feat: add model and data source settings UI

[GTC2080]

Summary

• Add a Settings page for configuring LLM provider, model, endpoint, API key, generation limits, and reasoning effort.
• Add data source settings for Tushare token management and BaoStock availability/status display.
• Add backend settings endpoints, Tushare placeholder-token handling, and API regression tests.

Why

Users currently need to edit agent/.env manually to switch LLM models or configure market data credentials. This PR exposes those common local settings in the Web UI while keeping secrets masked in API responses.

No local runtime-directory migration is included in this PR.

Changes

• Added GET/PUT /settings/llm for project-local LLM settings persisted to agent/.env.
• Added GET/PUT /settings/data-sources for Tushare token settings and BaoStock status reporting.
• Added a frontend /settings route and sidebar entry.
• Added provider defaults for common OpenAI-compatible providers and Ollama.
• Added max as an allowed reasoning-effort option.
• Treat your-tushare-token as an unconfigured Tushare placeholder.
• Added agent/tests/test_settings_api.py coverage for secret masking, env persistence, and placeholder handling.

Test Plan

• Existing tests pass (pytest --ignore=agent/tests/e2e_backtest --tb=short -q)
• New tests added (if applicable)
• Tested manually (describe below)

Manual/targeted checks run on Windows:

• python -S -m py_compile agent\api_server.py agent\backtest\loaders\tushare.py agent\tests\test_settings_api.py
• E:\测试\vibe_trading\.venv\Scripts\python.exe -m pytest agent\tests\test_settings_api.py -q -> 4 passed
• npm ci --cache E:\测试\vibe_trading_pr_settings\.npm-cache
• npm run build -> passed, with the existing Vite large-chunk warning
• Full pytest --ignore=agent/tests/e2e_backtest --tb=short -q on Windows reached 669 passed, 1 skipped, with 3 existing Windows path assertion failures in agent/tests/test_loop_helpers.py::TestNormalizeToolRunDir where /tmp/... is normalized to E:\tmp\....

Checklist

• No changes to protected areas (src/agent/, src/session/, src/providers/) without prior discussion
• No hardcoded values (API keys, file paths, magic numbers)
• Code follows CONTRIBUTING.md guidelines
• Documentation updated (if user-facing change)

Related issue

Closes #58

[warren618]

Thanks for the PR. The feature direction is useful and aligned with making local Web UI setup easier, but I do not think we should merge it as-is because these endpoints can modify agent/.env, credentials, and the running API process.

Requested changes:

• Make GET /settings/* side-effect free. It currently calls _ensure_agent_env_file() and can create agent/.env from .env.example just by reading settings.
• Treat documented placeholder LLM keys from .env.example as unconfigured, similar to the new Tushare placeholder handling. Examples include sk-or-v1-your-key-here, sk-xxx, xxx, and gsk_xxx.
• Avoid exposing absolute env_path from unauthenticated settings reads. Prefer removing it or returning a project-relative path only.
• Harden settings writes. These endpoints modify credentials/runtime env, while the server defaults to 0.0.0.0 and API_AUTH_KEY may be unset in dev mode. Settings writes should be local-only or otherwise protected even when no API key is configured.
• Move provider default metadata out of agent/api_server.py into a JSON/YAML config so provider additions remain data-driven.
• Add user-facing docs for the Settings page and rerun verification: targeted settings API tests, frontend build, and one real agent/backtest smoke or E2E check.

Please keep the PR open. I think this is worth merging after the above changes.

[GTC2080]

Thanks for the detailed review. I pushed an update in b300c45 addressing the requested changes:

• GET /settings/llm and GET /settings/data-sources are now side-effect free. They read agent/.env when present, otherwise use .env.example only as display defaults, and no longer create agent/.env on reads.
• Documented LLM placeholder keys (sk-or-v1-your-key-here, sk-xxx, xxx, gsk_xxx) are treated as unconfigured and are not returned as masked hints.
• Settings responses now return a project-relative env_path instead of an absolute filesystem path.
• PUT /settings/* is hardened: when API_AUTH_KEY is configured it requires the bearer token; when dev auth is unset it accepts writes only from loopback clients.
• LLM provider metadata has moved from agent/api_server.py to agent/src/providers/llm_providers.json, with package data configured in pyproject.toml.
• README docs now describe the Settings page behavior, endpoint list, path behavior, and write-auth expectations.

Verification rerun:

• python -m pytest agent/tests/test_settings_api.py -q -> 8 passed
• python -m pytest agent/tests/test_swarm_presets_packaging.py agent/tests/test_engine_robustness.py::TestFullBacktestRobustness::test_backtest_with_suspension_gap -q -> 7 passed
• cd frontend && npm run build -> passed
• Real backtest smoke: python backtest/runner.py <run_dir> with source=yfinance, codes=["AAPL.US"] -> completed successfully and produced metrics/artifacts

[warren618]

Thanks for the update and for pushing this feature forward 🙂

I re-checked the latest PR head. The earlier blockers have now been addressed, including the settings read/write safety boundary and the Vite dev proxy path for the Settings page.

Maintainer follow-up commits added:

• a3a7d4c guards settings reads behind local/auth, so masked credential hints are no longer exposed to remote unauthenticated clients.
• 33b7b45 proxies /settings/llm and /settings/data-sources correctly in Vite dev mode without breaking the /settings frontend route.

Verified with:

• pytest agent/tests/test_settings_api.py -q
• python -m py_compile agent/api_server.py
• import api_server
• npm run build
• Real local E2E against http://127.0.0.1:5899/settings with the API running on 127.0.0.1:8899

The agent/src/providers/llm_providers.json location is okay from maintainer side because it is provider metadata and keeps the provider list data-driven.

Approved. Thanks again 🙌