feat: decode-able backtest fingerprint (strategy/input/engine/codegen provenance)

[luisleo526]

Summary

Attaches a reversible fingerprint to backtest output recording exactly what produced a run — so a result is self-describing and reproducible.

report["fingerprint"] = { token, digest, provenance }:

• token — base64 of the canonical (sorted-keys) provenance JSON. Reversible, no key: jq -r .fingerprint.token report.json | base64 -d | jq .
• digest — sha256: of the same canonical JSON; stable run id (same target + settings ⇒ same digest).
• provenance —
  • engine — version + git sha (read from the .so via the already-exported pf_version_get/pf_version_string)
  • codegen — package version + sha256(generated.cpp) + transpiled_from_pine
  • strategy — all strategy() params, effective (default ⊕ override), even with zero overrides
  • inputs — all input() values as {type, default, value}, effective
  • applied — the user-supplied deltas (inputs / overrides)
  • runtime — timeframe / bar-magnifier knobs

The full effective param set is sourced by parsing the codegen-emitted generated.cpp (the one artifact present in every run mode and already hashed): strategy() defaults from the constructor body plus a canonical engine-default seed for the two base-class-defaulted fields; input()s from get_input_* calls.

Changes

• docker/run_json.py — fingerprint helpers, ctypes version reader, --generated-cpp/--transpiled args, inject report["fingerprint"] (crash-proofed).
• scripts/run_strategy.py — same helpers (byte-identical block) + opt-in --fingerprint-json PATH sidecar (default off → corpus parity untouched).
• docker/entrypoint.sh — passes the compiled cpp path + transpile flag.
• docker/Dockerfile — pip install -U (force-latest codegen; fingerprint records what actually ran).
• docker/README.md — documents the field.
• scripts/fingerprint_self_test.py — pins both helper copies to identical behavior.

No C++ changes (pf_version_* already exported; the C-ABI runtime check is unaffected).

Design notes

• "Decryptable" = reversible base64 encoding, not encryption (chosen requirement).
• The helper block is duplicated byte-identically across docker/run_json.py and scripts/run_strategy.py because scripts/ is .dockerignored (no shared runtime module); the self-test enforces they never drift. Matches the existing duplicated ctypes ABI mirror across the same two files.

Test Plan

• python3 scripts/fingerprint_self_test.py → 52/52
• Parser on real corpus generated.cpp → strategy=9 fields, inputs typed correctly; 257 files scanned, 0 malformed string defaults (after std::string() unwrap fix)
• ctest --test-dir build → 72/72
• ./scripts/run_corpus.sh → 246 strategies, excellent=245 / anomaly=1 (baseline, no regression)
• python3 scripts/check_c_abi_runtime.py → exit 0
• docker build + docker run real .pine → token round-trips, overrides applied, transpiled_from_pine:true, -U pulled codegen 0.7.0
• Re-run container against the post-fix image (fix is python-only, COPY'd at build, proven via direct corpus parse; release.yml rebuilds the image)

🤖 Generated with Claude Code