romfast/atm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: mută secretele Discord/Telegram din TOML în .env

Browse Source 
TOML-urile din configs/ rămân 100% calibrare — safe to commit. Secretele
(ATM_DISCORD_URL, ATM_TG_TOKEN, ATM_TG_CHAT) trăiesc în .env la rădăcină
(ignored), cu loader stdlib (shell wins peste file). Validare fail-fast
pentru env lipsă, placeholder REPLACE_ME, chat_id non-numeric.

Include .env.example + secţiune README §Secrets. Tests: 19 noi (env loader +
missing-env + placeholder + chat_id + regression post-migrate snapshot).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Marius Mutu
2026-04-21 09:37:24 +03:00
parent 9e8cbafbd4
commit 9c44eb6e31
14 changed files with 610 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
.env.example Normal file
View File

@@ -0,0 +1,9 @@
# Copiază acest fișier în .env (la rădăcina proiectului) și pune valorile reale.
# .env e în .gitignore — secretele NU ajung pe git.
#
# Variabilele de shell au prioritate peste .env. Dacă ai făcut `export ATM_TG_TOKEN=...`
# cândva în .bashrc / profil, aceasta suprascrie .env — verifică cu `printenv | grep ATM_`.
ATM_DISCORD_URL=https://discord.com/api/webhooks/REPLACE_ME
ATM_TG_TOKEN=REPLACE_ME
ATM_TG_CHAT=REPLACE_ME

5
.gitignore vendored
View File

@@ -54,10 +54,7 @@ samples/*.jpg
samples/labels.json samples/labels.json
trades.jsonl trades.jsonl
# configs: keep template only; ignore generated calibration and runtime state # configs: now committable (secrets live in .env — see .env.example)
configs/*.toml
!configs/example.toml
configs/current.txt
# Claude scheduler state # Claude scheduler state
.claude/ .claude/

3
CLAUDE.md
View File

@@ -7,13 +7,14 @@ Personal Faza-1 tool for the M2D strategy. Python 3.11+.
```bash ```bash
pip install -e ".[windows]" # Windows: live capture pip install -e ".[windows]" # Windows: live capture
pip install -e ".[dev]" # Linux/macOS: dev + tests (WSL: create venv first) pip install -e ".[dev]" # Linux/macOS: dev + tests (WSL: create venv first)
cp .env.example .env # secretele Discord/Telegram (vezi README §Secrets)
atm calibrate # Tk wizard atm calibrate # Tk wizard
atm debug --delay 5 # one-shot capture + detect atm debug --delay 5 # one-shot capture + detect
atm validate-calibration calibration/calibration_labels.json # offline color gate atm validate-calibration calibration/calibration_labels.json # offline color gate
atm run --start-at 16:30 --stop-at 23:00 # live session atm run --start-at 16:30 --stop-at 23:00 # live session
atm run --tz America/New_York --oh-start 09:30 --oh-stop 16:00 # NYSE window override atm run --tz America/New_York --oh-start 09:30 --oh-stop 16:00 # NYSE window override
atm dryrun samples # corpus gate atm dryrun samples # corpus gate
pytest -q # 192 tests (184 core + 8 scenarii regresie) pytest -q # 210+ tests (core + 8 scenarii regresie + env loader)
pytest tests/test_scenarios_regression.py -v # FSM pe imagini reale pytest tests/test_scenarios_regression.py -v # FSM pe imagini reale
``` ```

36
README.md
View File

@@ -79,6 +79,40 @@ pip install -e ".[dev]"
--- ---
## Secrets
Credențialele Discord/Telegram NU se țin în TOML — trăiesc în `.env` la rădăcina proiectului:
```bash
cp .env.example .env
# apoi editezi .env cu valorile reale
```
Variabile necesare:
| Variabilă | Ce e |
|---|---|
| `ATM_DISCORD_URL` | Webhook URL-ul Discord (canalul unde vin alertele) |
| `ATM_TG_TOKEN` | Token-ul bot-ului Telegram (de la `@BotFather`) |
| `ATM_TG_CHAT` | Chat ID (group-ul sau user-ul; prefix `-` pentru group) |
`.env` e în `.gitignore` — secretele nu ajung pe git. `configs/*.toml` **pot** fi comise pe git (calibrare pură, safe to version).
