v0.3.6: URL-escape path segments + remove tests/ from sdist

Security/correctness fixes from external review:

- URL-escape ticker/symbol path parameters (urllib.parse.quote with
  safe="") to handle inputs like BF/B, BRK.B, X%Y correctly. Previously
  these would produce malformed URLs.
- Remove /tests from sdist allowlist; ship only src/, README, LICENSE,
  pyproject. Hatchling still bundles .gitignore (built-in behaviour).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tdobrowolski1

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "flashalpha"
-version = "0.3.5"
+version = "0.3.6"
 description = "Python SDK for the FlashAlpha options analytics API — live options screener, gamma exposure (GEX), VRP, delta, vanna, charm, greeks, 0DTE analytics, volatility surfaces, and more."
 readme = "README.md"
 license = "MIT"
@@ -73,10 +73,11 @@ packages = ["src/flashalpha"]
 
 [tool.hatch.build.targets.sdist]
 # Explicit allowlist — only ship source, README, LICENSE, pyproject. Anything
-# else in the working dir (e.g. .claude/, CLAUDE.md, .env*, dist/) is excluded.
+# else in the working dir (e.g. .claude/, CLAUDE.md, .env*, dist/, tests/)
+# is excluded so the sdist stays minimal.
+support-legacy = false
 include = [
   "/src/flashalpha",
-  "/tests",
   "/README.md",
   "/LICENSE",
   "/pyproject.toml",
@@ -86,6 +87,8 @@ exclude = [
   "CLAUDE.md",
   ".env",
   ".env.*",
+  ".gitignore",
+  "**/.gitignore",
   ".vscode",
   ".idea",
   "*.local",

src/flashalpha/client.py

@@ -3,6 +3,7 @@
 from __future__ import annotations
 
 from typing import TYPE_CHECKING, Any
+from urllib.parse import quote
 
 import requests
 
@@ -21,6 +22,11 @@
 BASE_URL = "https://lab.flashalpha.com"
 
 
+def _seg(s: str) -> str:
+    """URL-escape a single path segment (e.g. a ticker) — escapes / ? % etc."""
+    return quote(s, safe="")
+
+
 class FlashAlpha:
     """Thin wrapper around the FlashAlpha REST API.
 
@@ -92,7 +98,7 @@ def _handle(self, resp: requests.Response) -> dict:
 
     def stock_quote(self, ticker: str) -> dict:
         """Live stock quote (bid/ask/mid/last)."""
-        return self._get(f"/stockquote/{ticker}")
+        return self._get(f"/stockquote/{_seg(ticker)}")
 
     def option_quote(
         self,
@@ -110,15 +116,15 @@ def option_quote(
             params["strike"] = strike
         if type:
             params["type"] = type
-        return self._get(f"/optionquote/{ticker}", params or None)
+        return self._get(f"/optionquote/{_seg(ticker)}", params or None)
 
     def surface(self, symbol: str) -> dict:
         """Volatility surface grid (public, no auth required)."""
-        return self._get(f"/v1/surface/{symbol}")
+        return self._get(f"/v1/surface/{_seg(symbol)}")
 
     def stock_summary(self, symbol: str) -> dict:
         """Comprehensive stock summary (price, vol, exposure, macro)."""
-        return self._get(f"/v1/stock/{symbol}/summary")
+        return self._get(f"/v1/stock/{_seg(symbol)}/summary")
 
     # ── Historical ──────────────────────────────────────────────────
 
@@ -127,7 +133,7 @@ def historical_stock_quote(self, ticker: str, *, date: str, time: str | None = N
         params: dict[str, Any] = {"date": date}
         if time:
             params["time"] = time
-        return self._get(f"/historical/stockquote/{ticker}", params)
+        return self._get(f"/historical/stockquote/{_seg(ticker)}", params)
 
     def historical_option_quote(
         self,
@@ -149,7 +155,7 @@ def historical_option_quote(
             params["strike"] = strike
         if type:
             params["type"] = type
-        return self._get(f"/historical/optionquote/{ticker}", params)
+        return self._get(f"/historical/optionquote/{_seg(ticker)}", params)
 
