deeptrade-quant 0.7.0__tar.gz → 0.8.1__tar.gz

{deeptrade_quant-0.7.0 → deeptrade_quant-0.8.1}/CHANGELOG.md

@@ -2,6 +2,62 @@
 
 All notable changes to DeepTrade. Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and SemVer.
 
+## [v0.8.1] — 2026-05-16 — Moonshot reasoning 模型 temperature 兼容性
+
+`limit-up-board` 等插件接入 Kimi K2.6（``base_url = https://api.moonshot.cn/v1``）后，**所有** LLM 调用 100% 命中 ``HTTP 400 invalid temperature: only 1 is allowed for this model``。根因：Kimi K2 系列的 thinking / reasoning 变体（与 OpenAI o1/o3、Anthropic Sonnet thinking 同侧设计）在服务端硬约束 ``temperature``——仅接受模型专属的固定值，而插件 ``StageProfile`` 出于复现性给的是 ``0.0 ~ 0.2``。
+
+修复职责完全在框架：插件不应感知具体 provider/model 的服务端约束，框架的契约是「插件给一个温度意图，框架在真正发出请求前 sanitize 到目标 provider/model 能接受的取值」。
+
+### Changed
+
+- ``deeptrade/core/llm_client.py::OpenAICompatTransport``：新增 ``_adjust_temperature(model, temperature) -> float`` 钩子，默认 identity；``chat()`` 在写 kwargs 前调用钩子，并在改写时打一行 ``logger.info`` 便于排查。非 Moonshot 路径完全无感。
+- 新增 ``MoonshotTransport(OpenAICompatTransport)``：``_FORCED_TEMPERATURE`` prefix 表强制 ``kimi-k2-thinking`` / ``kimi-k2.5`` / ``kimi-k2.6`` 到 ``1.0``、``kimi-for-coding`` 到 ``0.6``；fallthrough 走 ``min(temperature, 1.0)`` 兼顾非 reasoning 模型（``moonshot-v1-*`` / ``kimi-k2-instruct-*``）的 ``[0, 1]`` 上限——Pydantic 字段允许到 2.0，超界一样 400。
+- ``_TRANSPORT_BY_BASE_URL`` 新增 ``("api.moonshot.cn", MoonshotTransport)``。substring 匹配自动覆盖 ``api.moonshot.cn`` / ``api.moonshot.cn/v1`` 所有形式；国际站 ``api.moonshot.ai`` 暂未支持，若后续需要追加一行即可。
+
+### Why prefix match, not exact / regex
+
+Moonshot 命名空间 ``<major>.<minor>[-<dated-revision>]`` 的天然分界就在 prefix。exact 会让 ``kimi-k2.6-1106`` / ``kimi-k2-thinking-128k`` 这类 dated revision 漏网，触发 0day 失败；regex 转义复杂度抬高 review 成本，收益不抵。
+
+### Migration notes
+
+- 插件零改动。``limit_up_board`` / 其他第三方插件的 ``profiles.py`` 不需要感知该约束。
+- 用户原本在 Kimi reasoning 模型上设的 ``temperature=0.0`` 在改写后会被强制为 ``1.0``——这本来就是服务端唯一允许的取值，不改写就是 100% 失败。
+- ``app.profile`` / ``llm.providers`` 配置无变动。
+
+## [v0.8.0] — 2026-05-16 — 插件 install / upgrade 走 CDN，零 GitHub API 调用
+
+`deeptrade plugin install` 与 `deeptrade plugin upgrade` 此前在解析"最新版本"与下载 tarball 时各打一次 ``api.github.com``，未认证用户共享 60/h 的 IP 级配额。一旦插件用户数上来，或者用户与浏览器 / `gh` CLI / `git clone` 公共仓库共用同一公网 IP，``HTTP 403: rate limit exceeded`` 就会把 install / upgrade 直接打死。共享 token 会违反 GitHub ToS，且配额仍会在那个 token 上聚合——不是解。
