscordCfg(webhook_url=data["discord"]["webhook_url"]) - tg = data["telegram"] - _allowed = [str(c) for c in tg.get("allowed_chat_ids", [])] or [str(tg["chat_id"])] + discord = DiscordCfg(webhook_url=_require_env("ATM_DISCORD_URL")) + tg = data.get("telegram", {}) or {} + tg_chat = _require_env("ATM_TG_CHAT") + _allowed = [str(c) for c in tg.get("allowed_chat_ids", [])] or [tg_chat] telegram = TelegramCfg( - bot_token=tg["bot_token"], - chat_id=str(tg["chat_id"]), + bot_token=_require_env("ATM_TG_TOKEN"), + chat_id=tg_chat, allowed_chat_ids=tuple(_allowed), poll_timeout_s=int(tg.get("poll_timeout_s", 30)), auto_poll_interval_s=int(tg.get("auto_poll_interval_s", 180)), diff --git a/tests/test_calibrate.py b/tests/test_calibrate.py index 2861066..09a645f 100644 --- a/tests/test_calibrate.py +++ b/tests/test_calibrate.py @@ -6,6 +6,13 @@ from pathlib import Path import pytest +@pytest.fixture(autouse=True) +def _secrets_env(monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.setenv("ATM_DISCORD_URL", "https://example.com/hook") + monkeypatch.setenv("ATM_TG_TOKEN", "123:abc") + monkeypatch.setenv("ATM_TG_CHAT", "456") + + def _minimal_config_data() -> dict: return { "window_title": "Test Chart", @@ -26,8 +33,6 @@ def _minimal_config_data() -> dict: "baseline_phash": "abc123", "drift_threshold": 8, }, - "discord": {"webhook_url": "http://example.com/hook"}, - "telegram": {"bot_token": "123:abc", "chat_id": "456"}, } @@ -55,6 +60,16 @@ def test_write_config_and_marker(tmp_path: Path) -> None: assert cfg2.window_title == cfg.window_title +def test_write_config_omits_secrets(tmp_path: Path) -> None: + """Calibration output must NOT contain Discord/Telegram secret fields.""" + from atm.calibrate import write_config + + config_path = write_config(_minimal_config_data(), tmp_path) + text = config_path.read_text(encoding="utf-8") + for marker in ("[discord]", "[telegram]", "webhook_url", "bot_token", "chat_id"): + assert marker not in text, f"calibrated TOML leaked secret marker: {marker}" + + def test_import_safe() -> None: """Importing atm.calibrate must succeed in a headless environment (no tkinter at top-level).""" import importlib # noqa: F401 diff --git a/tests/test_config.py b/tests/test_config.py index 6825ced..7e2256f 100644 --- a/tests/test_config.py +++ b/tests/test_config.py @@ -1,6 +1,8 @@ """Tests for atm.config — focused on attach_screenshots parsing (legacy bool vs new dict).""" from __future__ import annotations +import pytest + from atm.config import AlertsCfg, Config @@ -23,11 +25,17 @@ _BASE = { "baseline_phash": "0" * 16, "drift_threshold": 8, }, - "discord": {"webhook_url": "https://example.com/hook"}, - "telegram": {"bot_token": "tok", "chat_id": "123"}, } +@pytest.fixture(autouse=True) +def _secrets_env(monkeypatch: pytest.MonkeyPatch) -> None: + """Provide valid Discord/Telegram env vars for every test in this module.""" + monkeypatch.setenv("ATM_DISCORD_URL", "https://example.com/hook") + monkeypatch.setenv("ATM_TG_TOKEN", "123:tok") + monkeypatch.setenv("ATM_TG_CHAT", "123") + + def _with_opts(opts: dict) -> dict: d = {k: v for k, v in _BASE.items()} d["options"] = opts @@ -153,3 +161,119 @@ def test_operating_hours_invalid_weekday_raises_valueerror() -> None: Config._from_dict(_with_opts({ "operating_hours": {"enabled": True, "weekdays": ["XYZ"]}, })) + + +# --------------------------------------------------------------------------- +# Secrets migration: Discord + Telegram creds live in env vars, not TOML +# --------------------------------------------------------------------------- + +def test_missing_discord_url_raises(monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.delenv("ATM_DISCORD_URL", raising=False) + with