nanobook 0.16.2

Deterministic Rust execution engine for trading backtests: limit-order book, portfolio simulation, metrics, risk checks, and Python bindings
Documentation
name: CI

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Default to least privilege (I1). Jobs that need more (e.g.,
# writing to the repo) must override at job scope. CI is read-only
# by construction: it tests, lints, and reports results.
permissions:
  contents: read

env:
  CARGO_TERM_COLOR: always

jobs:
  test:
    name: Test (${{ matrix.os }}, Rust ${{ matrix.rust }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - { os: ubuntu-latest,  rust: stable }
          - { os: macos-latest,   rust: stable }
          - { os: windows-latest, rust: stable }
          - { os: ubuntu-latest,  rust: "1.85" }
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.14"

      - name: Install Rust
        uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # master @ 2026-05-21
        with:
          toolchain: ${{ matrix.rust }}

      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2

      - name: Run tests (all features)
        run: cargo test --all-features

      - name: Run tests (no default features)
        run: cargo test --no-default-features

  failure-injection:
    name: Failure Injection Tests
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Install Rust
        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-21

      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2

      - name: Run IBKR F6 reconnect drill test
        run: cargo test -p nanobook-broker --test ibkr_f6_reconnect_drill

      - name: Run Binance F1 idempotency test
        run: cargo test -p nanobook-broker --test binance_f_bin1_idempotency --features binance

      - name: Run Binance F2 reconnect drill test
        run: cargo test -p nanobook-broker --test binance_f_bin2_reconnect_drill --features binance

  python-test:
    name: Python (${{ matrix.os }}, ${{ matrix.python }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        # All Python versions on Linux; latest only on Mac/Windows
        include:
          - { os: ubuntu-latest,  python: "3.11" }
          - { os: ubuntu-latest,  python: "3.12" }
          - { os: ubuntu-latest,  python: "3.13" }
          - { os: ubuntu-latest,  python: "3.14" }
          - { os: macos-latest,   python: "3.14" }
          - { os: windows-latest, python: "3.14" }
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: ${{ matrix.python }}

      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2

      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-21

      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          key: python-${{ matrix.python }}

      - name: Build and install Python extension
        working-directory: python
        run: uv sync --python ${{ matrix.python }} --group dev

      - name: Run Python tests (property + unit)
        working-directory: python
        run: uv run --python ${{ matrix.python }} --group dev python -m pytest tests/ -v --ignore=tests/reference

  lint:
    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.14"

      - name: Install Rust
        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-21
        with:
          components: clippy, rustfmt

      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2

      - name: Check formatting
        run: cargo fmt --all -- --check

      - name: Clippy
        run: cargo clippy --all-targets --all-features -- -D warnings

  security:
    name: Security audit
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Install Rust
        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-21

      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2

      # Pin tool versions (I1). --locked also freezes the tool's
      # own transitive deps, so the install is fully
      # deterministic. Bump versions deliberately rather than
      # letting CI silently pick up whatever is latest.
      - name: Install cargo-deny
        run: cargo install cargo-deny --version 0.19.4 --locked

      - name: Run cargo-deny
        run: cargo deny check

      - name: Install cargo-audit
        run: cargo install cargo-audit --version 0.22.1 --locked

      - name: Run cargo-audit
        run: cargo audit

  coverage:
    name: Code coverage
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Install Rust
        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-21

      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          key: coverage

      - name: Install cargo-llvm-cov
        run: cargo install cargo-llvm-cov --version 0.8.5 --locked

      - name: Generate coverage
        run: cargo llvm-cov --all-features --lcov --output-path lcov.info

      - name: Upload to Codecov
        uses: codecov/codecov-action@75cd11691c0faa626561e295848008c8a7dddffe # v5.5.4
        with:
          files: lcov.info
          fail_ci_if_error: false

  bench:
    name: Benchmark
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - name: Install Rust
        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-21

      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2

      - name: Run benchmarks
        run: cargo bench --all-features

  itch-replay-smoke:
    # Runs on a small committed fixture (a few seconds of real ITCH data),
    # no network. To regenerate the fixture from the full NASDAQ file, see
    # examples/itch-replay/README.md (download.sh + itch-slice).
    name: ITCH Replay Smoke (committed fixture)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.14"

      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2

      - name: Install Rust
        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-21

      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          key: itch-replay-smoke

      - name: Decompress fixture
        working-directory: examples/itch-replay
        run: |
          mkdir -p data
          gunzip -c fixtures/smoke.itch.gz > data/smoke.itch

      - name: Run replay on fixture
        working-directory: examples/itch-replay
        run: |
          cargo run --release --example itch-replay --features itch -- \
            --input data/smoke.itch \
            --output-dir data/replay-smoke

      - name: Install Python dependencies
        working-directory: examples/itch-replay
        run: |
          uv venv
          uv pip install -r requirements.txt
          # report.py imports nanobook; build the local bindings.
          uv pip install ../../python

      - name: Generate report
        working-directory: examples/itch-replay
        run: uv run report.py --input data/replay-smoke/event-log.jsonl --output data/replay-smoke/report.html

      - name: Verify summary matches expected
        working-directory: examples/itch-replay
        run: diff -u expected/summary.txt data/replay-smoke/summary.txt

      - name: Verify invariants log is empty
        working-directory: examples/itch-replay
        run: |
          if [ -s data/replay-smoke/invariants.log ]; then
            echo "invariants.log should be empty but contains:"
            cat data/replay-smoke/invariants.log
            exit 1
          fi

  momentum-backtest-smoke:
    name: Momentum Backtest Smoke (cached prices)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
        with:
          python-version: "3.14"

      - uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.4.2

      - name: Install Rust
        uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable @ 2026-05-21

      - uses: Swatinem/rust-cache@e18b497796c12c097a38f9edb9d0641fb99eee32 # v2
        with:
          key: momentum-backtest-smoke

      # Price data is committed in the repo; no cache or download needed.
      - name: Install Python dependencies
        working-directory: examples/momentum-backtest
        run: |
          uv venv
          uv pip install -r requirements.txt
          # strategy.py imports nanobook; build the local bindings so the
          # smoke test exercises the code under review, not a PyPI wheel.
          uv pip install ../../python

      - name: Run backtest with cached data (zero cost)
        working-directory: examples/momentum-backtest
        run: |
          # Window must cover the 12-month momentum lookback before the
          # first rebalance, or the signal is all-NaN and no rebalances run.
          uv run python strategy.py \
            --data-file data/sp100_ohlcv.csv \
            --start-date 2019-01-01 \
            --end-date 2020-12-31 \
            --initial-cash 1000000 \
            --commission-bps 0 \
            --slippage-bps 0 \
            --output results.json

      - name: Generate report
        working-directory: examples/momentum-backtest
        run: uv run python report.py --results results.json --output report.html

      - name: Verify results exist
        working-directory: examples/momentum-backtest
        run: |
          if [ ! -f results.json ]; then
            echo "results.json not found"
            exit 1
          fi
          if [ ! -f report.html ]; then
            echo "report.html not found"
            exit 1
          fi