+
+本版改造将插件分发热路径全部搬到 CDN 端点：
+
+- **Tarball 下载**改走 ``codeload.github.com/<owner>/<repo>/tar.gz/<ref>``。codeload 是 CDN-backed 静态端点，不计入 REST API 限流。
+- **"最新版本"**改从注册表 ``index.json`` 的新字段 ``latest_version`` 读取（``raw.githubusercontent.com`` 同样不限流，且已有 ETag 缓存）。
+- **URL 形式安装**（``deeptrade plugin install https://github.com/...``）无 ``--ref`` 时默认 ``main`` 分支；其他默认分支需显式 ``--ref``。
+
+净效果：未认证用户走 ``install`` / ``upgrade`` 全流程**零 API 调用**，60/h 限制对默认路径不再存在。``GITHUB_TOKEN`` 不再被框架读取，文档不再推荐设置。
+
+### Changed
+
+- ``deeptrade/core/github_fetch.py``：删除 ``latest_release_tag`` / ``NoMatchingReleaseError``；``fetch_tarball`` 改写为 codeload 单端点（移除 ``GITHUB_TOKEN`` / ``X-GitHub-Api-Version`` header）。
+- ``deeptrade/core/registry.py``：``RegistryEntry`` 新增可选字段 ``latest_version: str | None``；解析器引入 ``_OPTIONAL_FIELDS`` 集合，含字段时填入，缺省 ``None``。schema_version 不变（仍为 1，向后兼容旧注册表文件）。
+- ``deeptrade/core/plugin_source.py``：``_resolve_short_name`` 用 ``entry.latest_version`` 替代 ``latest_release_tag``；缺字段且无 ``--ref`` 时抛 ``SourceResolveError`` 提示需补 ``--ref``。``_resolve_url`` 无 ``--ref`` 默认 ``main``；codeload 失败时错误信息提示用户切换 ``--ref``。
+- ``deeptrade/cli_plugin.py``：移除 ``NoMatchingReleaseError`` 引用。
+
+### Removed
+
+- ``latest_release_tag`` 公共函数与 ``NoMatchingReleaseError`` 异常类。
+- 对 ``GITHUB_TOKEN`` 环境变量的读取（github_fetch.py 中）。
+
+### Migration notes
+
+- **注册表维护者**：在 ``DeepTradePluginOfficial/registry/index.json`` 每个 plugin entry 中加 ``latest_version`` 字段，每次插件发版后同步该字段。可由 plugin 仓库 release workflow 自动 PR 到注册表仓库。
+- **存量旧版框架用户**：旧版（v0.7 及以下）仍会调 ``api.github.com``。``latest_version`` 字段是可选的、旧框架读取时会被忽略，不破坏现有用户；旧用户升级到本版后限流问题自动消失。
+- **URL 形式高级用户**：若你 host 的仓库默认分支不是 ``main``，``deeptrade plugin install https://github.com/<your>/<repo>`` 需显式 ``--ref <branch>``。
+
+### Why not "use a shared token"
+
+GitHub ToS 明确禁止 token 跨用户共享（被发现 token 会被吊销）；即便允许，5000/h 也会被规模化使用快速吃掉，且 token 泄露需要维护者承担权限滥用风险。CDN 改造是唯一既不需要每用户认证、又能稳定服务的方案。未来若需要支持私有仓库或企业内部分发，再走 OAuth Device Flow（``gh auth login`` 同款流程）让每个用户认证自己的 token。
+
 ## [v0.7.0] — 2026-05-15 — 依赖隔离稳健化 + timezone IANA 校验
 
