Add authenticated strategy switch console

[Pigbibi]

Summary

• add a manual multi-platform strategy switch workflow for LongBridge, IBKR, Schwab, Firstrade, and the firsttrade alias
• add the GitHub Pages switch console plus authenticated Cloudflare Worker backend
• keep the public page read-only; allowlisted GitHub logins can dispatch the switch workflow
• add GitHub OAuth 2.0 login management at /admin with Cloudflare KV-backed allowlist, admin list, account options, and audit log
• configure the account dropdown shape for LongBridge hk/sg/paper, IBKR u15998061/u16608560/u18336562, Schwab default, and Firstrade default
• document Worker secrets, KV binding, OAuth setup, and admin permission boundaries

Verification

• node --check --input-type=module < web/strategy-switch-console/worker.js
• node --check --input-type=module < web/strategy-switch-console/page_asset.js
• sed -n '/<script>/,/<\\/script>/p' docs/index.html | sed '1d;$d' | node --check --input-type=commonjs
• python3 -m json.tool web/strategy-switch-console/account-options.example.json >/dev/null
• python3 -m py_compile scripts/sync_strategy_switch_page_asset.py scripts/build_runtime_switch.py scripts/runtime_settings.py tests/test_runtime_settings.py
• timeout 120 python3 scripts/runtime_settings.py validate
• timeout 180 python3 -m unittest discover -s tests -v
• Worker smoke test: public page 200, unauthenticated admin API 401, signed admin /admin 200, KV save 200
• GitHub Actions validate checks passed on PR Add authenticated strategy switch console #9

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ca61aadc8f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use a deployable compatibility date

As of this commit's review date (2026-06-08), this example config sets compatibility_date to tomorrow, while Cloudflare's Wrangler configuration guidance says to set this field to today's date. Anyone following the documented cp ... wrangler.toml then wrangler deploy path today can be blocked by the future runtime date; use 2026-06-08 or an earlier supported date instead.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5083ad299e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Validate custom mounts before embedding service targets

When IBKR has an existing CLOUD_RUN_SERVICE_TARGETS_JSON, these lines move the mounts into the nested service-target payload and then clear the top-level plugin_mounts_variable, so the later validate_target(target) call no longer validates custom mounts. For example, --plugin-mode custom with a mount whose signal_path is http://... is rejected without service-target patching, but is accepted and written into CLOUD_RUN_SERVICE_TARGETS_JSON in this branch, leaving the platform sync to consume invalid plugin config. Validate the mounts before clearing them or validate the patched service-target payload.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1553fe900a

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve secret-name validation when patching service targets

When IBKR has an existing CLOUD_RUN_SERVICE_TARGETS_JSON, this replacement leaves validate_extra_variables() seeing only the wrapper variable name, after _build_target_entry() has already embedded the original extra_variables inside the service-target payload. In that scenario, an input like extra_variables_json={"BROKER_API_KEY":"..."} is rejected without service-target patching but is accepted and written into CLOUD_RUN_SERVICE_TARGETS_JSON here, bypassing the secret-name guard that was added for non-secret variables.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e989834082

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove stale plugin mounts when replacing IBKR targets

When patching an existing IBKR CLOUD_RUN_SERVICE_TARGETS_JSON entry, merging {**entry, **replacement} keeps any old IBKR_STRATEGY_PLUGIN_MOUNTS_JSON field if the new switch has no mounts, because _build_target_entry() omits that key for plugin_mode=none or for strategies without auto mounts. In that scenario the selected service gets the new runtime_target.strategy_profile but still deploys the previous plugin mount payload, so a user cannot actually disable or clear stale plugin mounts through the switch workflow.

Useful? React with 👍 / 👎.