nautechsystems
diff --git a/‎.cargo/config.toml‎
Lines changed: 3 additions & 0 deletions b/‎.cargo/config.toml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎.codespellrc‎
Lines changed: 1 addition & 1 deletion b/‎.codespellrc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.config/nextest.toml‎
Lines changed: 5 additions & 0 deletions b/‎.config/nextest.toml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎.docker/DockerfileUbuntu‎
Lines changed: 3 additions & 2 deletions b/‎.docker/DockerfileUbuntu‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎.docker/nautilus_trader.dockerfile‎
Lines changed: 2 additions & 1 deletion b/‎.docker/nautilus_trader.dockerfile‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/OVERVIEW.md‎
Lines changed: 33 additions & 21 deletions b/‎.github/OVERVIEW.md‎
Lines changed: 33 additions & 21 deletions
diff --git a/‎.github/actions/cargo-tool-install/action.yml‎
Lines changed: 60 additions & 0 deletions b/‎.github/actions/cargo-tool-install/action.yml‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎.github/actions/common-setup/action.yml‎
Lines changed: 70 additions & 31 deletions b/‎.github/actions/common-setup/action.yml‎
Lines changed: 70 additions & 31 deletions
@@ -1,3 +1,6 @@
+[build]
+rustdocflags = ["--cfg", "docsrs", "-D", "warnings"]
+
 [target.'cfg(all())']
 rustflags = [
   # https://rust-lang.github.io/rust-clippy/master/index.html#drop_non_drop
 
@@ -3,4 +3,4 @@
 
 [codespell]
 # Comma-separated list of words to ignore
-ignore-words-list = ACN,ALO,Alo,BadAloPx,arange,crate,datas,deques,disjointness,HIGHTER,Implementors,ot,pre,ser,socio-economic,Superseed,SUPERSEED,zar
+ignore-words-list = ACN,ALO,Alo,BadAloPx,CapTable,arange,crate,datas,deques,disjointness,HIGHTER,Implementors,ot,pre,ser,socio-economic,Superseed,SUPERSEED,trough,usIn,zar
@@ -11,3 +11,8 @@ test-group = 'serial-tests'
 [[profile.default.overrides]]
 filter = 'test(test_order_book)'
 slow-timeout = { period = "300s" }
+
+# Websocket tests can be flaky due to timing on low-spec runners, give them extra retries
+[[profile.default.overrides]]
+filter = 'binary(websocket)'
+retries = 3
@@ -14,13 +14,14 @@
 # Remove the image
 # docker image rm nautilus-dev
 
-FROM ubuntu:22.04
+# Pin to specific digest for supply-chain security (ubuntu:22.04 as of 2025-11-29)
+FROM ubuntu@sha256:104ae83764a5119017b8e8d6218fa0832b09df65aae7d5a6de29a85d813da2fb
 
 # Set environment variables
 ENV DEBIAN_FRONTEND=noninteractive
 ENV BUILD_MODE=release
 ENV RUST_BACKTRACE=1
-ENV CARGO_INCREMENTAL=1
+ENV CARGO_INCREMENTAL=0
 ENV CC="clang"
 ENV CXX="clang++"
 
 
@@ -1,4 +1,5 @@
-FROM python:3.13-slim AS base
+# Pin to specific digest for supply-chain security (python:3.13-slim as of 2025-11-29)
+FROM python@sha256:326df678c20c78d465db501563f3492d17c42a4afe33a1f2bf5406a1d56b0e86 AS base
 ENV PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1 \
     PIP_NO_CACHE_DIR=off \
 
@@ -16,31 +16,43 @@ CI/CD, testing, publishing, and automation within the NautilusTrader repository.
 