 本版按 2026-05-15 评审研判文档 §5 v0.7 路线落地 2 项主线，至此 v0.5 § 5 全部"采纳项"清零：

{deeptrade_quant-0.7.0 → deeptrade_quant-0.8.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: deeptrade-quant
-Version: 0.7.0
+Version: 0.8.1
 Summary: LLM-driven A-share (Shanghai/Shenzhen main board) stock screening CLI
 Project-URL: Homepage, https://github.com/ty19880929/deeptrade
 Project-URL: Repository, https://github.com/ty19880929/deeptrade

{deeptrade_quant-0.7.0 → deeptrade_quant-0.8.1}/deeptrade/__init__.py

@@ -2,5 +2,5 @@
 
 from __future__ import annotations
 
-__version__ = "0.7.0"
+__version__ = "0.8.1"
 __all__ = ["__version__"]

{deeptrade_quant-0.7.0 → deeptrade_quant-0.8.1}/deeptrade/cli_plugin.py

@@ -12,7 +12,6 @@ from deeptrade.core import paths
 from deeptrade.core.db import Database
 from deeptrade.core.github_fetch import (
     GitHubFetchError,
-    NoMatchingReleaseError,
     TarballFetchError,
 )
 from deeptrade.core.plugin_manager import (
@@ -41,7 +40,6 @@ _RESOLVE_ERRORS: tuple[type[Exception], ...] = (
     RegistryNotFoundError,
     RegistryFetchError,
     RegistrySchemaError,
-    NoMatchingReleaseError,
     TarballFetchError,
     GitHubFetchError,
     SourceResolveError,

deeptrade_quant-0.8.1/deeptrade/core/github_fetch.py

@@ -0,0 +1,122 @@
+"""GitHub tarball download helper (CDN-only).
+
+The plugin install / upgrade path downloads release tarballs from
+``codeload.github.com`` instead of ``api.github.com``. codeload is a
+CDN-backed static endpoint and does **not** count against the GitHub REST
+API rate limit (60/h for anonymous IPs), so plugin install works for
+every user out of the box — no ``GITHUB_TOKEN`` required.
+
+"Latest version" used to be resolved via ``GET /repos/<repo>/releases``,
+but that costs an API request per install. It now comes from the
+``latest_version`` field in the registry index, which is served from
+``raw.githubusercontent.com`` (also CDN, also un-metered). See
+``deeptrade.core.plugin_source`` for the wiring.
+
+See ``CHANGELOG.md`` for the distribution / install design context.
+"""
+
+from __future__ import annotations
+
+import logging
+import shutil
+import tarfile
+import tempfile
+from pathlib import Path
+from urllib.error import HTTPError, URLError
+from urllib.request import Request, urlopen
+
+logger = logging.getLogger(__name__)
+
+CODELOAD_BASE = "https://codeload.github.com"
+
+
+class GitHubFetchError(Exception):
+    """Generic GitHub fetch error."""
+
+
+class TarballFetchError(GitHubFetchError):
+    """Tarball download or extraction failure."""
+
+
+def _user_agent() -> str:
+    from deeptrade import __version__
+
+    return f"deeptrade-cli/{__version__}"
+
+
+def _build_request(url: str) -> Request:
+    return Request(url, headers={"User-Agent": _user_agent()})
+
+
+def fetch_tarball(repo: str, ref: str, dest_dir: Path, *, timeout: float = 60.0) -> Path:
+    """Download ``repo`` at ``ref`` from codeload.github.com and extract.
+
+    ``ref`` may be a tag (``v1.0.0`` or ``limit-up-board/v0.4.0``), a branch
+    name (``main``), a SHA, or a full git ref (``refs/tags/v1.0.0`` /
+    ``refs/heads/main``). codeload resolves all of these transparently.
+
+    Returns the unique top-level directory created inside ``dest_dir``
+    (codeload tarballs are wrapped in ``<owner>-<repo>-<sha7>/``).
+
+    Raises :class:`TarballFetchError` on network, HTTP, or extraction failure.
+    """
+    dest_dir.mkdir(parents=True, exist_ok=True)
+    url = f"{CODELOAD_BASE}/{repo}/tar.gz/{ref}"
+
+    tmp_path: Path | None = None
+    try:
+        with tempfile.NamedTemporaryFile(suffix=".tar.gz", delete=False) as tmp:
+            tmp_path = Path(tmp.name)
+
+        req = _build_request(url)
+        try:
+            with urlopen(req, timeout=timeout) as resp, tmp_path.open("wb") as fout:
+                shutil.copyfileobj(resp, fout)
+        except HTTPError as e:
+            raise TarballFetchError(
+                f"HTTP {e.code} downloading tarball {repo}@{ref} from codeload: {e}"
+            ) from e
+        except URLError as e:
+            raise TarballFetchError(
+                f"network error downloading tarball {repo}@{ref} from codeload: {e}"
+            ) from e
+
+        try:
+            with tarfile.open(tmp_path, mode="r:gz") as tf:
+                _safe_extract(tf, dest_dir)
+        except tarfile.TarError as e:
+            raise TarballFetchError(f"failed to extract tarball: {e}") from e
+    finally:
+        if tmp_path is not None:
+            try:
+                tmp_path.unlink()
+            except OSError:
+                pass
+
+    entries = [p for p in dest_dir.iterdir() if p.is_dir()]
+    if len(entries) != 1:
+        raise TarballFetchError(
+            f"expected one top-level dir in tarball, found {len(entries)}: "
+            f"{[p.name for p in entries]}"
+        )
+    return entries[0]
+
+
+def _safe_extract(tf: tarfile.TarFile, dest: Path) -> None:
+    """Extract ``tf`` into ``dest`` with path-traversal protection.
+
+    Uses tarfile's ``data`` filter on Python 3.12+, with an explicit
+    relative-path check on every member as a belt-and-braces guard for 3.11.
+    """
+    dest_resolved = dest.resolve()
+    for m in tf.getmembers():
+        member_path = (dest / m.name).resolve()
+        try:
+            member_path.relative_to(dest_resolved)
+        except ValueError as e:
+            raise tarfile.TarError(f"unsafe path in tarball (would escape dest): {m.name!r}") from e
+
+    try:
+        tf.extractall(dest, filter="data")
+    except TypeError:
+        tf.extractall(dest)  # noqa: S202 — paths already validated above

