Partial fix for the lockfile drift caught in the audit. The previous
session ran `npm install` inside web/ as a workaround for a Vite vendor-
resolution issue, which left three lockfiles in the wrong places:
- web/package-lock.json (npm artifact in a pnpm monorepo)
- web/pnpm-lock.yaml (per-package pnpm lockfile, also wrong)
- backend/pnpm-lock.yaml (same issue)
This commit:
- Deletes those three files from the working tree.
- Adds .gitignore entries so they can't be re-committed by accident.
- Also gitignores .claude/ (Claude Code session metadata).
What's still missing: the root pnpm-lock.yaml needs `react-router-dom`,
`@monaco-editor/react`, `@dnd-kit/{core,sortable,utilities}` added to
its resolution graph. That requires `pnpm install -r --no-frozen-lockfile`
from the repo root on a workstation with GITEA_NPM_TOKEN exported (the
mobile workspace pulls @bytelyst/* private packages from the org's
private registry; this session has no token so the install errors out
on the mobile resolve). It's a one-line follow-up — tracked in
AUDIT_REDESIGN.md item E2.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
A1+A2 — CodeStrategyEditor backtest call
Was: POST /api/backtest with { symbol, strategyCode, mode: 'code' }
Now: POST /api/backtest/run with { symbols: [s], strategyConfig: {
type: 'code', language: 'javascript', code } }
The backend route is /api/backtest/run (not /api/backtest), and
/api/backtest/run validates `symbols[]` and `strategyConfig`, not the
ad-hoc fields we were sending. Also unwraps the { success, results }
envelope the engine returns and surfaces success:false errors.
A3 — VisualRuleBuilder save shape
Was: hand-rolled fetch to /api/profiles with { name, symbol, strategyType,
visualRules, description } — backend's saveTradeProfileForUser ignored
all of that and either 400'd or persisted a half-empty row.
Now: uses the canonical createTradeProfile() helper from lib/profileApi
with the documented TradeProfilePayload shape. Visual rules go inside
strategy_config.{type:'visual', version:1, rules:[...]} so the engine
can fan out to a visual interpreter without conflicting with the
existing rule-based engine. Allocated capital + risk pct pulled from
botState.settings so the profile inherits the user's current sizing.
is_active defaults false so the user activates explicitly.
A4+A5 — RightPanel.NewsFeed auth + runtime
Was: raw fetch() to import.meta.env.VITE_TRADING_API_URL with no
Authorization header → 401 on every render in any environment that
requires auth, and prod-broken where the runtime resolver is the
only source of truth for the API base URL.
Now: uses fetchNews() from lib/marketApi which already carries the
platform Bearer token and routes through tradingRuntime.tradingApiUrl.
Adds an error state in the UI for visibility instead of silently
leaving the panel blank.
Verified: web/ tsc --noEmit passes. No behavioural change to non-affected
code paths (RightPanel portfolio summary, ResearchView other tabs, etc.).
Refs: docs/AUDIT_REDESIGN.md items A1–A5.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Catalogues every gap, bug, and miss found in the web redesign work:
- A: critical broken integrations (wrong endpoint, wrong payload, missing auth)
- B: functional gaps from the original plan (chart indicators, watchlist
buttons, company name placeholder, etc.)
- C: security & correctness (sandboxing, FMP cache, query-param leakage)
- D: UX/UI polish (skeletons, dark-tab contrast, responsive breakpoints)
- E: build/infra (1 MB bundle, lockfile drift, Monaco workers, README)
- F: test coverage (zero tests for marketApi, builders, screener, endpoints)
- G: mobile parity (none of the new features exist on mobile)
Each row has a severity tag, status box, and a slot for the fix-commit hash.
Subsequent commits will reference items by ID (e.g. fix(A1): ...).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