pytest.raises(ValueError, match="ATM_DISCORD_URL"): + Config._from_dict(_with_opts({})) + + +def test_missing_tg_token_raises(monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.delenv("ATM_TG_TOKEN", raising=False) + with pytest.raises(ValueError, match="ATM_TG_TOKEN"): + Config._from_dict(_with_opts({})) + + +def test_missing_tg_chat_raises(monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.delenv("ATM_TG_CHAT", raising=False) + with pytest.raises(ValueError, match="ATM_TG_CHAT"): + Config._from_dict(_with_opts({})) + + +def test_placeholder_webhook_rejected(monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.setenv("ATM_DISCORD_URL", "https://discord.com/api/webhooks/REPLACE_ME") + with pytest.raises(ValueError, match="placeholder"): + Config._from_dict(_with_opts({})) + + +def test_placeholder_token_rejected(monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.setenv("ATM_TG_TOKEN", "REPLACE_ME") + with pytest.raises(ValueError, match="placeholder"): + Config._from_dict(_with_opts({})) + + +def test_chat_id_non_numeric_rejected(monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.setenv("ATM_TG_CHAT", "abc123") + with pytest.raises(ValueError, match="chat_id"): + Config._from_dict(_with_opts({})) + + +def test_chat_id_negative_groups_accepted(monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.setenv("ATM_TG_CHAT", "-5108062256") + cfg = Config._from_dict(_with_opts({})) + assert cfg.telegram.chat_id == "-5108062256" + + +def test_telegram_section_optional() -> None: + """TOML without [telegram] still loads; secrets come from env; options use defaults.""" + data = {k: v for k, v in _BASE.items()} + cfg = Config._from_dict(data) + assert cfg.telegram.bot_token == "123:tok" + assert cfg.telegram.chat_id == "123" + assert cfg.telegram.poll_timeout_s == 30 + assert cfg.telegram.auto_poll_interval_s == 180 + assert cfg.telegram.allowed_chat_ids == ("123",) + + +def test_telegram_non_secret_keys_from_toml() -> None: + data = {k: v for k, v in _BASE.items()} + data["telegram"] = { + "poll_timeout_s": 42, + "auto_poll_interval_s": 999, + "allowed_chat_ids": ["123", "456"], + } + cfg = Config._from_dict(data) + assert cfg.telegram.poll_timeout_s == 42 + assert cfg.telegram.auto_poll_interval_s == 999 + assert cfg.telegram.allowed_chat_ids == ("123", "456") + + +def test_regression_post_migration_load( + tmp_path, monkeypatch: pytest.MonkeyPatch +) -> None: + """Loading a real post-migrate TOML (no [discord]/[telegram] secrets) works. + + IRON RULE: prevents re-regression of the secret-in-TOML pattern. + """ + fixture = tmp_path / "post_migration_sample.toml" + fixture.write_text( + 'window_title = "X"\n' + "\n" + "[dot_roi]\nx=0\ny=0\nw=10\nh=10\n" + "[chart_roi]\nx=0\ny=0\nw=100\nh=100\n" + "[colors.turquoise]\nrgb=[0,253,253]\ntolerance=60.0\n" + "[colors.yellow]\nrgb=[253,253,0]\ntolerance=60.0\n" + "[colors.dark_green]\nrgb=[0,122,0]\ntolerance=60.0\n" + "[colors.dark_red]\nrgb=[128,0,0]\ntolerance=60.0\n" + "[colors.light_green]\nrgb=[0,255,0]\ntolerance=60.0\n" + "[colors.light_red]\nrgb=[255,0,0]\ntolerance=60.0\n" + "[colors.gray]\nrgb=[128,128,128]\ntolerance=60.0\n" + "[colors.background]\nrgb=[0,0,0]\ntolerance=25.0\n" + "[y_axis]\np1_y=100\np1_price=485.0\np2_y=200\np2_price=484.0\n" + "[canary]\nbaseline_phash=\"abc\"\ndrift_threshold=8\n" + "[canary.roi]\nx=0\ny=0\nw=10\nh=10\n" + "[telegram]\npoll_timeout_s=30\nauto_poll_interval_s=180\n" + "[options]\ndebounce_depth=1\nloop_interval_s=5.0\n", + encoding="utf-8", + ) + monkeypatch.setenv("ATM_DISCORD_URL", "https://disc.example/x") + monkeypatch.setenv("ATM_TG_TOKEN", "999:tok") + monkeypatch.setenv("ATM_TG_CHAT", "-42") + cfg = Config.load(fixture) + # Secrets sourced from