{deeptrade_quant-0.7.0 → deeptrade_quant-0.8.1}/deeptrade/core/llm_client.py

@@ -162,6 +162,16 @@ class OpenAICompatTransport(LLMTransport):
         del thinking  # base class has no provider knobs
         return {}
 
+    def _adjust_temperature(self, *, model: str, temperature: float) -> float:
+        """Provider/model-specific temperature sanitization hook.
+
+        Default: identity. Subclasses override to clamp / force temperature
+        for models with server-side hard constraints (e.g. Moonshot reasoning
+        variants that only accept ``temperature == 1``).
+        """
+        del model  # base class has no per-model constraints
+        return temperature
+
     def chat(
         self,
         *,
@@ -175,6 +185,15 @@ class OpenAICompatTransport(LLMTransport):
     ) -> LLMResponse:
         from openai import APIError, APITimeoutError  # noqa: PLC0415
 
+        adjusted_temperature = self._adjust_temperature(model=model, temperature=temperature)
+        if adjusted_temperature != temperature:
+            logger.info(
+                "transport adjusted temperature for model=%s: %.3f -> %.3f",
+                model,
+                temperature,
+                adjusted_temperature,
+            )
+
         kwargs: dict[str, Any] = {
             "model": model,
             "messages": [
@@ -182,7 +201,7 @@ class OpenAICompatTransport(LLMTransport):
                 {"role": "user", "content": user},
             ],
             "response_format": {"type": "json_object"},
-            "temperature": temperature,
+            "temperature": adjusted_temperature,
             "max_tokens": max_tokens,
             "stream": False,
         }
@@ -236,6 +255,47 @@ class DashScopeTransport(OpenAICompatTransport):
         return {"enable_thinking": thinking}
 
 
+class MoonshotTransport(OpenAICompatTransport):
+    """Moonshot Kimi (``api.moonshot.cn``).
+
+    Reasoning-variant models (``kimi-k2-thinking`` / ``kimi-k2.5`` /
+    ``kimi-k2.6``) have a server-side hard constraint: ``temperature`` MUST
+    equal a model-specific fixed value (1.0 for thinking variants, 0.6 for
+    ``kimi-for-coding``). Any other value returns HTTP 400 ``invalid
+    temperature``.
+
+    Non-reasoning Moonshot models accept the full ``[0, 1]`` range; values
+    above 1 also 400. We handle both: forced equality on known reasoning
+    variants, then fall through to range clamp for everyone else.
+
+    ``_FORCED_TEMPERATURE`` uses **prefix** match so that dated revisions
+    (``kimi-k2.6-1106``, ``kimi-k2-thinking-128k``, …) inherit the same
+    constraint without a code change. Only include models with confirmed
+    server-side enforcement, not just "recommended" values.
+
+    Note: the international site (``api.moonshot.ai``) shares the same
+    constraints — add a routing-table entry there if/when the framework
+    supports it.
+    """
+
+    # model-name prefix → forced temperature value
+    _FORCED_TEMPERATURE: tuple[tuple[str, float], ...] = (
+        ("kimi-k2-thinking", 1.0),
+        ("kimi-k2.5", 1.0),
+        ("kimi-k2.6", 1.0),
+        ("kimi-for-coding", 0.6),
+    )
+
+    def _adjust_temperature(self, *, model: str, temperature: float) -> float:
+        for prefix, forced in self._FORCED_TEMPERATURE:
+            if model.startswith(prefix):
+                return forced
+        # Moonshot accepts only [0, 1] across the whole API; upper-clamp guards
+        # non-reasoning models (moonshot-v1-*, kimi-k2-instruct-*) against a
+        # StageProfile that goes above 1.0 (the Pydantic field allows up to 2).
+        return min(temperature, 1.0)
+
+
 class OpenAIOfficialTransport(OpenAICompatTransport):
     """OpenAI's own ``api.openai.com`` endpoint.
 