 ## Workflows (`.github/workflows`)
 
-- **build.yml**: runs pre-commit, cargo-deny security checks, Rust tests, Python tests, builds wheels on multiple platforms, and uploads wheel artifacts.
-- **build-docs.yml**: dispatches a repository event to trigger the documentation build on `master` and `nightly` pushes.
-- **codeql-analysis.yml**: schedules and runs CodeQL security scans for Python and Rust code on pull requests to develop and periodically via cron.
-- **coverage.yml**: (optional) coverage report generation for the `nightly` branch.
-- **docker.yml**: builds and pushes Docker images (`nautilus_trader`, `jupyterlab`) for `master` and `nightly` branches using Buildx and QEMU.
-- **nightly-merge.yml**: automatically merges `develop` into `nightly` when the latest `develop` workflows succeed.
-- **performance.yml**: runs Rust/Python performance benchmarks on the `nightly` branch and reports to CodSpeed.
+- **build.yml**: main CI pipeline - pre-commit, cargo-deny, Rust tests, Python tests, wheel builds, and artifact uploads.
+- **build-v2.yml**: CI pipeline for the v2 Rust-native system.
+- **build-docs.yml**: dispatches documentation build on `master` and `nightly` pushes.
+- **cli-binaries.yml**: builds and publishes CLI binaries for multiple platforms.
+- **codeql-analysis.yml**: CodeQL security scans for Python and Rust on PRs and via cron.
+- **copilot-setup-steps.yml**: environment setup for GitHub Copilot coding agent.
+- **coverage.yml**: coverage report generation for the `nightly` branch.
+- **docker.yml**: builds and pushes Docker images (`nautilus_trader`, `jupyterlab`) using Buildx and QEMU.
+- **nightly-merge.yml**: auto-merges `develop` into `nightly` when CI succeeds.
+- **performance.yml**: Rust/Python benchmarks on `nightly`, reporting to CodSpeed.
+- **trigger-reindexing.yml**: triggers documentation reindexing for search.
 
 ## Security
 
-- **CODEOWNERS**: Critical infrastructure files (workflows, dependencies, build configs, scripts) require Core team review before merge. This prevents unauthorized supply chain modifications and ensures all sensitive changes receive security review.
-- **Branch protection**: The develop branch requires PR reviews with CODEOWNERS enforcement and passing CI checks. External PRs must receive Core team approval before merge, while admin bypass is enabled for maintainer flexibility.
-- **cargo-deny**: Rust dependency auditing for security advisories (RUSTSEC/GHSA), license compliance (LGPL-3.0 compatibility), banned crates, and supply chain integrity. Runs in CI to block vulnerable or non-compliant dependencies. Configuration in `deny.toml`.
-- **Build attestations**: All published artifacts (wheels and source distributions) include cryptographic SLSA build provenance attestations. These prove artifacts were built by the official GitHub Actions workflow and link each artifact to a specific commit SHA, enabling users to verify authenticity via `gh attestation verify`. Attestations are generated for all releases, nightly builds, and develop builds published to PyPI, GitHub Releases, and the Nautech Systems package index.
-- **Code scanning**: CodeQL is enabled for continuous security analysis of Python and Rust code. Scans run on all PRs to develop and weekly via cron schedule.
-- **Immutable action pinning**: All third-party actions are pinned to specific commit SHAs to guarantee immutability and reproducibility.
-- **Hardened runners**: Most workflows employ `step-security/harden-runner` with `egress-policy: audit` to reduce attack surface and monitor outbound traffic.
-- **Secret management**: No secrets or credentials are stored in the repo. AWS, PyPI, and other credentials are provided via GitHub Secrets and injected at runtime.
+### Access controls
+
+- **CODEOWNERS**: Critical infrastructure files (workflows, dependencies, build configs, scripts) require Core team review before merge.
+- **Branch protection**: The develop branch requires PR reviews with CODEOWNERS enforcement and passing CI checks. External PRs must receive Core team approval before merge.
+- **Least-privilege tokens**: Workflows default `GITHUB_TOKEN` to `contents: read, actions: read` and selectively elevate scopes only for jobs that need them.
+- **Secret management**: No secrets or credentials are stored in the repo. Credentials are provided via GitHub Secrets and injected at runtime.
+
+### Dependency security
+
+- **cargo-deny**: Rust dependency auditing for security advisories (RUSTSEC/GHSA), license compliance, banned crates, and supply chain integrity. Configuration in `deny.toml`.
 - **Dependency pinning**: Key tools (pre-commit, Python versions, Rust toolchain, cargo-nextest) are locked to fixed versions or SHAs.
-- **Least-privilege tokens**: Workflows default the `GITHUB_TOKEN` to
-  `contents: read, actions: read` and selectively elevate scopes (e.g.
-  `contents: write`) only for the jobs that need to tag a release or upload
-  assets. This follows the principle of least privilege and limits blast
-  radius if a job is compromised.
-- **Caching**: Caches for sccache, pip/site-packages, pre-commit, and test data speed up workflows while preserving hermetic builds.
+- **Code scanning**: CodeQL is enabled for continuous security analysis of Python and Rust code on all PRs and weekly via cron.
+
+### Build integrity
+
+- **Build attestations**: All published artifacts include cryptographic SLSA build provenance attestations, linking each artifact to a specific commit SHA. Verify via `gh attestation verify`.
+- **Immutable action pinning**: All third-party GitHub Actions are pinned to specific commit SHAs.
+- **Docker image pinning**: Base images in Dockerfiles are pinned to SHA256 digests to prevent supply-chain attacks via tag mutation.
+- **Caching**: Caches for sccache, pip/site-packages, pre-commit, and test data speed up workflows while preserving hermetic (reproducible) builds.
+
+### Runtime hardening
+
+- **Hardened runners**: Most workflows employ `step-security/harden-runner` with `egress-policy: audit` to reduce attack surface and monitor outbound traffic.
 