env + assert cfg.discord.webhook_url == "https://disc.example/x" + assert cfg.telegram.bot_token == "999:tok" + assert cfg.telegram.chat_id == "-42" + # Non-secret telegram keys sourced from TOML + assert cfg.telegram.poll_timeout_s == 30 + # Calibration values sourced from TOML + assert cfg.colors["turquoise"].rgb == (0, 253, 253) + # TOML does not contain any of the secret markers + text = fixture.read_text(encoding="utf-8") + for marker in ("webhook_url", "bot_token", "chat_id"): + assert marker not in text, f"TOML still contains secret marker: {marker}" diff --git a/tests/test_env_loader.py b/tests/test_env_loader.py new file mode 100644 index 0000000..1c1d83c --- /dev/null +++ b/tests/test_env_loader.py @@ -0,0 +1,104 @@ +"""Tests for the minimal .env loader (stdlib, no python-dotenv).""" +from __future__ import annotations + +from pathlib import Path + +import pytest + +from atm.config import _find_env_file, _load_env_file + + +def test_no_file_returns_none(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.chdir(tmp_path) + assert _find_env_file() is None + + +def test_finds_env_in_root(tmp_path: Path) -> None: + (tmp_path / "pyproject.toml").write_text("", encoding="utf-8") + (tmp_path / ".env").write_text("X=1\n", encoding="utf-8") + sub = tmp_path / "sub" / "deeper" + sub.mkdir(parents=True) + found = _find_env_file(sub) + assert found == (tmp_path / ".env").resolve() + + +def test_pyproject_sentinel_stops_walk(tmp_path: Path) -> None: + (tmp_path / "pyproject.toml").write_text("", encoding="utf-8") + sub = tmp_path / "sub" + sub.mkdir() + assert _find_env_file(sub) is None + + +def test_parses_simple_kv( + tmp_path: Path, monkeypatch: pytest.MonkeyPatch +) -> None: + for k in ("A", "B", "C"): + monkeypatch.delenv(k, raising=False) + env = tmp_path / ".env" + env.write_text( + "# comment\n" + "\n" + "A=1\n" + "B=hello world\n" + " # indented comment\n" + "C=with=equals=in=value\n", + encoding="utf-8", + ) + loaded, overridden = _load_env_file(env) + assert loaded == 3 + assert overridden == 0 + import os + assert os.environ["A"] == "1" + assert os.environ["B"] == "hello world" + assert os.environ["C"] == "with=equals=in=value" + + +def test_parses_quoted_values( + tmp_path: Path, monkeypatch: pytest.MonkeyPatch +) -> None: + for k in ("SQ", "DQ"): + monkeypatch.delenv(k, raising=False) + env = tmp_path / ".env" + env.write_text("SQ='abc'\nDQ=\"def\"\n", encoding="utf-8") + _load_env_file(env) + import os + assert os.environ["SQ"] == "abc" + assert os.environ["DQ"] == "def" + + +def test_handles_crlf_and_whitespace( + tmp_path: Path, monkeypatch: pytest.MonkeyPatch +) -> None: + for k in ("K1", "K2"): + monkeypatch.delenv(k, raising=False) + env = tmp_path / ".env" + env.write_bytes(b"K1=v1\r\n K2 = v2 \r\n") + _load_env_file(env) + import os + assert os.environ["K1"] == "v1" + assert os.environ["K2"] == "v2" + + +def test_shell_env_wins(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None: + monkeypatch.setenv("SHELLWINS", "from_shell") + env = tmp_path / ".env" + env.write_text("SHELLWINS=from_file\nOTHER=x\n", encoding="utf-8") + monkeypatch.delenv("OTHER", raising=False) + loaded, overridden = _load_env_file(env) + import os + assert os.environ["SHELLWINS"] == "from_shell" + assert os.environ["OTHER"] == "x" + assert loaded == 1 + assert overridden == 1 + + +def test_malformed_line_raises_with_lineno(tmp_path: Path) -> None: + env = tmp_path / ".env" + env.write_text("A=1\nOOPSNOEQUALS\n", encoding="utf-8") + with pytest.raises(ValueError, match=":2:"): + _load_env_file(env) + + +def test_missing_path_is_noop() -> None: + assert _load_env_file(None) == (0, 0) + assert _load_env_file(Path("/nonexistent/does-not-exist-xyz")) == (0, 0)