@@ -259,6 +319,7 @@ class OpenAIOfficialTransport(OpenAICompatTransport):
 # nowhere else; user-facing config has no "dialect" knob on purpose.
 _TRANSPORT_BY_BASE_URL: tuple[tuple[str, type[OpenAICompatTransport]], ...] = (
     ("dashscope.aliyuncs.com", DashScopeTransport),
+    ("api.moonshot.cn", MoonshotTransport),
     ("api.openai.com", OpenAIOfficialTransport),
 )
 

{deeptrade_quant-0.7.0 → deeptrade_quant-0.8.1}/deeptrade/core/plugin_source.py

@@ -28,9 +28,7 @@ from packaging.version import InvalidVersion, Version
 
 from deeptrade.core.github_fetch import (
     GitHubFetchError,
-    NoMatchingReleaseError,
     fetch_tarball,
-    latest_release_tag,
 )
 from deeptrade.core.registry import (
     RegistryClient,
@@ -109,14 +107,20 @@ class SourceResolver:
         self._check_framework_version(entry)
 
         if ref is None:
-            try:
-                ref = latest_release_tag(entry.repo, entry.tag_prefix)
-            except (NoMatchingReleaseError, GitHubFetchError) as e:
-                raise SourceResolveError(str(e)) from e
+            if not entry.latest_version:
+                raise SourceResolveError(
+                    f"registry entry for {plugin_id!r} is missing 'latest_version' and no "
+                    f"--ref was supplied; pass --ref <tag> explicitly, or wait for the "
+                    f"registry to publish a latest_version for this plugin"
+                )
+            ref = entry.latest_version
 
         tmp = tempfile.TemporaryDirectory(prefix="deeptrade-plugin-")
         try:
-            top = fetch_tarball(entry.repo, ref, Path(tmp.name))
+            try:
+                top = fetch_tarball(entry.repo, ref, Path(tmp.name))
+            except GitHubFetchError as e:
+                raise SourceResolveError(str(e)) from e
             plugin_path = top / entry.subdir
             if not plugin_path.is_dir():
                 raise SourceResolveError(f"subdir {entry.subdir!r} not found in {entry.repo}@{ref}")
@@ -145,15 +149,22 @@ class SourceResolver:
         owner, repo_name = _parse_github_url(url)
         repo = f"{owner}/{repo_name}"
 
+        # URL form has no registry entry to consult, so we cannot know the
+        # "latest release tag" without hitting api.github.com (which the v0.8
+        # CDN refactor explicitly avoids). Default to the ``main`` branch; if
+        # the repo's default branch is something else, the codeload 404 surfaces
+        # with a hint to pass ``--ref`` explicitly.
         if ref is None:
-            try:
-                ref = latest_release_tag(repo, "")
-            except (NoMatchingReleaseError, GitHubFetchError) as e:
-                raise SourceResolveError(str(e)) from e
+            ref = "main"
 
         tmp = tempfile.TemporaryDirectory(prefix="deeptrade-plugin-")
         try:
-            top = fetch_tarball(repo, ref, Path(tmp.name))
+            try:
+                top = fetch_tarball(repo, ref, Path(tmp.name))
+            except GitHubFetchError as e:
+                raise SourceResolveError(
+                    f"{e}; if your repo's default branch is not 'main', pass --ref <branch-or-tag>"
+                ) from e
             yaml_path = top / "deeptrade_plugin.yaml"
             if not yaml_path.is_file():
                 raise SourceResolveError(

