From 255bb070a36feae861ab95ecf1933691a6a8a714 Mon Sep 17 00:00:00 2001
From: Saravana Achu Mac
Date: Mon, 4 May 2026 06:25:31 -0700
Subject: [PATCH] chore(audit-E2): stop stray subpackage lockfiles from coming back
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Partial fix for the lockfile drift caught in the audit. The previous
session ran `npm install` inside web/ as a workaround for a Vite
vendor-resolution issue, which left three lockfiles in the wrong places:

- web/package-lock.json (npm artifact in a pnpm monorepo)
- web/pnpm-lock.yaml (per-package pnpm lockfile, also wrong)
- backend/pnpm-lock.yaml (same issue)

This commit:

- Deletes those three files from the working tree.
- Adds .gitignore entries so they can't be re-committed by accident.
- Also gitignores .claude/ (Claude Code session metadata).

What's still missing: the root pnpm-lock.yaml needs `react-router-dom`,
`@monaco-editor/react`, `@dnd-kit/{core,sortable,utilities}` added to
its resolution graph. That requires `pnpm install -r --no-frozen-lockfile`
from the repo root on a workstation with GITEA_NPM_TOKEN exported (the
mobile workspace pulls @bytelyst/* private packages from the org's
private registry; this session has no token so the install errors out
on the mobile resolve). It's a one-line follow-up — tracked in
AUDIT_REDESIGN.md item E2.

Co-Authored-By: Claude Sonnet 4.6
---
 .gitignore             | 13 +++++++++++++
 docs/AUDIT_REDESIGN.md |  4 ++--
 2 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore index c66b123..ff78163 100644 --- a/.gitignore +++ b/.gitignore
@@ -16,3 +16,16 @@ web-build .env.local .env.*.local backend/bot_state.json + +# Lockfile hygiene: this is a pnpm workspace โ€” only the root pnpm-lock.yaml +# is committed. npm-style or per-package pnpm lockfiles inside subpackages +# get out of sync with the root and break CI. +backend/pnpm-lock.yaml +backend/package-lock.json +web/pnpm-lock.yaml +web/package-lock.json +mobile/pnpm-lock.yaml +mobile/package-lock.json + +# Claude Code session metadata +.claude/ diff --git a/docs/AUDIT_REDESIGN.md b/docs/AUDIT_REDESIGN.md index 5c2c405..2ba41a3 100644 --- a/docs/AUDIT_REDESIGN.md +++ b/docs/AUDIT_REDESIGN.md @@ -20,7 +20,7 @@ Status: โฌœ open ยท ๐ŸŸฆ in PR ยท โœ… fixed (commit hash on the right). | A3 | `VisualRuleBuilder` save โ†’ `/api/profiles` body uses `{strategyType, visualRules, description}`. `saveTradeProfileForUser` expects `strategy_config` shape. Result: 400 or silently-discarded fields. | ๐Ÿ”ด | โœ… | bucket A | | A4 | `RightPanel.NewsFeed` calls `fetch()` with no `Authorization` header. `/api/news` is `requireAuth`. Result: 401 every render. | ๐Ÿ”ด | โœ… | bucket A | | A5 | `RightPanel.NewsFeed` reads `import.meta.env.VITE_TRADING_API_URL` directly instead of `tradingRuntime.tradingApiUrl`. Breaks in prod where the runtime resolver is the source of truth. | ๐ŸŸ  | โœ… | bucket A | -| A6 | Backend `/api/chart/bars` previously crashed on crypto symbols (`BTC/USD`) because `/v2/stocks` rejects them. (Already partially fixed in 938ed86 โ€” verify the encode path doesn't double-encode `/`.) | ๐ŸŸ  | โฌœ | | +| A6 | Backend `/api/chart/bars` previously crashed on crypto symbols (`BTC/USD`) because `/v2/stocks` rejects them. Verified in 938ed86: `encodeURIComponent('BTC/USD')` โ†’ `BTC%2FUSD` (correct for query string), and the response lookup `cryptoBars[symbol]` uses the un-encoded key (matches Alpaca's response). | ๐ŸŸ  | โœ… | 938ed86 | ## B. Functional gaps (feature exists in plan but not implemented) 
@@ -68,7 +68,7 @@ Status: โฌœ open ยท ๐ŸŸฆ in PR ยท โœ… fixed (commit hash on the right). | # | Issue | Severity | Status | Fix commit | | --- | ---------------------------------------------------------------------------------------------------------------------------------- | :------: | :----: | ---------- | | E1 | Bundle is 1.08 MB (309 kB gzipped) โ€” Monaco is the bulk. Lazy-load Monaco via `React.lazy`. | ๐ŸŸ  | โฌœ | | -| E2 | Root `pnpm-lock.yaml` doesn't contain `react-router-dom`, `@monaco-editor/react`, `@dnd-kit/*` (they were installed via `npm` in `web/` causing `web/package-lock.json` and `web/pnpm-lock.yaml` to appear). Workspace builds in CI will fail. | ๐Ÿ”ด | โฌœ | | +| E2 | Root `pnpm-lock.yaml` doesn't contain `react-router-dom`, `@monaco-editor/react`, `@dnd-kit/*` (they were installed via `npm` in `web/` causing `web/package-lock.json` and `web/pnpm-lock.yaml` to appear). Workspace builds in CI will fail. **Partial fix**: stray subpackage lockfiles deleted + `.gitignore` updated to prevent recurrence. **Still TODO**: run `pnpm install -r --no-frozen-lockfile` from the repo root on a workstation that has `GITEA_NPM_TOKEN` exported (this session can't reach the private registry โ†’ mobile install fails). One-line follow-up commit. | ๐Ÿ”ด | ๐ŸŸฆ | bucket E2-partial | | E3 | Monaco's web workers (TS/JSON/CSS/HTML) are pulled at runtime from a CDN by default. Need explicit Vite config to bundle workers locally for offline / CSP-strict deployments. | ๐ŸŸก | โฌœ | | | E4 | No README / docs section describing the new layout, env vars (`FMP_API_KEY`), or routes. | ๐ŸŸก | โฌœ | |
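
Review bot: In the .gitignore hunk, the new entries name `backend/`, `web/` and `mobile/` one by one, so a workspace package added later is not covered and a stray lockfile there can still be committed. A pattern pair such as `**/pnpm-lock.yaml` followed by `!/pnpm-lock.yaml`, plus `**/package-lock.json`, would cover every subpackage while keeping the root lockfile tracked. Ignoring also only hides the file from `git status`: a leftover `web/package-lock.json` stays on disk and nothing fails the next time someone runs `npm install` inside a subpackage, so a CI step that rejects any lockfile other than the root `pnpm-lock.yaml` would enforce what the comment describes. The `.claude/` entry is unrelated to lockfile hygiene and would be easier to trace as its own commit.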
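
Review bot: In the first docs/AUDIT_REDESIGN.md hunk, row A6 moves from open to fixed on a prose statement alone, and this patch touches no backend code or test. The removed line asked to verify that the encode path does not double-encode `/`; the replacement shows a single `encodeURIComponent('BTC/USD')` result but not that the value is encoded only once on its way into the request. A regression test for `/api/chart/bars` with `BTC/USD`, referenced from the row, would make the fixed status checkable. The change is also outside the commit subject (audit-E2) and would be clearer as a separate commit.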
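
Review bot: In the second docs/AUDIT_REDESIGN.md hunk, row E2 changes status to in PR while its own text still says workspace builds in CI will fail, and the step that resolves that is deferred to a commit outside this patch. The TODO command `pnpm install -r --no-frozen-lockfile` allows the root lockfile to be rewritten, so the row should also ask that the resulting lockfile diff be reviewed and limited to `react-router-dom`, `@monaco-editor/react`, `@dnd-kit/*` and their transitive dependencies. The multi-sentence progress text would read better as a note under the table than inside the Issue cell.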