 ### Allowed network endpoints
 
 
@@ -0,0 +1,60 @@
+name: cargo-tool-install
+description: Install a cargo tool with caching
+
+inputs:
+  tool-name:
+    description: The cargo tool to install (e.g., cargo-deny, cargo-vet)
+    required: true
+
+outputs:
+  version:
+    description: The installed tool version
+    value: ${{ steps.get-version.outputs.version }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Get tool version
+      id: get-version
+      shell: bash
+      env:
+        TOOL_NAME: ${{ inputs.tool-name }}
+      run: |
+        VERSION=$(bash scripts/cargo-tool-version.sh "$TOOL_NAME")
+        echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+        echo "TOOL_VERSION=$VERSION" >> "$GITHUB_ENV"
+        echo "TOOL_NAME=$TOOL_NAME" >> "$GITHUB_ENV"
+
+    - name: Get Rust toolchain version
+      shell: bash
+      run: echo "TOOLCHAIN=$(bash scripts/rust-toolchain.sh)" >> "$GITHUB_ENV"
+
+    # https://github.com/actions-rust-lang/setup-rust-toolchain
+    - name: Set up Rust toolchain
+      uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+      with:
+        toolchain: ${{ env.TOOLCHAIN }}
+        override: true
+
+    # https://github.com/actions/cache
+    - name: Cache tool binary
+      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+      with:
+        path: ${{ runner.tool_cache }}/${{ inputs.tool-name }}
+        key: ${{ inputs.tool-name }}-bin-${{ env.TOOL_VERSION }}
+
+    - name: Add tool to PATH
+      shell: bash
+      env:
+        TOOL_CACHE: ${{ runner.tool_cache }}
+      run: echo "$TOOL_CACHE/$TOOL_NAME/bin" >> "$GITHUB_PATH"
+
+    - name: Install tool
+      shell: bash
+      env:
+        TOOL_CACHE: ${{ runner.tool_cache }}
+      run: |
+        cargo install --locked \
+          --root "$TOOL_CACHE/$TOOL_NAME" \
+          --version "$TOOL_VERSION" \
+          "$TOOL_NAME"
@@ -9,6 +9,10 @@ inputs:
     description: Free disk space
     required: false
     default: "false"
+  build-type:
+    description: Type of build (pre-commit, test, release)
+    required: false
+    default: "release"
 
 runs:
   using: "composite"
@@ -20,20 +24,24 @@ runs:
       # https://github.com/jlumbroso/free-disk-space
       uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
       with:
-        tool-cache: true
+        tool-cache: ${{ inputs.build-type != 'pre-commit' }}
         android: true
         dotnet: true
-        haskell: true
-        large-packages: true
+        haskell: ${{ inputs.build-type != 'pre-commit' }}
+        large-packages: ${{ inputs.build-type != 'pre-commit' }}
         docker-images: true
-        swap-storage: true
+        swap-storage: ${{ inputs.build-type != 'pre-commit' }}
 