{deeptrade_quant-0.7.0 → deeptrade_quant-0.8.1}/deeptrade/core/registry.py

@@ -28,6 +28,12 @@ REGISTRY_URL = (
 _REQUIRED_FIELDS = frozenset(
     {"name", "type", "description", "repo", "subdir", "tag_prefix", "min_framework_version"}
 )
+# Optional fields parsed when present; absence is not a schema error.
+# ``latest_version``: registry-curated "current release tag", consumed by the
+# install/upgrade resolver so it never has to hit ``api.github.com`` to find
+# the latest release. Plugin release CI should keep this field up-to-date
+# in ``DeepTradePluginOfficial/registry/index.json``.
+_OPTIONAL_FIELDS = frozenset({"latest_version"})
 
 
 class RegistryError(Exception):
@@ -56,6 +62,10 @@ class RegistryEntry:
     subdir: str
     tag_prefix: str
     min_framework_version: str
+    # CDN-only install path: when present, the resolver uses this as the
+    # tag to download from codeload instead of calling the GitHub releases
+    # API. Optional for backward compat with registries written before v0.8.
+    latest_version: str | None = None
 
 
 @dataclass(frozen=True)
@@ -93,10 +103,11 @@ def _parse_registry(data: Any) -> Registry:
         missing = _REQUIRED_FIELDS - set(raw)
         if missing:
             raise RegistrySchemaError(f"plugins.{plugin_id} missing fields: {sorted(missing)}")
-        entries[plugin_id] = RegistryEntry(
-            plugin_id=plugin_id,
-            **{k: raw[k] for k in _REQUIRED_FIELDS},
-        )
+        fields: dict[str, Any] = {k: raw[k] for k in _REQUIRED_FIELDS}
+        for k in _OPTIONAL_FIELDS:
+            if k in raw:
+                fields[k] = raw[k]
+        entries[plugin_id] = RegistryEntry(plugin_id=plugin_id, **fields)
     return Registry(schema_version=schema_version, plugins=entries)
 
 

{deeptrade_quant-0.7.0 → deeptrade_quant-0.8.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "deeptrade-quant"
-version = "0.7.0"
+version = "0.8.1"
 description = "LLM-driven A-share (Shanghai/Shenzhen main board) stock screening CLI"
 readme = "README.md"
 requires-python = ">=3.11"

