docs(C1): mark code strategy refusal complete
Record the implementation commit that refuses unsafe code strategy backtests before execution.

Refs: docs/AUDIT_REDESIGN.md item C1.

Co-Authored-By: GPT-5 Codex <noreply@openai.com>
parent 6aa001a530
commit d80734288e
@ -41,7 +41,7 @@ Status: ⬜ open · 🟦 in PR · ✅ fixed (commit hash on the right).
| # | Issue | Severity | Status | Fix commit |
| --- | ---------------------------------------------------------------------------------------------------------------------------------- | :------: | :----: | ---------- |
| C1 | Backend posts arbitrary user JS (`strategyCode`) to `/api/backtest` if A1+A2 are "fixed" naively. Must sandbox or refuse. | 🔴 | ⬜ | |
| C1 | Backend posts arbitrary user JS (`strategyCode`) to `/api/backtest` if A1+A2 are "fixed" naively. Must sandbox or refuse. | 🔴 | ✅ | 6aa001a |
| C2 | No FMP response cache. Free tier = 250 req/day. Every Home view load = 3 req. 80 page loads/day → quota burnt by lunch. | 🟠 | ✅ | 0828007 |
| C3 | `/api/screener` passes `sector` query through to FMP without an allow-list. Low-impact injection, but should validate. | 🟡 | ⬜ | |
| C4 | `/api/news` passes `symbols` through to Alpaca without validation. | 🟡 | ⬜ | |
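Review bot: The C1 row is flipped to ✅ but its Issue cell still reads "Must sandbox or refuse.", so the table no longer records which of the two was implemented; since the commit title says the backend now refuses unsafe code strategy backtests before execution, consider rewording the cell to something like "Backend posts arbitrary user JS (`strategyCode`) to `/api/backtest` … Fixed by refusing such backtests before execution (no sandbox)." so the residual limitation is visible without opening 6aa001a. The short hash 6aa001a matches the parent commit 6aa001a530 shown above and the 7-character style of C2's 0828007, so that column is consistent.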