     - name: Free disk space (Windows)
       if: inputs.free-disk-space == 'true' && runner.os == 'Windows'
       shell: bash
+      env:
+        BUILD_TYPE: ${{ inputs.build-type }}
       run: |
         rm -rf "/c/Program Files/dotnet"
-        rm -rf "/c/Program Files (x86)/Microsoft Visual Studio/2019"
+        if [ "$BUILD_TYPE" != "pre-commit" ]; then
+          rm -rf "/c/Program Files (x86)/Microsoft Visual Studio/2019"
+        fi
 
     - name: Install runner dependencies
       if: runner.os == 'Linux'
@@ -42,19 +50,49 @@ runs:
         sudo apt-get update -o Acquire::Retries=5
         sudo apt-get install -y curl clang git make pkg-config ripgrep -o Acquire::Retries=5
         sudo apt-get install -y python3-dev libpython3-dev -o Acquire::Retries=5
-        sudo apt-get install -y capnproto libcapnp-dev -o Acquire::Retries=5
         sudo apt-get clean
         sudo rm -rf /var/lib/apt/lists/*
 
-    - name: Install capnproto (macOS)
+    - name: Install capnp and ripgrep (macOS)
       if: runner.os == 'macOS'
       shell: bash
       run: |
         brew update || { sleep 5; brew update; }
         brew install capnp ripgrep || { sleep 5; brew install capnp ripgrep; }
         brew cleanup
 
-    - name: Install capnproto (Windows)
+    - name: Set Cap'n Proto install prefix (Linux)
+      if: runner.os == 'Linux'
+      shell: bash
+      run: |
+        echo "CAPNP_PREFIX=$GITHUB_WORKSPACE/.cache/capnp" >> $GITHUB_ENV
+        echo "$GITHUB_WORKSPACE/.cache/capnp/bin" >> $GITHUB_PATH
+
+    - name: Get Linux version
+      if: runner.os == 'Linux'
+      id: linux-version
+      shell: bash
+      run: echo "release=$(lsb_release -rs)" >> "$GITHUB_OUTPUT"
+
+    - name: Get capnp version from capnp-version
+      shell: bash
+      run: |
+        echo "CAPNP_VERSION=$(cat capnp-version)" >> $GITHUB_ENV
+
+    - name: Cache Cap'n Proto (Linux)
+      if: runner.os == 'Linux'
+      id: cache-capnp
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+      with:
+        path: ${{ github.workspace }}/.cache/capnp
+        key: capnp-linux-${{ steps.linux-version.outputs.release }}-${{ env.CAPNP_VERSION }}-${{ runner.arch }}
+
+    - name: Install capnp
+      if: runner.os == 'Linux'
+      shell: bash
+      run: bash scripts/install-capnp.sh
+
+    - name: Install capnp (Windows)
       if: runner.os == 'Windows'
       shell: bash
       run: |
@@ -81,13 +119,14 @@ runs:
 
     # https://github.com/actions-rust-lang/setup-rust-toolchain
     - name: Set up Rust toolchain
-      uses: actions-rust-lang/setup-rust-toolchain@ac90e63697ac2784f4ecfe2964e1a285c304003a # v1.14.1
+      uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
       with:
         toolchain: ${{ env.TOOLCHAIN }}
         components: clippy,rustfmt
         override: true
 
     - name: Install cargo-nextest
+      if: inputs.build-type != 'pre-commit'
       # https://github.com/taiki-e/install-action # v2.53.2
       uses: taiki-e/install-action@d12e869b89167df346dd0ff65da342d1fb1202fb
       with:
@@ -96,6 +135,7 @@ runs:
     # > --------------------------------------------------
     # > sccache
     - name: Set sccache env vars (common)
+      if: inputs.build-type != 'pre-commit'
       shell: bash
       run: |
         echo "RUSTC_WRAPPER=sccache" >> $GITHUB_ENV
@@ -109,38 +149,26 @@ runs:
         echo "CARGO_INCREMENTAL=0" >> $GITHUB_ENV
 