deeptrade_quant-0.8.1/tests/core/test_github_fetch.py

@@ -0,0 +1,126 @@
+"""Unit tests for deeptrade.core.github_fetch.
+
+Network calls (``urlopen``) are patched. Tarball extraction is exercised on
+real .tar.gz produced in-memory. Since the v0.8 CDN refactor, github_fetch
+only exposes ``fetch_tarball`` (latest-tag resolution moved to the registry
+``latest_version`` field).
+"""
+
+from __future__ import annotations
+
+import io
+import tarfile
+from pathlib import Path
+from typing import Any
+from unittest.mock import patch
+from urllib.error import HTTPError
+
+import pytest
+
+from deeptrade.core.github_fetch import (
+    CODELOAD_BASE,
+    TarballFetchError,
+    fetch_tarball,
+)
+
+# ---------------------------------------------------------------------------
+# Helpers
+# ---------------------------------------------------------------------------
+
+
+class _FakeResponse:
+    def __init__(self, body: bytes, headers: dict[str, str] | None = None) -> None:
+        self._buf = io.BytesIO(body)
+        self.headers = headers or {}
+
+    def read(self, n: int = -1) -> bytes:
+        return self._buf.read() if n == -1 else self._buf.read(n)
+
+    def __enter__(self) -> _FakeResponse:
+        return self
+
+    def __exit__(self, *args: Any) -> None:
+        self._buf.close()
+
+
+def _build_tarball(top_dir: str, files: dict[str, bytes]) -> bytes:
+    """Build an in-memory .tar.gz with a single top-level directory."""
+    buf = io.BytesIO()
+    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
+        info = tarfile.TarInfo(name=top_dir)
+        info.type = tarfile.DIRTYPE
+        info.mode = 0o755
+        tf.addfile(info)
+        for path, content in files.items():
+            info = tarfile.TarInfo(name=f"{top_dir}/{path}")
+            info.size = len(content)
+            info.mode = 0o644
+            tf.addfile(info, io.BytesIO(content))
+    return buf.getvalue()
+
+
+# ---------------------------------------------------------------------------
+# fetch_tarball
+# ---------------------------------------------------------------------------
+
+
+def test_fetch_tarball_extracts_and_returns_top_dir(tmp_path: Path) -> None:
+    tarball = _build_tarball(
+        "owner-repo-abc1234",
+        {"deeptrade_plugin.yaml": b"plugin_id: x\n", "data.py": b"# code\n"},
+    )
+    with patch(
+        "deeptrade.core.github_fetch.urlopen",
+        return_value=_FakeResponse(tarball),
+    ):
+        top = fetch_tarball("owner/repo", "v1.0.0", tmp_path)
+
+    assert top.is_dir()
+    assert top.name == "owner-repo-abc1234"
+    assert (top / "deeptrade_plugin.yaml").is_file()
+    assert (top / "data.py").read_text() == "# code\n"
+
+
+def test_fetch_tarball_uses_codeload_url(tmp_path: Path) -> None:
+    """Sanity-check the new endpoint: no api.github.com, codeload only."""
+    tarball = _build_tarball("owner-repo-abc1234", {"x": b""})
+    captured: dict[str, str] = {}
+
+    def fake_urlopen(req: Any, **_: Any) -> _FakeResponse:
+        captured["url"] = req.full_url
+        return _FakeResponse(tarball)
+
+    with patch("deeptrade.core.github_fetch.urlopen", side_effect=fake_urlopen):
+        fetch_tarball("owner/repo", "limit-up-board/v0.4.0", tmp_path)
+
+    assert captured["url"].startswith(CODELOAD_BASE + "/")
+    assert "api.github.com" not in captured["url"]
+    assert "owner/repo/tar.gz/limit-up-board/v0.4.0" in captured["url"]
+
+
+def test_fetch_tarball_http_error_raises(tmp_path: Path) -> None:
+    err = HTTPError("https://x", 404, "Not Found", {}, None)  # type: ignore[arg-type]
+    with patch("deeptrade.core.github_fetch.urlopen", side_effect=err):
+        with pytest.raises(TarballFetchError, match="HTTP 404"):
+            fetch_tarball("owner/repo", "v1.0.0", tmp_path)
+
+
+def test_fetch_tarball_blocks_path_traversal(tmp_path: Path) -> None:
+    """A tarball whose members escape dest_dir must be rejected."""
+    dest = tmp_path / "extract_here"
+    buf = io.BytesIO()
+    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
+        info = tarfile.TarInfo(name="owner-repo-abc/")
+        info.type = tarfile.DIRTYPE
+        tf.addfile(info)
+        info = tarfile.TarInfo(name="../escaped.txt")
+        info.size = 4
+        tf.addfile(info, io.BytesIO(b"evil"))
+
+    with patch(
+        "deeptrade.core.github_fetch.urlopen",
+        return_value=_FakeResponse(buf.getvalue()),
+    ):
+        with pytest.raises(TarballFetchError, match="extract"):
+            fetch_tarball("owner/repo", "v1.0.0", dest)
+    assert not (tmp_path / "escaped.txt").exists()

{deeptrade_quant-0.7.0 → deeptrade_quant-0.8.1}/tests/core/test_llm_client.py

@@ -22,6 +22,7 @@ from deeptrade.core.llm_client import (
     LLMTransport,
     LLMTransportError,
     LLMValidationError,
+    MoonshotTransport,
     OpenAICompatTransport,
     OpenAIOfficialTransport,
     RecordedTransport,
@@ -407,6 +408,96 @@ def test_select_transport_class_routes_dashscope_by_base_url() -> None:
     )
 