La pornire, dacă `.env` e găsit, loader-ul printează pe stderr:
```
[atm.config] .env: loaded 3 vars (0 overridden by shell)
```
**⚠️ Shell env wins peste `.env`.** Dacă ai făcut `export ATM_TG_TOKEN=...` cândva în `.bashrc` / profil, aceasta override-uiește `.env` — verifică cu `printenv | grep ATM_`. Mesajul `(N overridden by shell)` te avertizează când se întâmplă.
Config-ul se refuză să pornească dacă:
- lipsește oricare din cele 3 variabile (mesaj cu numele variabilei + hint către `.env.example`);
- `ATM_DISCORD_URL` sau `ATM_TG_TOKEN` conține `REPLACE_ME` (ai copiat `.env.example` dar n-ai editat);
- `ATM_TG_CHAT` nu-i numeric (opțional cu `-` la început pentru group).
---
## Dev ## Dev
```bash ```bash
@@ -126,7 +160,7 @@ Flow:
- Chart: colț stânga-sus + colț dreapta-jos (pentru detecția de linii în Faza-B) - Chart: colț stânga-sus + colț dreapta-jos (pentru detecția de linii în Faza-B)
- Două prețuri cunoscute pe axa Y (pixel y → introduci prețul) - Două prețuri cunoscute pe axa Y (pixel y → introduci prețul)
- Canary: colț stânga-sus + colț dreapta-jos pe un element UI **stabil** (etichetă axă, bară titlu) - Canary: colț stânga-sus + colț dreapta-jos pe un element UI **stabil** (etichetă axă, bară titlu)
6. **Save** → scrie `configs/YYYY-MM-DD-HHMM.toml` + marcaj `configs/current.txt`. Preia credențialele Discord/Telegram din env (`ATM_DISCORD_URL`, `ATM_TG_TOKEN`, `ATM_TG_CHAT`) dacă sunt setate; altfel pune `REPLACE_ME` — editezi TOML-ul manual. 6. **Save** → scrie `configs/YYYY-MM-DD-HHMM.toml` + marcaj `configs/current.txt`. TOML-ul conține doar calibrare — secretele Discord/Telegram se țin în `.env` la rădăcina proiectului (vezi secțiunea **Secrets** de mai jos).
### ⚠️ Reguli critice la calibrare (evită incidentul 2026-04-17) ### ⚠️ Reguli critice la calibrare (evită incidentul 2026-04-17)

7
TODOS.md
View File

@@ -69,3 +69,10 @@ Price overlay (from Telegram commands feature) uses `y_axis` linear interpolatio
- [ ] **Typing strictness**: run `pyright src/` with strict mode, fix reported issues. - [ ] **Typing strictness**: run `pyright src/` with strict mode, fix reported issues.
- [ ] **Perf baseline**: profile one detection cycle on a representative frame; ensure < 100ms so 5s loop has ample headroom. - [ ] **Perf baseline**: profile one detection cycle on a representative frame; ensure < 100ms so 5s loop has ample headroom.
- [ ] **Exchange calendar holidays**: operating_hours doesn't know about NYSE closures (MLK, Thanksgiving, Good Friday). User `/pause`s manually for now. - [ ] **Exchange calendar holidays**: operating_hours doesn't know about NYSE closures (MLK, Thanksgiving, Good Friday). User `/pause`s manually for now.
## P3-secret-scan-hook
Pre-commit hook (`gitleaks` sau `detect-secrets`) care scanează diff-urile pentru pattern-uri de secrete înainte de commit. Centură de siguranţă acum `configs/*.toml` se comit risc crescut de leak prin copy-paste viitor (ex: cineva pune un token de test direct în TOML pentru un quick hack şi uită).
- Start după ce avem 2+ contributors sau după primul incident "aproape am comis un secret".
- Tool de ales: `gitleaks` (binary, fără Python dep) > `detect-secrets` (Python, config mai complex).

