nautechsystems
diff --git a/‎.cargo/audit.toml‎
Lines changed: 4 additions & 0 deletions b/‎.cargo/audit.toml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.cargo/config.toml‎
Lines changed: 2 additions & 0 deletions b/‎.cargo/config.toml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.codespellrc‎
Lines changed: 1 addition & 1 deletion b/‎.codespellrc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.docker/DockerfileUbuntu‎
Lines changed: 1 addition & 0 deletions b/‎.docker/DockerfileUbuntu‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.docker/nautilus_trader.dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎.docker/nautilus_trader.dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 0 additions & 1 deletion b/‎.github/CODEOWNERS‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎.github/OVERVIEW.md‎
Lines changed: 5 additions & 5 deletions b/‎.github/OVERVIEW.md‎
Lines changed: 5 additions & 5 deletions
diff --git a/‎.github/actionlint.yaml‎
Lines changed: 3 additions & 0 deletions b/‎.github/actionlint.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.github/actions/cargo-tool-install/action.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/actions/cargo-tool-install/action.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/actions/common-setup/action.yml‎
Lines changed: 82 additions & 52 deletions b/‎.github/actions/common-setup/action.yml‎
Lines changed: 82 additions & 52 deletions
@@ -7,6 +7,10 @@
 ignore = [
   # capnp unsound APIs, transitive via hypersync-client, awaiting upstream fix
   "RUSTSEC-2025-0143",
+  # paste unmaintained, transitive via alloy
+  "RUSTSEC-2024-0436",
+  # rand 0.8.5 unsoundness, transitive build-time only via pyo3-stub-gen
+  "RUSTSEC-2026-0097",
   # rsa Marvin Attack, transitive via sqlx-mysql, no fix available
   "RUSTSEC-2023-0071",
 ]
@@ -10,6 +10,8 @@ rustflags = [
 
 [target.'cfg(target_os = "linux")']
 rustflags = [
+  "-C",
+  "link-arg=-fuse-ld=lld",
   "-C",
   "link-arg=-Wl,--gc-sections",
   "-C",
 
@@ -3,4 +3,4 @@
 
 [codespell]
 # Comma-separated list of words to ignore
-ignore-words-list = ACN,ALO,Alo,allTime,BadAloPx,CapTable,arange,crate,datas,deques,disjointness,HIGHTER,Implementors,ot,pre,ser,socio-economic,Superseed,SUPERSEED,trough,usIn,zar
+ignore-words-list = ACN,ALO,Alo,allTime,BadAloPx,CapTable,arange,crate,datas,deques,disjointness,HIGHTER,Implementors,ot,pre,ser,socio-economic,Superseed,SUPERSEED,te,trough,usIn,zar
@@ -29,6 +29,7 @@ ENV CXX="clang++"
 RUN apt-get update && apt-get install -y \
     curl \
     clang \
+    lld \
     git \
     pkg-config \
     make \
 
@@ -17,7 +17,7 @@ FROM base AS builder
 
 # Install build deps
 RUN apt-get update && \
-    apt-get install -y curl clang git make pkg-config capnproto libcapnp-dev && \
+    apt-get install -y curl clang lld git make pkg-config capnproto libcapnp-dev && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
 
@@ -11,7 +11,6 @@
 # =============================================================================
 /.github/workflows/              @nautechsystems/core
 /.github/actions/                @nautechsystems/core
-/.github/dependabot.yml          @nautechsystems/core
 /.github/CODEOWNERS              @nautechsystems/core
 
 # =============================================================================
 
@@ -9,7 +9,7 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
 ## Composite actions (`.github/actions`)
 