     # ── Exposure Analytics ──────────────────────────────────────────
 
@@ -160,40 +166,40 @@ def gex(self, symbol: str, *, expiration: str | None = None, min_oi: int | None
             params["expiration"] = expiration
         if min_oi is not None:
             params["min_oi"] = min_oi
-        return self._get(f"/v1/exposure/gex/{symbol}", params or None)
+        return self._get(f"/v1/exposure/gex/{_seg(symbol)}", params or None)
 
     def dex(self, symbol: str, *, expiration: str | None = None) -> dict:
         """Delta exposure by strike."""
         params: dict[str, Any] = {}
         if expiration:
             params["expiration"] = expiration
-        return self._get(f"/v1/exposure/dex/{symbol}", params or None)
+        return self._get(f"/v1/exposure/dex/{_seg(symbol)}", params or None)
 
     def vex(self, symbol: str, *, expiration: str | None = None) -> dict:
         """Vanna exposure by strike."""
         params: dict[str, Any] = {}
         if expiration:
             params["expiration"] = expiration
-        return self._get(f"/v1/exposure/vex/{symbol}", params or None)
+        return self._get(f"/v1/exposure/vex/{_seg(symbol)}", params or None)
 
     def chex(self, symbol: str, *, expiration: str | None = None) -> dict:
         """Charm exposure by strike."""
         params: dict[str, Any] = {}
         if expiration:
             params["expiration"] = expiration
-        return self._get(f"/v1/exposure/chex/{symbol}", params or None)
+        return self._get(f"/v1/exposure/chex/{_seg(symbol)}", params or None)
 
     def exposure_summary(self, symbol: str) -> dict:
         """Full exposure summary (GEX/DEX/VEX/CHEX + hedging). Requires Growth+."""
-        return self._get(f"/v1/exposure/summary/{symbol}")
+        return self._get(f"/v1/exposure/summary/{_seg(symbol)}")
 
     def exposure_levels(self, symbol: str) -> dict:
         """Key support/resistance levels from options exposure."""
-        return self._get(f"/v1/exposure/levels/{symbol}")
+        return self._get(f"/v1/exposure/levels/{_seg(symbol)}")
 
     def narrative(self, symbol: str) -> dict:
         """Verbal narrative analysis of exposure. Requires Growth+."""
-        return self._get(f"/v1/exposure/narrative/{symbol}")
+        return self._get(f"/v1/exposure/narrative/{_seg(symbol)}")
 
     def zero_dte(self, symbol: str, *, strike_range: float | None = None) -> "ZeroDteResponse":
         """Real-time 0DTE analytics: regime, expected move, pin risk, hedging, decay. Requires Growth+.
@@ -205,14 +211,14 @@ def zero_dte(self, symbol: str, *, strike_range: float | None = None) -> "ZeroDt
         params: dict[str, Any] = {}
         if strike_range is not None:
             params["strike_range"] = strike_range
-        return self._get(f"/v1/exposure/zero-dte/{symbol}", params or None)
+        return self._get(f"/v1/exposure/zero-dte/{_seg(symbol)}", params or None)
 
     def exposure_history(self, symbol: str, *, days: int | None = None) -> dict:
         """Daily exposure snapshots for trend analysis. Requires Growth+."""
         params: dict[str, Any] = {}
         if days is not None:
             params["days"] = days
-        return self._get(f"/v1/exposure/history/{symbol}", params or None)
+        return self._get(f"/v1/exposure/history/{_seg(symbol)}", params or None)
 
     # ── Pricing & Sizing ────────────────────────────────────────────
 
@@ -287,11 +293,11 @@ def kelly(
 
     def volatility(self, symbol: str) -> dict:
         """Comprehensive volatility analysis. Requires Growth+."""
-        return self._get(f"/v1/volatility/{symbol}")
+        return self._get(f"/v1/volatility/{_seg(symbol)}")
 
     def adv_volatility(self, symbol: str) -> dict:
         """Advanced volatility analytics: SVI parameters, variance surface, arbitrage detection, greeks surfaces, variance swap. Requires Alpha+."""
-        return self._get(f"/v1/adv_volatility/{symbol}")
+        return self._get(f"/v1/adv_volatility/{_seg(symbol)}")
 
     # ── Reference Data ──────────────────────────────────────────────
 
@@ -301,7 +307,7 @@ def tickers(self) -> dict:
 
     def options(self, ticker: str) -> dict:
         """Option chain metadata (expirations + strikes)."""
-        return self._get(f"/v1/options/{ticker}")
+        return self._get(f"/v1/options/{_seg(ticker)}")
 
     def symbols(self) -> dict:
         """Currently queried symbols with live data."""
@@ -332,7 +338,7 @@ def vrp(self, symbol: str) -> dict:
 
         Requires Alpha+.
         """
-        return self._get(f"/v1/vrp/{symbol}")
+        return self._get(f"/v1/vrp/{_seg(symbol)}")
 
     # ── Max Pain ────────────────────────────────────────────────────
 
@@ -351,7 +357,7 @@ def max_pain(self, symbol: str, *, expiration: str | None = None) -> dict:
         params: dict[str, Any] = {}
         if expiration:
             params["expiration"] = expiration
-        return self._get(f"/v1/maxpain/{symbol}", params or None)
+        return self._get(f"/v1/maxpain/{_seg(symbol)}", params or None)
 
     # ── Screener ────────────────────────────────────────────────────