100
configs/2026-04-18-1220.toml Normal file
View File

@@ -0,0 +1,100 @@
window_title = "m2d"
[dot_roi]
x = 0
y = 712
w = 1796
h = 35
[chart_roi]
x = 17
y = 125
w = 1767
h = 567
[colors]
[colors.turquoise]
rgb = [0, 153, 153]
tolerance = 60.0
[colors.yellow]
rgb = [153, 153, 0]
tolerance = 60.0
[colors.dark_green]
rgb = [0, 122, 0]
tolerance = 60.0
[colors.dark_red]
rgb = [128, 0, 0]
tolerance = 60.0
[colors.light_green]
rgb = [0, 171, 0]
tolerance = 60.0
[colors.light_red]
rgb = [171, 0, 0]
tolerance = 60.0
[colors.gray]
rgb = [128, 128, 128]
tolerance = 60.0
[colors.background]
rgb = [0, 0, 0]
tolerance = 25.0
[y_axis]
p1_y = 166
p1_price = 485.2
p2_y = 664
p2_price = 483.2
[canary]
baseline_phash = "fbe145390c1abec23204017757a326b8e37077288ef79947310a89c70e07ffff"
drift_threshold = 8
[canary.roi]
x = 26
y = 27
w = 197
h = 15
[chart_window_region]
x = 3
y = 0
w = 1918
h = 1029
# Secretele Discord/Telegram se setează în .env la rădăcina proiectului — vezi .env.example.
[options]
debounce_depth = 1
loop_interval_s = 5.0
heartbeat_min = 30
lockout_s = 240
low_conf_threshold = 0.2
low_conf_run = 3
phaseb_timeout_s = 600
dead_letter_path = "logs/dead_letter.jsonl"
[options.alerts]
fire_on_phase_skip = true
[options.operating_hours]
enabled = true
timezone = "America/New_York"
weekdays = ["MON", "TUE", "WED", "THU", "FRI"]
start_hhmm = "09:30"
stop_hhmm = "16:00"
# Per-kind screenshot-attach toggles. All default to true on upgrade.
# Accepts either a bare bool (legacy: attach_screenshots = true) or this table.
[options.attach_screenshots]
late_start = true # screenshot on startup-late alerts
catchup = true # screenshot on mid-session catchup arm + prime
arm = true # screenshot on normal arm (turquoise/yellow) — noisiest
prime = true # screenshot on normal prime (dark_green/dark_red)
trigger = true # screenshot on FIRE

98
configs/2026-04-21-recalib.toml Normal file
View File

@@ -0,0 +1,98 @@
window_title = "m2d"
[dot_roi]
x = 0
y = 712
w = 1796
h = 35
[chart_roi]
x = 17
y = 125
w = 1767
h = 567
[colors]
[colors.turquoise]
rgb = [0, 253, 253]
tolerance = 60.0
[colors.yellow]
rgb = [253, 253, 0]
tolerance = 60.0
[colors.dark_green]
rgb = [0, 122, 0]
tolerance = 60.0
[colors.dark_red]
rgb = [128, 0, 0]
tolerance = 60.0
[colors.light_green]
rgb = [0, 255, 0]
tolerance = 60.0
[colors.light_red]
rgb = [255, 0, 0]
tolerance = 60.0
[colors.gray]
rgb = [128, 128, 128]
tolerance = 60.0
[colors.background]
rgb = [0, 0, 0]
tolerance = 25.0
[y_axis]
p1_y = 166
p1_price = 485.2
p2_y = 664
p2_price = 483.2
[canary]
baseline_phash = "fbe145390c1abec23204017757a326b8e37077288ef79947310a89c70e07ffff"
drift_threshold = 8
[canary.roi]
x = 26
y = 27
w = 197
h = 15
[chart_window_region]
x = 3
y = 0
w = 1918
h = 1029
# Secretele Discord/Telegram se setează în .env la rădăcina proiectului — vezi .env.example.
[options]
debounce_depth = 1
loop_interval_s = 5.0
heartbeat_min = 30
lockout_s = 240
low_conf_threshold = 0.2
low_conf_run = 3
phaseb_timeout_s = 600
dead_letter_path = "logs/dead_letter.jsonl"
[options.alerts]
fire_on_phase_skip = true
[options.operating_hours]
enabled = true
timezone = "America/New_York"
weekdays = ["MON", "TUE", "WED", "THU", "FRI"]
start_hhmm = "09:30"
stop_hhmm = "16:00"
[options.attach_screenshots]
late_start = true
catchup = true
arm = true
prime = true
trigger = true

1
configs/current.txt Normal file
View File

@@ -0,0 +1 @@
2026-04-21-recalib.toml

8
configs/example.toml
View File

@@ -64,12 +64,8 @@ y = 100
w = 100 w = 100
h = 50 h = 50
[discord] # Secretele (Discord webhook + Telegram bot/chat) se setează în `.env` la rădăcina
webhook_url = "https://discord.com/api/webhooks/REPLACE_ME" # proiectului — vezi `.env.example`. TOML-ul rămâne 100% public, doar calibrare.
