v3.0.6

Signed-off-by: Dinger <quantdinger@gmail.com>

Author: quantdinger-lab

backend_api_python/app/__init__.py

@@ -277,7 +277,46 @@ def create_app(config_name='default'):
         ).split(",")
         if o.strip()
     ]
-    CORS(app, origins=_cors_origins)
+
+    # ------------------------------------------------------------------
+    # Capacitor / Cordova / Ionic mobile app origins.
+    #
+    # When the H5 frontend is packaged as a native app via Capacitor, the
+    # WebView loads pages from a synthetic origin (NOT from your real
+    # domain), and every API request to the production backend is treated
+    # as cross-origin by the WebView. The exact origin depends on the
+    # Capacitor server config:
+    #   - Android (capacitor 6, androidScheme="https") → https://localhost
+    #   - Android (capacitor 5 or scheme="http")      → http://localhost
+    #   - iOS (capacitor 6, iosScheme="https")        → capacitor://localhost
+    #   - iOS legacy (ionic://)                       → ionic://localhost
+    #   - Cordova / file:// loaded apps               → null  (Origin: null)
+    #
+    # We always allow these so a packaged QuantDinger mobile app can call
+    # the backend without each user editing FRONTEND_URL. They are *fixed
+    # synthetic origins controlled by the OS / Capacitor*, not user input,
+    # so this does not widen exposure to real third-party sites.
+    _capacitor_origins = [
+        "https://localhost",        # Android, Capacitor 6, androidScheme=https
+        "http://localhost",         # Android legacy
+        "capacitor://localhost",    # iOS, Capacitor 6, iosScheme=capacitor
+        "ionic://localhost",        # iOS legacy / Ionic
+        "https://localhost:*",      # rare custom port
+        "http://localhost:*",
+    ]
+    for origin in _capacitor_origins:
+        if origin not in _cors_origins:
+            _cors_origins.append(origin)
+
+    # send_wildcard=False + supports_credentials=False is the safe default
+    # for token-in-Authorization-header auth (which is what the mobile app
+    # uses; see api/index.js → `Authorization: Bearer ${token}`).
+    CORS(
+        app,
+        origins=_cors_origins,
+        supports_credentials=False,
+        send_wildcard=False,
+    )
     logger.info(f"CORS allowed origins: {_cors_origins}")
 
     setup_logger()

backend_api_python/app/data_sources/factory.py

@@ -38,16 +38,41 @@ class DataSourceFactory:
 
     _sources: Dict[str, BaseDataSource] = {}
 
+    # Markets that pass through normalize_market unchanged.
+    _CANONICAL_MARKETS = ("Crypto", "Forex", "Futures", "USStock", "CNStock", "HKStock", "MOEX")
+
     @classmethod
     def normalize_market(cls, market: str) -> str:
-        """统一市场枚举大小写与别名，供路由与数据源入口使用。"""
+        """
+        Normalize a market category string.
+
+        IMPORTANT: empty / unknown input used to silently degrade to "Crypto",
+        which made stock symbols like TSLA quietly route to CCXT/Coinbase. We
+        keep that fallback for backward compatibility (some callers still rely
+        on it) but emit a loud WARNING so the misroute is no longer invisible.
+        Always pass a real market category from the caller.
+        """
         if not market:
+            logger.warning(
+                "DataSourceFactory.normalize_market(): empty market category — "
+                "falling back to 'Crypto'. Caller MUST supply an explicit market "
+                "(USStock / Forex / Futures / Crypto / CNStock / HKStock / MOEX). "
+                "This fallback is deprecated and will become a hard error.",
+                stack_info=False,
+            )
             return "Crypto"
         raw = str(market).strip()
-        if raw in ("Crypto", "Forex", "Futures", "USStock", "CNStock", "HKStock", "MOEX"):
+        if raw in cls._CANONICAL_MARKETS:
             return raw
         key = raw.lower().replace(" ", "").replace("-", "_")
-        return _MARKET_ALIASES.get(key, raw)
+        if key in _MARKET_ALIASES:
+            return _MARKET_ALIASES[key]
+        logger.warning(
+            "DataSourceFactory.normalize_market(): unknown market %r — "
+            "passing through as-is; downstream get_source() will likely fail.",
+            raw,
+        )
+        return raw
 