 - **cargo-tool-install**: installs cargo tools (cargo-deny, cargo-vet) with caching.
-- **common-setup**: prepares the environment (OS packages, Rust toolchain, Rust cache, Python, pre-commit, swap space).
+- **common-setup**: prepares the environment (OS packages, Rust toolchain, Rust cache, Python, prek, swap space).
 - **common-test-data**: caches large test data under `tests/test_data/large`.
 - **common-wheel-build**: builds and installs Python wheels across Linux, macOS, and Windows for multiple Python versions.
 - **install-capnp**: installs the Cap'n Proto compiler with caching across Linux, macOS, and Windows.
@@ -24,11 +24,11 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
 - **cli-binaries.yml**: builds and publishes CLI binaries for multiple platforms.
 - **codeql-analysis.yml**: CodeQL security scans for Python and Rust on PRs and via cron.
 - **copilot-setup-steps.yml**: environment setup for GitHub Copilot coding agent.
-- **coverage.yml**: coverage report generation for the `nightly` branch.
+- **coverage.yml**: coverage report generation, currently paused and runs only on `workflow_dispatch`.
 - **docker.yml**: builds and pushes multi-platform Docker images (`nautilus_trader`, `jupyterlab`) using Buildx and native ARM runners.
 - **nightly-docs-features-check.yml**: nightly docs.rs build checks and crate feature compatibility verification.
 - **nightly-merge.yml**: auto-merges `develop` into `nightly` when CI succeeds.
-- **nightly-tests.yml**: extended test suites (turmoil network tests) that are too slow for PR builds.
+- **nightly-tests.yml**: extended test suites too slow for PR builds - turmoil network tests plus macOS, Windows, and Linux ARM build-and-test jobs that run daily at 12:00 UTC to give early visibility on develop before `nightly-merge` at 14:00 UTC.
 - **performance.yml**: Rust/Python benchmarks on `nightly`, reporting to CodSpeed.
 - **security-audit.yml**: nightly supply chain security checks (cargo-audit, cargo-deny, cargo-vet, osv-scanner).
 - **trigger-reindexing.yml**: triggers documentation reindexing for search.
@@ -45,7 +45,7 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
 ### Dependency security
 
 - **cargo-deny**: Rust dependency auditing for security advisories (RUSTSEC/GHSA), license compliance, banned crates, and supply chain integrity. Configuration in `deny.toml`.
-- **Dependency pinning**: Key tools (pre-commit, Python versions, Rust toolchain, cargo-nextest, uv) are locked to fixed versions or SHAs. The uv version is pinned via `required-version` in `pyproject.toml` and extracted by `scripts/uv-version.sh` for CI, Docker, and local builds.
+- **Dependency pinning**: Key tools (prek, Python versions, Rust toolchain, cargo-nextest, uv) are locked to fixed versions or SHAs. The uv version is pinned via `required-version` in `pyproject.toml` and extracted by `scripts/uv-version.sh` for CI, Docker, and local builds.
 - **Dependency cooldown**: Python dependency resolution excludes packages published within the last 3 days (`exclude-newer = "3 days"` in `[tool.uv]`). This gives the community time to detect and quarantine compromised releases before they enter the lockfile.
 - **Code scanning**: CodeQL is enabled for continuous security analysis of Python and Rust code on all PRs and weekly via cron.
 
@@ -54,7 +54,7 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
 - **Build attestations**: All published artifacts include cryptographic SLSA build provenance attestations, linking each artifact to a specific commit SHA. Verify via `gh attestation verify`.
 - **Immutable action pinning**: All third-party GitHub Actions are pinned to specific commit SHAs.
 - **Docker image pinning**: Base images in Dockerfiles and service containers in workflows are pinned to SHA256 digests to prevent supply-chain attacks via tag mutation.
-- **Caching**: Rust target directory cache (`Swatinem/rust-cache`), pip/site-packages, pre-commit, and test data caches speed up workflows while preserving hermetic (reproducible) builds. Rust cache saves are restricted to push events to prevent PR cache pollution.
+- **Caching**: Rust target directory cache (`Swatinem/rust-cache`), prek hook environments, and test data caches speed up workflows while preserving hermetic (reproducible) builds. Rust cache saves are restricted to push events to prevent PR cache pollution.
 - **Concurrency**: PR CI runs are cancelled when a new push arrives to the same PR. Push events to mainline branches are never cancelled.
 - **Runners**: Linux and Windows builds use Depot 8-core runners (32 GB RAM, 150 GB SSD). macOS builds use GitHub free runners. Lightweight jobs (plan, cargo-deny, cargo-vet, publish) use GitHub free runners. Custom runner labels are declared in `.github/actionlint.yaml`.
 
 
@@ -5,3 +5,6 @@ self-hosted-runner:
     - depot-windows-2022-8
     - depot-macos-14
     - depot-macos-15
+    - self-hosted-linux-x86
+    - build
+    - build-v2
@@ -31,14 +31,14 @@ runs:
 
     # https://github.com/actions-rust-lang/setup-rust-toolchain
     - name: Set up Rust toolchain
-      uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4
       with:
         toolchain: ${{ env.TOOLCHAIN }}
         override: true
 
     # https://github.com/actions/cache
     - name: Cache tool binary
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
         path: ${{ runner.tool_cache }}/${{ inputs.tool-name }}
         key: ${{ inputs.tool-name }}-bin-${{ env.TOOL_VERSION }}-${{ runner.os }}-${{ env.TOOLCHAIN }}
 