[telegram]
bot_token = "REPLACE_ME"
chat_id = "REPLACE_ME"
[options] [options]
debounce_depth = 1 debounce_depth = 1

14
src/atm/calibrate.py
View File

@@ -1,7 +1,6 @@
"""Calibration wizard for chart window — Tk-based, safe to import headlessly.""" """Calibration wizard for chart window — Tk-based, safe to import headlessly."""
from __future__ import annotations from __future__ import annotations
import os
import time import time
from datetime import datetime, timezone from datetime import datetime, timezone
from pathlib import Path from pathlib import Path
@@ -447,18 +446,9 @@ def run_calibration(
data = wizard.run() data = wizard.run()
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# 3. Inject notifier creds (env → placeholders otherwise) # 3. Secrets live in .env at the project root — see .env.example.
# TOML stays 100% public (calibration only).
# ------------------------------------------------------------------ # ------------------------------------------------------------------
data["discord"] = {
"webhook_url": os.environ.get(
"ATM_DISCORD_URL",
"https://discord.com/api/webhooks/REPLACE_ME",
),
}
data["telegram"] = {
"bot_token": os.environ.get("ATM_TG_TOKEN", "REPLACE_ME"),
"chat_id": os.environ.get("ATM_TG_CHAT", "0"),
}
data.setdefault("options", {}) data.setdefault("options", {})
if chart_region is not None: if chart_region is not None:

111
src/atm/config.py
View File

@@ -1,6 +1,8 @@
"""Config dataclass with load-time validation. Fail fast.""" """Config dataclass with load-time validation. Fail fast."""
from __future__ import annotations from __future__ import annotations
import os
import sys
import tomllib import tomllib
from dataclasses import dataclass, field from dataclasses import dataclass, field
from pathlib import Path from pathlib import Path
@@ -9,6 +11,89 @@ from zoneinfo import ZoneInfo, ZoneInfoNotFoundError
_VALID_WEEKDAYS: tuple[str, ...] = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN") _VALID_WEEKDAYS: tuple[str, ...] = ("MON", "TUE", "WED", "THU", "FRI", "SAT", "SUN")
_SECRET_ENV_VARS: tuple[str, ...] = ("ATM_DISCORD_URL", "ATM_TG_TOKEN", "ATM_TG_CHAT")
_env_log_emitted: bool = False
def _find_env_file(start: Path | None = None) -> Path | None:
"""Walk up from `start` (default cwd) to find `.env` or a project-root sentinel.
Stops at `.env` if found, otherwise at the first dir containing `pyproject.toml`
(and returns the `.env` under it iff it exists). Returns None when nothing hits.
"""
cur = (start or Path.cwd()).resolve()
for parent in (cur, *cur.parents):
env = parent / ".env"
if env.is_file():
return env
if (parent / "pyproject.toml").is_file():
return None
return None
def _load_env_file(path: Path | None) -> tuple[int, int]:
"""Parse a simple KEY=value .env file into os.environ. Shell env wins.
Returns (loaded, overridden_by_shell). No-op if path is None/missing.
Raises ValueError on malformed lines (missing `=`, not a blank/comment).
"""
if path is None or not path.is_file():
return (0, 0)
loaded = 0
overridden = 0
text = path.read_text(encoding="utf-8")
for lineno, raw in enumerate(text.splitlines(), start=1):
line = raw.strip()
if not line or line.startswith("#"):
continue
if "=" not in line:
raise ValueError(
f"{path}:{lineno}: malformed (expected KEY=value)"
)
key, _, value = line.partition("=")
key = key.strip()
value = value.strip()
if len(value) >= 2 and value[0] == value[-1] and value[0] in ("'", '"'):
value = value[1:-1]
if key in os.environ:
overridden += 1
continue
os.environ[key] = value
loaded += 1
return (loaded, overridden)
def _ensure_env_loaded() -> None:
"""Load .env into os.environ if found; shell values always win.
