Partial fix for the lockfile drift caught in the audit. The previous
session ran `npm install` inside web/ as a workaround for a Vite vendor-
resolution issue, which left three lockfiles in the wrong places:
- web/package-lock.json (npm artifact in a pnpm monorepo)
- web/pnpm-lock.yaml (per-package pnpm lockfile, also wrong)
- backend/pnpm-lock.yaml (same issue)
This commit:
- Deletes those three files from the working tree.
- Adds .gitignore entries so they can't be re-committed by accident.
- Also gitignores .claude/ (Claude Code session metadata).
What's still missing: the root pnpm-lock.yaml needs `react-router-dom`,
`@monaco-editor/react`, `@dnd-kit/{core,sortable,utilities}` added to
its resolution graph. That requires `pnpm install -r --no-frozen-lockfile`
from the repo root on a workstation with GITEA_NPM_TOKEN exported (the
mobile workspace pulls @bytelyst/* private packages from the org's
private registry; this session has no token so the install errors out
on the mobile resolve). It's a one-line follow-up — tracked in
AUDIT_REDESIGN.md item E2.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
A1+A2 — CodeStrategyEditor backtest call
Was: POST /api/backtest with { symbol, strategyCode, mode: 'code' }
Now: POST /api/backtest/run with { symbols: [s], strategyConfig: {
type: 'code', language: 'javascript', code } }
The backend route is /api/backtest/run (not /api/backtest), and
/api/backtest/run validates `symbols[]` and `strategyConfig`, not the
ad-hoc fields we were sending. Also unwraps the { success, results }
envelope the engine returns and surfaces success:false errors.
A3 — VisualRuleBuilder save shape
Was: hand-rolled fetch to /api/profiles with { name, symbol, strategyType,
visualRules, description } — backend's saveTradeProfileForUser ignored
all of that and either 400'd or persisted a half-empty row.
Now: uses the canonical createTradeProfile() helper from lib/profileApi
with the documented TradeProfilePayload shape. Visual rules go inside
strategy_config.{type:'visual', version:1, rules:[...]} so the engine
can fan out to a visual interpreter without conflicting with the
existing rule-based engine. Allocated capital + risk pct pulled from
botState.settings so the profile inherits the user's current sizing.
is_active defaults false so the user activates explicitly.
A4+A5 — RightPanel.NewsFeed auth + runtime
Was: raw fetch() to import.meta.env.VITE_TRADING_API_URL with no
Authorization header → 401 on every render in any environment that
requires auth, and prod-broken where the runtime resolver is the
only source of truth for the API base URL.
Now: uses fetchNews() from lib/marketApi which already carries the
platform Bearer token and routes through tradingRuntime.tradingApiUrl.
Adds an error state in the UI for visibility instead of silently
leaving the panel blank.
Verified: web/ tsc --noEmit passes. No behavioural change to non-affected
code paths (RightPanel portfolio summary, ResearchView other tabs, etc.).
Refs: docs/AUDIT_REDESIGN.md items A1–A5.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Catalogues every gap, bug, and miss found in the web redesign work:
- A: critical broken integrations (wrong endpoint, wrong payload, missing auth)
- B: functional gaps from the original plan (chart indicators, watchlist
buttons, company name placeholder, etc.)
- C: security & correctness (sandboxing, FMP cache, query-param leakage)
- D: UX/UI polish (skeletons, dark-tab contrast, responsive breakpoints)
- E: build/infra (1 MB bundle, lockfile drift, Monaco workers, README)
- F: test coverage (zero tests for marketApi, builders, screener, endpoints)
- G: mobile parity (none of the new features exist on mobile)
Each row has a severity tag, status box, and a slot for the fix-commit hash.
Subsequent commits will reference items by ID (e.g. fix(A1): ...).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Wires the new dashboard to real market data and adds the strategy
builder & screener UIs that were stubbed in the previous commit.
Frontend (web/src/):
- lib/marketApi.ts: authenticated fetch helpers for chart bars,
market indices, news, and FMP research endpoints
- views/HomeView.tsx: StockChart now fetches live OHLCV via
fetchChartBars on symbol/period change with loading/error states;
ResearchCards replaces the static placeholder with live FMP
profile/metrics/earnings (next-earnings + last 3 historical)
- components/layout/Header.tsx: live SPY/DIA/QQQ price + change%
via fetchMarketIndices, refreshing every 60s; removed unused
static sparkline placeholder
- components/strategy/VisualRuleBuilder.tsx: drag-and-drop IF/THEN
rule composer using @dnd-kit (RSI/MACD/EMA/Price/Volume,
above/below/crosses, BUY/SELL with shares or % of capital);
saves via POST /api/profiles
- components/strategy/CodeStrategyEditor.tsx: Monaco editor with
JS strategy template; "Run Backtest" posts to /api/backtest and
renders return/win-rate/Sharpe/drawdown plus trade log
- views/ResearchView.tsx: adds "Visual Builder" and "Code Editor"
sub-tabs alongside Strategies / Signals / Backtesting
- views/ScreenerView.tsx: live FMP screener with market-cap and
sector filters, sortable columns, click-to-load-symbol routing
- index.css: light theme background; @keyframes spin for loaders
- App.dom.test.tsx: rewritten for router-based AppShell (was
asserting on the removed tab UI; fixes 5 prior failures)
Backend (backend/src/services/apiServer.ts):
- /api/chart/bars: detects crypto symbols (contains "/") and
routes to Alpaca v1beta3/crypto/us/bars; equities use
v2/stocks/{symbol}/bars with iex feed
- (existing) /api/news, /api/market/indices, /api/research/{
profile,metrics,earnings}, /api/screener proxy endpoints
Build/config:
- web/vite.config.ts: dedupe react / react/jsx-runtime /
react-router-dom so the vendored react-auth dist resolves the
same React instance (fixes "Cannot resolve react/jsx-runtime"
Rollup error)
- web/tsconfig.app.json: exclude shared/platform-clients.ts and
shared/platform-mobile.ts (mobile-only, missing RN SDK)
- web/package.json: add react-router-dom, @monaco-editor/react,
@dnd-kit/core, @dnd-kit/sortable, @dnd-kit/utilities
Verification: `npm run build` in web/ → clean (✓ built in 3s);
backend tsc --noEmit → clean. Test suite: 151/155 pass; the 4
remaining failures are pre-existing (3 useTabFeatureFlags module
cache leaks, 1 EntryForm), not introduced here.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces the 12-tab dashboard with a 3-column layout matching the
investing app mockup (sidebar nav, main chart area, right panel).