@@ -29,14 +29,40 @@ inputs:
     description: Whether to save the Rust cache (set to false for read-only cache on PR builds)
     required: false
     default: "true"
+  rust-cache-enabled:
+    description: >-
+      Whether to invoke Swatinem/rust-cache at all (set to false on self-hosted
+      runners using a persistent on-disk CARGO_TARGET_DIR).
+    required: false
+    default: "true"
+  uv-cache-enabled:
+    description: >-
+      Whether to persist the uv cache with GitHub Actions cache: true, false, or
+      auto (enabled on GitHub-hosted runners, disabled on self-hosted runners).
+    required: false
+    default: "auto"
+  prek-cache-enabled:
+    description: >-
+      Whether to persist the prek cache with GitHub Actions cache: true, false, or
+      auto (enabled on GitHub-hosted runners, disabled on self-hosted runners).
+    required: false
+    default: "auto"
 
 runs:
   using: "composite"
   steps:
     # > --------------------------------------------------
     # > OS
+    # Auto-skip on the nautilus-ci-runner-* self-hosted pool: those machines
+    # have ample disk and the action's tool-cache/docker-images cleanup
+    # actively erases the pre-installed Python toolcache and cached Docker
+    # layers we want to keep across runs. Depot runners and GitHub-hosted
+    # runners still need the cleanup, so they remain unaffected.
     - name: Free disk space (Ubuntu)
-      if: inputs.free-disk-space == 'true' && runner.os == 'Linux'
+      if: >-
+        inputs.free-disk-space == 'true'
+        && runner.os == 'Linux'
+        && !startsWith(runner.name, 'nautilus-ci-runner-')
       # https://github.com/jlumbroso/free-disk-space
       uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
       with:
@@ -98,7 +124,7 @@ runs:
       shell: bash
       run: |
         sudo apt-get update -o Acquire::Retries=5
-        sudo apt-get install -y curl clang git make pkg-config ripgrep -o Acquire::Retries=5
+        sudo apt-get install -y curl clang lld git make pkg-config ripgrep -o Acquire::Retries=5
         sudo apt-get install -y python3-dev libpython3-dev -o Acquire::Retries=5
         sudo apt-get clean
         sudo rm -rf /var/lib/apt/lists/*
@@ -123,7 +149,7 @@ runs:
 
     # https://github.com/actions-rust-lang/setup-rust-toolchain
     - name: Set up Rust toolchain
-      uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+      uses: actions-rust-lang/setup-rust-toolchain@150fca883cd4034361b621bd4e6a9d34e5143606 # v1.15.4
       with:
         toolchain: ${{ env.TOOLCHAIN }}
         components: clippy,rustfmt
@@ -132,6 +158,7 @@ runs:
 
     # https://github.com/Swatinem/rust-cache
     - name: Rust cache
+      if: inputs.rust-cache-enabled == 'true'
       uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
       with:
         workspaces: ${{ inputs.rust-cache-workspaces || '. -> target' }}
@@ -153,7 +180,7 @@ runs:
     - name: Install cargo-nextest
       if: inputs.build-type != 'pre-commit' && runner.os != 'macOS'
       # https://github.com/taiki-e/install-action
-      uses: taiki-e/install-action@cede0bb282aae847dfa8aacca3a41c86d973d4d7 # v2.68.1
+      uses: taiki-e/install-action@0d865d5cc6d507df4765f1f866bfae8bab4e2a73 # v2.69.7
       with:
         tool: cargo-nextest@${{ env.CARGO_NEXTEST_VERSION }}
 
@@ -180,24 +207,12 @@ runs:
       run: |
         echo "$HOME/.local/bin" >> "$GITHUB_PATH"
 
-    - name: Get pre-commit version
-      if: inputs.build-type == 'pre-commit'
-      shell: bash
-      run: |
-        echo "PRE_COMMIT_VERSION=$(bash scripts/pre-commit-version.sh)" >> $GITHUB_ENV
-
-    - name: Get cache scope and uv lock hash
+    - name: Get cache scope
       shell: bash
       env:
         CACHE_SCOPE: ${{ runner.os }}-${{ runner.arch }}-py${{ inputs.python-version }}
       run: |
         echo "CACHE_SCOPE=$CACHE_SCOPE" >> "$GITHUB_ENV"
-        python - <<'PY' >> "$GITHUB_ENV"
-        import hashlib
-        from pathlib import Path
-
-        print(f"UV_LOCK_HASH={hashlib.sha256(Path('uv.lock').read_bytes()).hexdigest()}")
-        PY
 
     - name: Get pre-commit config hash
       if: inputs.build-type == 'pre-commit'
@@ -212,20 +227,13 @@ runs:
         )
         PY
 
