chore(audit-E2): stop stray subpackage lockfiles from coming back

Partial fix for the lockfile drift caught in the audit. The previous
session ran `npm install` inside web/ as a workaround for a Vite vendor-
resolution issue, which left three lockfiles in the wrong places:
  - web/package-lock.json  (npm artifact in a pnpm monorepo)
  - web/pnpm-lock.yaml     (per-package pnpm lockfile, also wrong)
  - backend/pnpm-lock.yaml (same issue)

This commit:
  - Deletes those three files from the working tree.
  - Adds .gitignore entries so they can't be re-committed by accident.
  - Also gitignores .claude/ (Claude Code session metadata).

What's still missing: the root pnpm-lock.yaml needs `react-router-dom`,
`@monaco-editor/react`, `@dnd-kit/{core,sortable,utilities}` added to
its resolution graph. That requires `pnpm install -r --no-frozen-lockfile`
from the repo root on a workstation with GITEA_NPM_TOKEN exported (the
mobile workspace pulls @bytelyst/* private packages from the org's
private registry; this session has no token so the install errors out
on the mobile resolve). It's a one-line follow-up — tracked in
AUDIT_REDESIGN.md item E2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Saravana Achu Mac 2026-05-04 06:25:31 -07:00
parent ddbffb6cd1
commit 255bb070a3
2 changed files with 15 additions and 2 deletions

.gitignore

@ -16,3 +16,16 @@ web-build
.env.local
.env.*.local
backend/bot_state.json
# Lockfile hygiene: this is a pnpm workspace — only the root pnpm-lock.yaml
# is committed. npm-style or per-package pnpm lockfiles inside subpackages
# get out of sync with the root and break CI.
backend/pnpm-lock.yaml
backend/package-lock.json
web/pnpm-lock.yaml
web/package-lock.json
mobile/pnpm-lock.yaml
mobile/package-lock.json
# Claude Code session metadata
.claude/
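Review bot: the new ignore patterns (`backend/pnpm-lock.yaml` through `mobile/package-lock.json`) stop the stray files from being committed again but do nothing about the drift the commit message describes in the root `pnpm-lock.yaml`, which is where the supply-chain exposure actually sits: until `react-router-dom`, `@monaco-editor/react` and `@dnd-kit/*` are pinned there, a fresh install resolves them to whatever the registry serves that day. Pair this hunk with a CI step that runs `pnpm install --frozen-lockfile` so a root lockfile that no longer matches the workspace manifests fails the pipeline loudly instead of being silently regenerated. The `.claude/` entry is a sensible addition, since session metadata can carry pasted tokens and file contents; the same rationale argues for adding it to contributors' global gitignore as well.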

View File

@ -20,7 +20,7 @@ Status: ⬜ open · 🟦 in PR · ✅ fixed (commit hash on the right).
| A3 | `VisualRuleBuilder` save → `/api/profiles` body uses `{strategyType, visualRules, description}`. `saveTradeProfileForUser` expects `strategy_config` shape. Result: 400 or silently-discarded fields. | 🔴 | ✅ | bucket A |
| A4 | `RightPanel.NewsFeed` calls `fetch()` with no `Authorization` header. `/api/news` is `requireAuth`. Result: 401 every render. | 🔴 | ✅ | bucket A |
| A5 | `RightPanel.NewsFeed` reads `import.meta.env.VITE_TRADING_API_URL` directly instead of `tradingRuntime.tradingApiUrl`. Breaks in prod where the runtime resolver is the source of truth. | 🟠 | ✅ | bucket A |
| A6 | Backend `/api/chart/bars` previously crashed on crypto symbols (`BTC/USD`) because `/v2/stocks` rejects them. (Already partially fixed in 938ed86 — verify the encode path doesn't double-encode `/`.) | 🟠 | ⬜ | |
| A6 | Backend `/api/chart/bars` previously crashed on crypto symbols (`BTC/USD`) because `/v2/stocks` rejects them. Verified in 938ed86: `encodeURIComponent('BTC/USD')``BTC%2FUSD` (correct for query string), and the response lookup `cryptoBars[symbol]` uses the un-encoded key (matches Alpaca's response). | 🟠 | ✅ | 938ed86 |
## B. Functional gaps (feature exists in plan but not implemented)
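Review bot: the replacement A6 row has lost the connector between `encodeURIComponent('BTC/USD')` and `BTC%2FUSD` (the two code spans run together), so the sentence no longer states what was verified; write it as `encodeURIComponent('BTC/USD')` → `'BTC%2FUSD'`. More importantly, "Verified in 938ed86" records a manual check in prose, and the concern raised in the row it replaces (double-encoding of `/`) is exactly the kind of regression that comes back unnoticed. Add a unit test for `/api/chart/bars` that requests `BTC/USD` and asserts both that the query value is single-encoded and that `cryptoBars['BTC/USD']` (the un-encoded key) is what is read from the response, so the ✅ is enforced by CI rather than by the table.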
@ -68,7 +68,7 @@ Status: ⬜ open · 🟦 in PR · ✅ fixed (commit hash on the right).
| # | Issue | Severity | Status | Fix commit |
| --- | ---------------------------------------------------------------------------------------------------------------------------------- | :------: | :----: | ---------- |
| E1 | Bundle is 1.08 MB (309 kB gzipped) — Monaco is the bulk. Lazy-load Monaco via `React.lazy`. | 🟠 | ⬜ | |
| E2 | Root `pnpm-lock.yaml` doesn't contain `react-router-dom`, `@monaco-editor/react`, `@dnd-kit/*` (they were installed via `npm` in `web/` causing `web/package-lock.json` and `web/pnpm-lock.yaml` to appear). Workspace builds in CI will fail. | 🔴 | ⬜ | |
| E2 | Root `pnpm-lock.yaml` doesn't contain `react-router-dom`, `@monaco-editor/react`, `@dnd-kit/*` (they were installed via `npm` in `web/` causing `web/package-lock.json` and `web/pnpm-lock.yaml` to appear). Workspace builds in CI will fail. **Partial fix**: stray subpackage lockfiles deleted + `.gitignore` updated to prevent recurrence. **Still TODO**: run `pnpm install -r --no-frozen-lockfile` from the repo root on a workstation that has `GITEA_NPM_TOKEN` exported (this session can't reach the private registry → mobile install fails). One-line follow-up commit. | 🔴 | 🟦 | bucket E2-partial |
| E3 | Monaco's web workers (TS/JSON/CSS/HTML) are pulled at runtime from a CDN by default. Need explicit Vite config to bundle workers locally for offline / CSP-strict deployments. | 🟡 | ⬜ | |
| E4 | No README / docs section describing the new layout, env vars (`FMP_API_KEY`), or routes. | 🟡 | ⬜ | |
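Review bot: the Fix commit column for E2 now reads `bucket E2-partial`, but the status header says that column holds the commit hash; put `255bb070a3` there (or leave it blank until the follow-up lands) so the row stays greppable like A6's `938ed86`. On the follow-up itself: `pnpm install -r --no-frozen-lockfile` regenerates resolutions for the whole workspace, not only the three missing packages, so the resulting lockfile diff should be reviewed for unrelated version bumps before it is committed, and CI should return to frozen-lockfile mode once the root lockfile is complete rather than keeping the non-frozen flag around.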