Web changes:
- New context/AppContext.tsx — shared botState/auth across all views
- New layout: Sidebar, Header (with market index sparklines), RightPanel
- New views: Home, Portfolio, Research, Markets, Screener, Watchlist, Alerts, Settings
- AppShell wires React Router routes to all views
- App.tsx refactored to use AppContext.Provider + BrowserRouter
Backend changes:
- 6 new proxy endpoints: /api/news, /api/market/indices,
/api/research/profile, /api/research/metrics,
/api/research/earnings, /api/screener
- config/index.ts: FMP_API_KEY env var added
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Web:
- runtime.ts: use import.meta.env (process.env is undefined in Vite browser bundle)
- tradingApiUrl local fallback: drop /api suffix (API libs already append /api/*)
- useWebSocket: deriveSocketParams() — correctly splits origin + socket path for
Caddy handle_path /invttrdg/* proxy (io(origin, {path}), not io(url-with-path))
- App.tsx: pass socket prop to AdminTab; pass connected prop to SignalsTab
- AdminTab: remove duplicate useWebSocket; accept socket as prop
- SignalsTab: connection-aware empty state message
- backtest/flags: default to disabled when VITE_BACKTEST_ENABLED unset
- EntryForm: NaN guard before live trade execution
- MarketplaceTab: null-safety on symbols.rules access
- Tests: pass socket prop to AdminTab; update empty state assertion
Mobile:
- TradingDataProvider: same deriveSocketParams fix — EXPO_PUBLIC_SOCKET_PATH
overrides auto-derived path from tradingApiUrl
- strategies: replace mock data with real GET /api/profiles + PATCH active toggle
- chat: wire to real POST /api/chat; remove hardcoded mock reply
- marketplace: fetch GET /api/marketplace-presets; USE STRATEGY calls POST /api/profiles
- settings: sign-out confirmation dialog; execution mode read-only hint;
version from expo-constants instead of hardcoded v2.3
- positions/history: empty state UI when no data
- CustomTabBar: always show tab labels (not only when focused)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add web/Dockerfile (node:20 builder + nginx:alpine, port 3085)
- Add web service to docker-compose.yml with VITE_ build args
- Create web/.env and mobile/.env pointing to api.bytelyst.com
- Backend port mapping: 4025:4018 (4018 reserved by actiontrail)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Upgrade Dockerfile base from node:18 to node:20 (fixes crypto global)
- Map host port 4025 → container 4018 (4018 taken by actiontrail)
- Join learning_ai_common_plat_default Docker network for platform service
- Switch all @bytelyst/* link: deps to registry versions
- Bump @bytelyst/llm to ^0.1.1 (adds createFallbackChain, GeminiProvider etc)
- Regenerate pnpm-lock.yaml against Gitea registry
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Add bootstrap.ts as new entry point — resolves Key Vault secrets via
DefaultAzureCredential before config/index.ts is evaluated, so all
process.env reads pick up KV values (Azure CLI in dev, Managed Identity
in prod). Falls back to .env if AZURE_KEYVAULT_URL is not set.
- Define INVTTRDG_SECRETS mappings for Cosmos, Azure OpenAI, product-id
- Add AZURE_OPENAI_ENDPOINT / KEY / DEPLOYMENT to config
- aiClient: prefer AzureOpenAIProvider (AI Foundry) when Azure OpenAI
config is present; falls back to direct OpenAI if not configured
- Add @azure/identity, @azure/keyvault-secrets, @bytelyst/config deps
- Update dev/start scripts to use bootstrap.ts entry point
- Document AZURE_KEYVAULT_URL and Azure OpenAI vars in .env.example
Key Vault: https://kv-mywisprai.vault.azure.net/
Secrets prefix: invttrdg-*
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Records Cosmos DB setup (12 containers), Azure OpenAI deployments (gpt-4o,
gpt-4o-mini), Key Vault secrets, and pending work items.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Import PerplexityProvider, OpenAIProvider, GeminiProvider from @bytelyst/llm
- Use createFallbackChain() instead of manual axios fallback loop
- Remove axios and @types/axios — no longer needed
- Preserve AIClient class interface (generateAnalysis, getProviderHealth) —
no changes required in apiServer.ts or AIAnalysisRule.ts
- Fallback order still driven by config.AI.FALLBACK_LIST
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Call loadDynamicConfig() without dead supabaseService argument (Cosmos-backed).
- Use getLegacySupabaseClient() for raw .from() queries in maintenance scripts.
- manualOverrideCloseTrades: typed imports + legacy client for lifecycle SELECT.
- verify_realtime: ESM .js imports and comment for subscribeToProfiles.
- verifyTenantIsolation: comment for singleton monkey-patch.
Made-with: Cursor