Called on every Config.load/load_current because monkeypatched tests may
erase env vars between runs. The shell-wins rule keeps this idempotent:
a second call is a no-op for any key already set. The startup log line
is emitted only the first time.
"""
global _env_log_emitted
path = _find_env_file()
if path is None:
return
loaded, overridden = _load_env_file(path)
if not _env_log_emitted and (loaded or overridden):
_env_log_emitted = True
print(
f"[atm.config] .env: loaded {loaded} vars ({overridden} overridden by shell)",
file=sys.stderr,
)
def _require_env(name: str) -> str:
val = os.environ.get(name)
if not val:
raise ValueError(
f"{name} not set — copy .env.example to .env at project root "
f"and fill in the value (or export {name} in your shell)"
)
return val
DotColor = Literal[ DotColor = Literal[
"turquoise", "yellow", "turquoise", "yellow",
"dark_green", "dark_red", "dark_green", "dark_red",
@@ -75,6 +160,10 @@ class DiscordCfg:
def __post_init__(self) -> None: def __post_init__(self) -> None:
if not self.webhook_url.startswith("http"): if not self.webhook_url.startswith("http"):
raise ValueError("discord webhook_url required") raise ValueError("discord webhook_url required")
if "REPLACE_ME" in self.webhook_url:
raise ValueError(
"discord webhook_url is still the placeholder — edit .env"
)
@dataclass(frozen=True) @dataclass(frozen=True)
@@ -88,6 +177,15 @@ class TelegramCfg:
def __post_init__(self) -> None: def __post_init__(self) -> None:
if not self.bot_token or not self.chat_id: if not self.bot_token or not self.chat_id:
raise ValueError("telegram bot_token + chat_id required") raise ValueError("telegram bot_token + chat_id required")
if self.bot_token == "REPLACE_ME" or "REPLACE_ME" in self.bot_token:
raise ValueError(
"telegram bot_token is still the placeholder — edit .env"
)
cid = self.chat_id.lstrip("-")
if not cid.isdigit():
raise ValueError(
f"telegram chat_id must be numeric (optionally with leading '-'), got {self.chat_id!r}"
)
@dataclass(frozen=True) @dataclass(frozen=True)
@@ -174,6 +272,7 @@ class Config:
@classmethod @classmethod
def load(cls, path: str | Path) -> "Config": def load(cls, path: str | Path) -> "Config":
_ensure_env_loaded()
p = Path(path) p = Path(path)
data = tomllib.loads(p.read_text(encoding="utf-8")) data = tomllib.loads(p.read_text(encoding="utf-8"))
return cls._from_dict(data, version=p.stem) return cls._from_dict(data, version=p.stem)
@@ -181,6 +280,7 @@ class Config:
@classmethod @classmethod
def load_current(cls, configs_dir: str | Path) -> "Config": def load_current(cls, configs_dir: str | Path) -> "Config":
"""Resolve configs/current.txt → active config file.""" """Resolve configs/current.txt → active config file."""
_ensure_env_loaded()
d = Path(configs_dir) d = Path(configs_dir)
marker = d / "current.txt" marker = d / "current.txt"
if not marker.exists(): if not marker.exists():
@@ -200,12 +300,13 @@ class Config:
baseline_phash=data["canary"]["baseline_phash"], baseline_phash=data["canary"]["baseline_phash"],
drift_threshold=int(data["canary"].get("drift_threshold", 8)), drift_threshold=int(data["canary"].get("drift_threshold", 8)),
) )
discord = DiscordCfg(webhook_url=data["discord"]["webhook_url"]) discord = DiscordCfg(webhook_url=_require_env("ATM_DISCORD_URL"))