-    # Keep this exact-keyed since site-packages is an installed environment, not a download cache
-    - name: Cache Python site-packages
-      if: inputs.build-type == 'pre-commit'
-      id: cached-site-packages
-      # https://github.com/actions/cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
-      with:
-        path: ~/.local/lib/python${{ inputs.python-version }}/site-packages
-        key: ${{ env.CACHE_SCOPE }}-site-packages-pre-commit-${{ env.PRE_COMMIT_VERSION }}
-
-    - name: Install pre-commit
+    - name: Install prek
       if: inputs.build-type == 'pre-commit'
       shell: bash
-      run: pip install pre-commit==${{ env.PRE_COMMIT_VERSION }}
+      run: |
+        PREK_VERSION="$(bash scripts/tool-version.sh prek)"
+        curl --proto '=https' --tlsv1.2 -LsSf \
+          "https://github.com/j178/prek/releases/download/v${PREK_VERSION}/prek-installer.sh" | sh
 
     # > --------------------------------------------------
     # > UV
@@ -236,39 +244,61 @@ runs:
 
     - name: Install uv
       # https://github.com/astral-sh/setup-uv
-      uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+      uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
       with:
         version: ${{ env.UV_VERSION }}
+        enable-cache: ${{ inputs.uv-cache-enabled }}
+        cache-suffix: ${{ env.CACHE_SCOPE }}-uv-${{ env.UV_VERSION }}
+        prune-cache: true
 
     - name: Set uv cache-dir
       shell: bash
       run: |
         echo "UV_CACHE_DIR=$(uv cache dir)" >> $GITHUB_ENV
 
-    - name: Cached uv
-      # Skip on macOS: hashFiles() broken in composite actions after Nov 20 runner update
-      # See: https://github.com/actions/runner/issues/3765
-      if: runner.os != 'macOS'
-      id: cached-uv
-      # https://github.com/actions/cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
-      with:
-        path: ${{ env.UV_CACHE_DIR }}
-        key: ${{ env.CACHE_SCOPE }}-uv-${{ env.UV_VERSION }}-${{ env.UV_LOCK_HASH }}
-        restore-keys: |
-          ${{ env.CACHE_SCOPE }}-uv-${{ env.UV_VERSION }}-
+    # Self-hosted runners skip setup-uv's save-cache (and its built-in prune) under auto.
+    - name: Prune uv cache
+      shell: bash
+      run: uv cache prune --ci
 
     # > --------------------------------------------------
-    # > pre-commit
-    - name: Cached pre-commit
-      if: inputs.build-type == 'pre-commit' && runner.os != 'macOS'
-      # Skip on macOS: hashFiles() broken in composite actions after Nov 20 runner update
-      # See: https://github.com/actions/runner/issues/3765
-      id: cached-pre-commit
+    # > prek (pre-commit hook environments)
+    - name: Cached pre-commit environments
+      # Skip on macOS: hashFiles() broken in composite actions, see actions/runner#3765
+      if: >-
+        inputs.build-type == 'pre-commit'
+        && runner.os != 'macOS'
+        && (inputs.prek-cache-enabled == 'true'
+            || (inputs.prek-cache-enabled == 'auto'
+                && runner.environment != 'self-hosted'))
+      id: cached-prek
       # https://github.com/actions/cache
-      uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+      uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
       with:
-        path: ~/.cache/pre-commit
-        key: ${{ env.CACHE_SCOPE }}-pre-commit-${{ env.PRE_COMMIT_VERSION }}-${{ env.PRE_COMMIT_CONFIG_HASH }}
+        path: ~/.cache/prek
+        key: ${{ env.CACHE_SCOPE }}-prek-${{ env.PRE_COMMIT_CONFIG_HASH }}
         restore-keys: |
-          ${{ env.CACHE_SCOPE }}-pre-commit-${{ env.PRE_COMMIT_VERSION }}-
+          ${{ env.CACHE_SCOPE }}-prek-
+
+    # > --------------------------------------------------
+    # > Cache footprint
+    - name: Report cache footprint
+      if: runner.os != 'Windows'
+      shell: bash
+      run: |
+        {
+          echo "## Cache footprint"
+          echo
+          echo '```'
+          df -h "$HOME" 2>/dev/null || df -h /
+          echo
+          for path in \
+            "$HOME/.cache/uv" \
+            "$HOME/.cache/prek" \
+            "$HOME/.cache/cargo-target" \
+            "$HOME/.cargo/registry" \
+            "$HOME/.cargo/git"; do
+            [ -d "$path" ] && du -sh "$path" 2>/dev/null || true
+          done
+          echo '```'
+        } >> "$GITHUB_STEP_SUMMARY"