 
+# ---------------------------------------------------------------------------
+# Moonshot — server-side temperature constraint sanitization
+# ---------------------------------------------------------------------------
+
+
+def test_base_transport_adjust_temperature_is_identity() -> None:
+    """Default hook MUST NOT alter temperature — every non-Moonshot transport
+    relies on this. If this regresses, DashScope / DeepSeek / OpenAI / … will
+    silently start sending different temperatures than the caller requested.
+    """
+    t = GenericOpenAITransport(api_key="dummy", base_url="https://api.deepseek.com", timeout=10)
+    assert t._adjust_temperature(model="deepseek-chat", temperature=0.0) == 0.0
+    assert t._adjust_temperature(model="deepseek-chat", temperature=0.7) == 0.7
+    assert t._adjust_temperature(model="anything", temperature=1.5) == 1.5
+
+
+def test_moonshot_transport_forces_temperature_for_reasoning_variants() -> None:
+    """Kimi K2 reasoning variants only accept ``temperature == <forced>`` on
+    the wire; any other value returns HTTP 400. The transport must clamp to
+    the forced value regardless of what the StageProfile asks for.
+    """
+    t = MoonshotTransport(api_key="dummy", base_url="https://api.moonshot.cn/v1", timeout=10)
+    # forced to 1.0
+    assert t._adjust_temperature(model="kimi-k2.6", temperature=0.2) == 1.0
+    assert t._adjust_temperature(model="kimi-k2.6-1106", temperature=0.1) == 1.0
+    assert t._adjust_temperature(model="kimi-k2-thinking", temperature=0.0) == 1.0
+    assert t._adjust_temperature(model="kimi-k2-thinking-128k", temperature=0.5) == 1.0
+    assert t._adjust_temperature(model="kimi-k2.5", temperature=0.2) == 1.0
+    # forced to 0.6
+    assert t._adjust_temperature(model="kimi-for-coding", temperature=0.0) == 0.6
+    # no-op when caller already supplied the forced value
+    assert t._adjust_temperature(model="kimi-k2.6", temperature=1.0) == 1.0
+
+
+def test_moonshot_transport_clamps_non_reasoning_to_one() -> None:
+    """Non-reasoning Moonshot models accept [0, 1]; values above 1 also 400.
+    Pass through inside the range; clamp above."""
+    t = MoonshotTransport(api_key="dummy", base_url="https://api.moonshot.cn/v1", timeout=10)
+    assert t._adjust_temperature(model="moonshot-v1-32k", temperature=0.1) == 0.1
+    assert t._adjust_temperature(model="kimi-k2-instruct-0905", temperature=0.2) == 0.2
+    assert t._adjust_temperature(model="moonshot-v1-32k", temperature=1.0) == 1.0
+    assert t._adjust_temperature(model="moonshot-v1-32k", temperature=1.5) == 1.0
+
+
+def test_moonshot_transport_sends_forced_temperature_on_wire(
+    monkeypatch: pytest.MonkeyPatch,
+) -> None:
+    """End-to-end wire-shape regression: chat() composes kwargs with the
+    *adjusted* temperature, not the caller's original value."""
+    from types import SimpleNamespace
+
+    captured: dict[str, Any] = {}
+
+    def fake_create(**kwargs: Any) -> Any:
+        captured.update(kwargs)
+        choice = SimpleNamespace(message=SimpleNamespace(content='{"k": 1}'))
+        return SimpleNamespace(
+            choices=[choice],
+            usage=SimpleNamespace(prompt_tokens=1, completion_tokens=1),
+        )
+
+    t = MoonshotTransport(api_key="dummy", base_url="https://api.moonshot.cn/v1", timeout=10)
+    monkeypatch.setattr(t._client.chat.completions, "create", fake_create)
+    t.chat(
+        model="kimi-k2.6",
+        system="s",
+        user="u",
+        temperature=0.2,
+        max_tokens=64,
+        thinking=False,
+        reasoning_effort="",
+    )
+    assert captured["temperature"] == 1.0
+
+
+def test_select_transport_class_routes_moonshot() -> None:
+    """``api.moonshot.cn`` (with or without ``/v1``) routes to MoonshotTransport
+    via substring match, same pattern as the other entries in the routing table.
+    """
+    assert _select_transport_class("https://api.moonshot.cn/v1") is MoonshotTransport
+    assert _select_transport_class("https://api.moonshot.cn") is MoonshotTransport
+
+
+def test_moonshot_transport_inherits_reasoning_effort_default() -> None:
+    """Moonshot does not document support for the ``reasoning_effort`` field;
+    it inherits the base-class default (False) — confirm we didn't accidentally
+    flip it on along with adding the transport."""
+    assert MoonshotTransport.supports_reasoning_effort is False
+
+
 # ---------------------------------------------------------------------------
 # v0.6 H5 — reasoning_effort gating
 # ---------------------------------------------------------------------------
@@ -532,4 +623,4 @@ def test_select_transport_class_defaults_to_generic() -> None:
     actually reaches the wire; that case is covered separately below.
     """
     assert _select_transport_class("https://api.deepseek.com") is GenericOpenAITransport
-    assert _select_transport_class("https://api.moonshot.cn/v1") is GenericOpenAITransport
+    assert _select_transport_class("https://openrouter.ai/api/v1") is GenericOpenAITransport