tg = data["telegram"] tg = data.get("telegram", {}) or {}
_allowed = [str(c) for c in tg.get("allowed_chat_ids", [])] or [str(tg["chat_id"])] tg_chat = _require_env("ATM_TG_CHAT")
_allowed = [str(c) for c in tg.get("allowed_chat_ids", [])] or [tg_chat]
telegram = TelegramCfg( telegram = TelegramCfg(
bot_token=tg["bot_token"], bot_token=_require_env("ATM_TG_TOKEN"),
chat_id=str(tg["chat_id"]), chat_id=tg_chat,
allowed_chat_ids=tuple(_allowed), allowed_chat_ids=tuple(_allowed),
poll_timeout_s=int(tg.get("poll_timeout_s", 30)), poll_timeout_s=int(tg.get("poll_timeout_s", 30)),
auto_poll_interval_s=int(tg.get("auto_poll_interval_s", 180)), auto_poll_interval_s=int(tg.get("auto_poll_interval_s", 180)),

19
tests/test_calibrate.py
View File

@@ -6,6 +6,13 @@ from pathlib import Path
import pytest import pytest
@pytest.fixture(autouse=True)
def _secrets_env(monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.setenv("ATM_DISCORD_URL", "https://example.com/hook")
monkeypatch.setenv("ATM_TG_TOKEN", "123:abc")
monkeypatch.setenv("ATM_TG_CHAT", "456")
def _minimal_config_data() -> dict: def _minimal_config_data() -> dict:
return { return {
"window_title": "Test Chart", "window_title": "Test Chart",
@@ -26,8 +33,6 @@ def _minimal_config_data() -> dict:
"baseline_phash": "abc123", "baseline_phash": "abc123",
"drift_threshold": 8, "drift_threshold": 8,
}, },
"discord": {"webhook_url": "http://example.com/hook"},
"telegram": {"bot_token": "123:abc", "chat_id": "456"},
} }
@@ -55,6 +60,16 @@ def test_write_config_and_marker(tmp_path: Path) -> None:
assert cfg2.window_title == cfg.window_title assert cfg2.window_title == cfg.window_title
def test_write_config_omits_secrets(tmp_path: Path) -> None:
"""Calibration output must NOT contain Discord/Telegram secret fields."""
from atm.calibrate import write_config
config_path = write_config(_minimal_config_data(), tmp_path)
text = config_path.read_text(encoding="utf-8")
for marker in ("[discord]", "[telegram]", "webhook_url", "bot_token", "chat_id"):
assert marker not in text, f"calibrated TOML leaked secret marker: {marker}"
def test_import_safe() -> None: def test_import_safe() -> None:
"""Importing atm.calibrate must succeed in a headless environment (no tkinter at top-level).""" """Importing atm.calibrate must succeed in a headless environment (no tkinter at top-level)."""
import importlib # noqa: F401 import importlib # noqa: F401

128
tests/test_config.py
View File

@@ -1,6 +1,8 @@
"""Tests for atm.config — focused on attach_screenshots parsing (legacy bool vs new dict).""" """Tests for atm.config — focused on attach_screenshots parsing (legacy bool vs new dict)."""
from __future__ import annotations from __future__ import annotations
import pytest
from atm.config import AlertsCfg, Config from atm.config import AlertsCfg, Config
@@ -23,11 +25,17 @@ _BASE = {
"baseline_phash": "0" * 16, "baseline_phash": "0" * 16,
"drift_threshold": 8, "drift_threshold": 8,
}, },
"discord": {"webhook_url": "https://example.com/hook"},
"telegram": {"bot_token": "tok", "chat_id": "123"},
} }
@pytest.fixture(autouse=True)
def _secrets_env(monkeypatch: pytest.MonkeyPatch) -> None:
"""Provide valid Discord/Telegram env vars for every test in this module."""