     - name: Set sccache env vars (non-Windows)
-      if: runner.os != 'Windows'
+      if: runner.os != 'Windows' && inputs.build-type != 'pre-commit'
       shell: bash
       run: |
-        echo "SCCACHE_DIR=${{ github.workspace }}/.cache/sccache" >> $GITHUB_ENV
+        echo "SCCACHE_DIR=$GITHUB_WORKSPACE/.cache/sccache" >> $GITHUB_ENV
         echo "CC=sccache clang" >> $GITHUB_ENV
         echo "CXX=sccache clang++" >> $GITHUB_ENV
 
     - name: Set sccache env vars (Windows)
-      if: runner.os == 'Windows'
+      if: runner.os == 'Windows' && inputs.build-type != 'pre-commit'
       shell: bash
       run: |
         echo SCCACHE_DIR="C:\.cache\sccache" >> $GITHUB_ENV
         echo CMAKE_C_COMPILER_LAUNCHER=sccache >> $GITHUB_ENV
         echo CMAKE_CXX_COMPILER_LAUNCHER=sccache >> $GITHUB_ENV
 
-    - name: Cached sccache
-      id: cached-sccache
-      # https://github.com/actions/cache
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
-      with:
-        path: ${{ env.SCCACHE_DIR }}
-        key:
-          sccache-${{ runner.os }}-${{ github.workflow }}-${{ github.job }}-${{
-          hashFiles('**/Cargo.toml', '**/Cargo.lock', '**/uv.lock') }}
-        restore-keys: |
-          sccache-${{ runner.os }}-${{ github.workflow }}-${{ github.job }}-
-          sccache-${{ runner.os }}-${{ github.workflow }}-
-          sccache-${{ runner.os }}-
-
     - name: Run sccache
+      if: inputs.build-type != 'pre-commit'
       # https://github.com/Mozilla-Actions/sccache-action
       uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
+      continue-on-error: true # Build continues without cache if sccache setup fails
 
     # > --------------------------------------------------
     # > Python
@@ -160,10 +188,15 @@ runs:
       run: |
         echo "PYTHON_VERSION=$(bash scripts/python-version.sh)" >> $GITHUB_ENV
 
+    - name: Get pre-commit version
+      shell: bash
+      run: |
+        echo "PRE_COMMIT_VERSION=$(bash scripts/pre-commit-version.sh)" >> $GITHUB_ENV
+
     - name: Cache Python site-packages
       id: cached-site-packages
       # https://github.com/actions/cache
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ~/.local/lib/python${{ inputs.python-version }}/site-packages
         key: ${{ runner.os }}-${{ inputs.python-version }}-site-packages
@@ -172,7 +205,7 @@ runs:
 
     - name: Install pre-commit
       shell: bash
-      run: pip install pre-commit==4.2.0
+      run: pip install pre-commit==${{ env.PRE_COMMIT_VERSION }}
 
     # > --------------------------------------------------
     # > UV
@@ -183,7 +216,7 @@ runs:
 
     - name: Install uv
       # https://github.com/astral-sh/setup-uv
-      uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
+      uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
       with:
         version: ${{ env.UV_VERSION }}
 
@@ -193,19 +226,25 @@ runs:
         echo "UV_CACHE_DIR=$(uv cache dir)" >> $GITHUB_ENV
 
     - name: Cached uv
+      # Skip on macOS: hashFiles() broken in composite actions after Nov 20 runner update
+      # See: https://github.com/actions/runner/issues/3765
+      if: runner.os != 'macOS'
       id: cached-uv
       # https://github.com/actions/cache
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ${{ env.UV_CACHE_DIR }}
         key: ${{ runner.os }}-${{ env.PYTHON_VERSION }}-uv-${{ hashFiles('**/uv.lock') }}
 
     # > --------------------------------------------------
     # > pre-commit
     - name: Cached pre-commit
+      # Skip on macOS: hashFiles() broken in composite actions after Nov 20 runner update
+      # See: https://github.com/actions/runner/issues/3765
+      if: runner.os != 'macOS'
       id: cached-pre-commit
       # https://github.com/actions/cache
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: ~/.cache/pre-commit
         key: ${{ runner.os }}-${{ env.PYTHON_VERSION }}-pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}