     @classmethod
     def get_source(cls, market: str) -> BaseDataSource:
@@ -74,13 +99,22 @@ def get_data_source(cls, name: str) -> BaseDataSource:
         In the localized Python backend we primarily use `get_source("Crypto")`.
         """
         key = (name or "").strip().lower()
-        if key in ("crypto", "binance", "okx", "bybit", "bitget", "kucoin", "gate", "mexc", "kraken", "coinbase"):
+        if key in ("crypto", "binance", "okx", "bybit", "bitget", "kucoin", "gate", "mexc", "kraken", "coinbase", "alpaca_crypto"):
             return cls.get_source("Crypto")
         if key in ("futures",):
             return cls.get_source("Futures")
-        if key in ("forex", "fx"):
+        if key in ("forex", "fx", "mt5"):
             return cls.get_source("Forex")
-        # Default to Crypto for safety (most callers want a ticker for crypto pairs).
+        if key in ("usstock", "us_stocks", "stock", "stocks", "ibkr", "alpaca"):
+            return cls.get_source("USStock")
+        # Unknown alias — log and default to Crypto (legacy behavior). Callers
+        # should migrate to the explicit `get_source(market)` API.
+        logger.warning(
+            "DataSourceFactory.get_data_source(%r): unknown alias — falling back "
+            "to Crypto. Migrate caller to get_source(market) with an explicit "
+            "market category.",
+            name,
+        )
         return cls.get_source("Crypto")
 
     @classmethod

backend_api_python/app/routes/__init__.py

@@ -28,6 +28,7 @@ def register_routes(app: Flask):
     from app.routes.billing import billing_bp
     from app.routes.quick_trade import quick_trade_bp
     from app.routes.experiment import experiment_bp
+    from app.routes.policy import policy_bp
 
     app.register_blueprint(health_bp)
     app.register_blueprint(auth_bp, url_prefix='/api/auth')   # Auth routes
@@ -51,6 +52,7 @@ def register_routes(app: Flask):
     app.register_blueprint(billing_bp, url_prefix='/api/billing')
     app.register_blueprint(quick_trade_bp, url_prefix='/api/quick-trade')
     app.register_blueprint(experiment_bp, url_prefix='/api/experiment')
+    app.register_blueprint(policy_bp, url_prefix='/api/policy')
 
     # Agent Gateway (/api/agent/v1) — versioned, scoped surface for AI agents.
     # See docs/agent/AI_INTEGRATION_DESIGN.md.

backend_api_python/app/routes/policy.py

@@ -0,0 +1,43 @@
+"""
+Policy / capability discovery routes.
+
+Read-only endpoints that expose backend policy matrices to the frontend so
+the UI does not have to hard-code its own copy of broker x market rules.
+The frontend fetches these once at app boot and caches them in
+sessionStorage; nothing here is per-user, so caching is safe.
+"""
+from flask import Blueprint, jsonify
+
+from app.services.broker_market_policy import to_dict as broker_market_policy_dict
+
+
+policy_bp = Blueprint('policy', __name__)
+
+
+@policy_bp.route('/broker-market', methods=['GET'])
+def get_broker_market_policy():
+    """Return the full broker x market x market_type compatibility matrix.
+
+    Response shape (kept stable for the frontend):
+      {
+        "code": 1,
+        "data": {
+          "broker_markets": {
+              "ibkr":   {"USStock": ["spot"]},
+              "mt5":    {"Forex":   ["spot"]},
+              "alpaca": {"USStock": ["spot"], "Crypto": ["spot"]},
+              "binance": {"Crypto":  ["spot", "swap"]},
+              ...
+          },
+          "long_only_brokers": ["alpaca", "ibkr"],
+          "bot_type_markets": {
+              "grid":       ["Crypto", "Forex"],
+              "martingale": ["Crypto"],
+              "dca":        ["Crypto", "Forex", "USStock"],
+              "trend":      ["Crypto", "Forex", "USStock"]
+          },
+          "live_market_categories": ["Crypto", "Forex", "USStock"]
+        }
+      }
+    """
+    return jsonify({"code": 1, "data": broker_market_policy_dict()})