monkeypatch.setenv("ATM_DISCORD_URL", "https://example.com/hook")
monkeypatch.setenv("ATM_TG_TOKEN", "123:tok")
monkeypatch.setenv("ATM_TG_CHAT", "123")
def _with_opts(opts: dict) -> dict: def _with_opts(opts: dict) -> dict:
d = {k: v for k, v in _BASE.items()} d = {k: v for k, v in _BASE.items()}
d["options"] = opts d["options"] = opts
@@ -153,3 +161,119 @@ def test_operating_hours_invalid_weekday_raises_valueerror() -> None:
Config._from_dict(_with_opts({ Config._from_dict(_with_opts({
"operating_hours": {"enabled": True, "weekdays": ["XYZ"]}, "operating_hours": {"enabled": True, "weekdays": ["XYZ"]},
})) }))
# ---------------------------------------------------------------------------
# Secrets migration: Discord + Telegram creds live in env vars, not TOML
# ---------------------------------------------------------------------------
def test_missing_discord_url_raises(monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.delenv("ATM_DISCORD_URL", raising=False)
with pytest.raises(ValueError, match="ATM_DISCORD_URL"):
Config._from_dict(_with_opts({}))
def test_missing_tg_token_raises(monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.delenv("ATM_TG_TOKEN", raising=False)
with pytest.raises(ValueError, match="ATM_TG_TOKEN"):
Config._from_dict(_with_opts({}))
def test_missing_tg_chat_raises(monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.delenv("ATM_TG_CHAT", raising=False)
with pytest.raises(ValueError, match="ATM_TG_CHAT"):
Config._from_dict(_with_opts({}))
def test_placeholder_webhook_rejected(monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.setenv("ATM_DISCORD_URL", "https://discord.com/api/webhooks/REPLACE_ME")
with pytest.raises(ValueError, match="placeholder"):
Config._from_dict(_with_opts({}))
def test_placeholder_token_rejected(monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.setenv("ATM_TG_TOKEN", "REPLACE_ME")
with pytest.raises(ValueError, match="placeholder"):
Config._from_dict(_with_opts({}))
def test_chat_id_non_numeric_rejected(monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.setenv("ATM_TG_CHAT", "abc123")
with pytest.raises(ValueError, match="chat_id"):
Config._from_dict(_with_opts({}))
def test_chat_id_negative_groups_accepted(monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.setenv("ATM_TG_CHAT", "-5108062256")
cfg = Config._from_dict(_with_opts({}))
assert cfg.telegram.chat_id == "-5108062256"
def test_telegram_section_optional() -> None:
"""TOML without [telegram] still loads; secrets come from env; options use defaults."""
data = {k: v for k, v in _BASE.items()}
cfg = Config._from_dict(data)
assert cfg.telegram.bot_token == "123:tok"
assert cfg.telegram.chat_id == "123"
assert cfg.telegram.poll_timeout_s == 30
assert cfg.telegram.auto_poll_interval_s == 180
assert cfg.telegram.allowed_chat_ids == ("123",)
def test_telegram_non_secret_keys_from_toml() -> None:
data = {k: v for k, v in _BASE.items()}
data["telegram"] = {
"poll_timeout_s": 42,
"auto_poll_interval_s": 999,
"allowed_chat_ids": ["123", "456"],
}
cfg = Config._from_dict(data)
assert cfg.telegram.poll_timeout_s == 42
assert cfg.telegram.auto_poll_interval_s == 999
assert cfg.telegram.allowed_chat_ids == ("123", "456")
def test_regression_post_migration_load(
tmp_path, monkeypatch: pytest.MonkeyPatch
) -> None:
"""Loading a real post-migrate TOML (no [discord]/[telegram] secrets) works.
IRON RULE: prevents re-regression of the secret-in-TOML pattern.
"""
fixture = tmp_path / "post_migration_sample.toml"
fixture.write_text(
'window_title = "X"\n'
"\n"
"[dot_roi]\nx=0\ny=0\nw=10\nh=10\n"
"[chart_roi]\nx=0\ny=0\nw=100\nh=100\n"
"[colors.turquoise]\nrgb=[0,253,253]\ntolerance=60.0\n"
"[colors.yellow]\nrgb=[253,253,0]\ntolerance=60.0\n"
"[colors.dark_green]\nrgb=[0,122,0]\ntolerance=60.0\n"
"[colors.dark_red]\nrgb=[128,0,0]\ntolerance=60.0\n"
"[colors.light_green]\nrgb=[0,255,0]\ntolerance=60.0\n"
"[colors.light_red]\nrgb=[255,0,0]\ntolerance=60.0\n"
"[colors.gray]\nrgb=[128,128,128]\ntolerance=60.0\n"
"[colors.background]\nrgb=[0,0,0]\ntolerance=25.0\n"
"[y_axis]\np1_y=100\np1_price=485.0\np2_y=200\np2_price=484.0\n"
"[canary]\nbaseline_phash=\"abc\"\ndrift_threshold=8\n"
"[canary.roi]\nx=0\ny=0\nw=10\nh=10\n"
"[telegram]\npoll_timeout_s=30\nauto_poll_interval_s=180\n"
"[options]\ndebounce_depth=1\nloop_interval_s=5.0\n",
encoding="utf-8",
)
monkeypatch.setenv("ATM_DISCORD_URL", "https://disc.example/x")
monkeypatch.setenv("ATM_TG_TOKEN", "999:tok")
monkeypatch.setenv("ATM_TG_CHAT", "-42")
cfg = Config.load(fixture)
# Secrets sourced from env
assert cfg.discord.webhook_url == "https://disc.example/x"
assert cfg.telegram.bot_token == "999:tok"
assert cfg.telegram.chat_id == "-42"
# Non-secret telegram keys sourced from TOML
assert cfg.telegram.poll_timeout_s == 30
# Calibration values sourced from TOML
assert cfg.colors["turquoise"].rgb == (0, 253, 253)
# TOML does not contain any of the secret markers
text = fixture.read_text(encoding="utf-8")
for marker in ("webhook_url", "bot_token", "chat_id"):
assert marker not in text, f"TOML still contains secret marker: {marker}"

104
tests/test_env_loader.py Normal file
View File

@@ -0,0 +1,104 @@
"""Tests for the minimal .env loader (stdlib, no python-dotenv)."""
from __future__ import annotations
from pathlib import Path
import pytest
from atm.config import _find_env_file, _load_env_file
def test_no_file_returns_none(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.chdir(tmp_path)
assert _find_env_file() is None
def test_finds_env_in_root(tmp_path: Path) -> None:
(tmp_path / "pyproject.toml").write_text("", encoding="utf-8")
(tmp_path / ".env").write_text("X=1\n", encoding="utf-8")
sub = tmp_path / "sub" / "deeper"
sub.mkdir(parents=True)
found = _find_env_file(sub)
assert found == (tmp_path / ".env").resolve()
def test_pyproject_sentinel_stops_walk(tmp_path: Path) -> None:
(tmp_path / "pyproject.toml").write_text("", encoding="utf-8")
sub = tmp_path / "sub"
sub.mkdir()
assert _find_env_file(sub) is None
def test_parses_simple_kv(
tmp_path: Path, monkeypatch: pytest.MonkeyPatch
) -> None:
for k in ("A", "B", "C"):
monkeypatch.delenv(k, raising=False)
env = tmp_path / ".env"
env.write_text(
"# comment\n"
"\n"
"A=1\n"
"B=hello world\n"
" # indented comment\n"
"C=with=equals=in=value\n",
encoding="utf-8",
)
loaded, overridden = _load_env_file(env)
assert loaded == 3
assert overridden == 0
import os
assert os.environ["A"] == "1"
assert os.environ["B"] == "hello world"
assert os.environ["C"] == "with=equals=in=value"
def test_parses_quoted_values(
tmp_path: Path, monkeypatch: pytest.MonkeyPatch
) -> None:
for k in ("SQ", "DQ"):
monkeypatch.delenv(k, raising=False)
env = tmp_path / ".env"
env.write_text("SQ='abc'\nDQ=\"def\"\n", encoding="utf-8")
_load_env_file(env)
import os
assert os.environ["SQ"] == "abc"
assert os.environ["DQ"] == "def"
def test_handles_crlf_and_whitespace(
tmp_path: Path, monkeypatch: pytest.MonkeyPatch
) -> None:
for k in ("K1", "K2"):
monkeypatch.delenv(k, raising=False)
env = tmp_path / ".env"
env.write_bytes(b"K1=v1\r\n K2 = v2 \r\n")
_load_env_file(env)
import os
assert os.environ["K1"] == "v1"
assert os.environ["K2"] == "v2"
def test_shell_env_wins(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
monkeypatch.setenv("SHELLWINS", "from_shell")
env = tmp_path / ".env"
env.write_text("SHELLWINS=from_file\nOTHER=x\n", encoding="utf-8")
monkeypatch.delenv("OTHER", raising=False)
loaded, overridden = _load_env_file(env)
import os
assert os.environ["SHELLWINS"] == "from_shell"
assert os.environ["OTHER"] == "x"
assert loaded == 1
assert overridden == 1
def test_malformed_line_raises_with_lineno(tmp_path: Path) -> None:
env = tmp_path / ".env"
env.write_text("A=1\nOOPSNOEQUALS\n", encoding="utf-8")
with pytest.raises(ValueError, match=":2:"):
_load_env_file(env)
def test_missing_path_is_noop() -> None:
assert _load_env_file(None) == (0, 0)
assert _load_env_file(Path("/nonexistent/does-not-exist-xyz")) == (0, 0)