Self-contained brief that any coding agent (Codex, Claude, Gemini, etc.)
running on this machine can paste in to resume the redesign+audit work.

Covers, in order:
- Required reads (the 4 source-of-truth docs in both repos)
- Environment setup (source ~/.zshrc for GITEA_NPM_TOKEN)
- Verification gates per repo (must run before AND after every change)
- 12-item priority queue with effort estimates, top to bottom
- Commit conventions (subject `<type>(<id>):`, audit-doc tick, model
  Co-Authored-By line)
- Six explicit "do not" rules (don't commit incidental lockfile
  regens, don't touch nomgap WIP, don't skip gates, don't bulk-fix
  platform lint, don't push --force, etc.)
- When-to-stop-and-ask criteria so the agent doesn't guess on
  ambiguous specs or break public API surfaces

Bottom of the file has a short copy-paste prompt that points back at
this doc, so the human just pastes 7 lines into Codex and the agent
self-bootstraps from the full brief.

Refs: docs/HANDOVER.md, docs/AUDIT_REDESIGN.md.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Self-contained hand-off note covering:
- Current health snapshot (build/typecheck/test status, with the
  4 known pre-existing test failures called out so they aren't
  misread as regressions)
- Critical lockfile situation (web deps in package.json but not
  in root pnpm-lock.yaml — needs `pnpm install -r` from a machine
  with GITEA_NPM_TOKEN; tracked as audit item E2)
- Audit doc reference (docs/AUDIT_REDESIGN.md, 52 items, the 5
  cleared so far + 47 still open)
- Suggested priority order: E2 lockfile → B1 chart indicators →
  B2/B3 ticker header → C1 strategy code sandboxing → C2 FMP cache
  → F6 backend tests → G mobile parity
- Backup-branch reference for emergency rollback
- Note on vendored @bytelyst/* packages and the Vite alias resolver

Companion HANDOVER.md exists in the sibling learning_ai_common_plat
repo for the platform-side audit pushed in that repo's commit 8f541c9.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Partial fix for the lockfile drift caught in the audit. The previous
session ran `npm install` inside web/ as a workaround for a Vite vendor-
resolution issue, which left three lockfiles in the wrong places:
- web/package-lock.json (npm artifact in a pnpm monorepo)
- web/pnpm-lock.yaml (per-package pnpm lockfile, also wrong)
- backend/pnpm-lock.yaml (same issue)

This commit:
- Deletes those three files from the working tree.
- Adds .gitignore entries so they can't be re-committed by accident.
- Also gitignores .claude/ (Claude Code session metadata).

What's still missing: the root pnpm-lock.yaml needs `react-router-dom`,
`@monaco-editor/react`, `@dnd-kit/{core,sortable,utilities}` added to
its resolution graph. That requires `pnpm install -r --no-frozen-lockfile`
from the repo root on a workstation with GITEA_NPM_TOKEN exported (the
mobile workspace pulls @bytelyst/* private packages from the org's
private registry; this session has no token so the install errors out
on the mobile resolve). It's a one-line follow-up — tracked in
AUDIT_REDESIGN.md item E2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

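An added example (not code from this repository): a guard for the lockfile drift the commit above describes, assuming the root pnpm-lock.yaml is the only lockfile that should exist in the tree. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: guard for a pnpm monorepo whose only lockfile should be the
# root pnpm-lock.yaml. Function names and the sample tree are constructed.

# Print each stray lockfile under $1 as a sorted relative path.
# Stray = any package-lock.json, or a pnpm-lock.yaml below the repo root.
find_stray_lockfiles() {
    root=${1:-.}
    (
        cd "$root" || exit 2
        find . \( -name node_modules -o -name .git \) -prune -o \
            -type f \( -name package-lock.json -o -name pnpm-lock.yaml \) -print |
            sed -e 's|^\./||' -e '/^pnpm-lock\.yaml$/d' |
            LC_ALL=C sort
    )
}

# Return 0 for a clean tree, 1 when stray lockfiles exist (listed on stderr).
check_lockfiles() {
    stray=$(find_stray_lockfiles "$1") || return 2
    if [ -z "$stray" ]; then
        return 0
    fi
    printf '%s\n' "$stray" | sed 's/^/stray lockfile: /' >&2
    return 1
}

# Build a constructed tree mirroring the three files named in the commit.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/web" "$t/backend" "$t/mobile/node_modules/dep"
    : > "$t/pnpm-lock.yaml"                              # legitimate root lockfile
    : > "$t/web/package-lock.json"                       # npm artifact
    : > "$t/web/pnpm-lock.yaml"                          # per-package pnpm lockfile
    : > "$t/backend/pnpm-lock.yaml"
    : > "$t/mobile/node_modules/dep/package-lock.json"   # installed dep, skipped
    printf '%s\n' "$t"
}

# Demo: list the stray files in the sample tree, then clean up.
demo_tree=$(make_sample_tree)
find_stray_lockfiles "$demo_tree"
rm -rf "$demo_tree"
```

Run as a CI step, `check_lockfiles .` from the repo root catches a stray lockfile even when someone force-adds it past the .gitignore entries.
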
A1+A2 — CodeStrategyEditor backtest call
  Was: POST /api/backtest with { symbol, strategyCode, mode: 'code' }
  Now: POST /api/backtest/run with { symbols: [s], strategyConfig: {
       type: 'code', language: 'javascript', code } }
  The backend route is /api/backtest/run (not /api/backtest), and
  /api/backtest/run validates `symbols[]` and `strategyConfig`, not the
  ad-hoc fields we were sending. Also unwraps the { success, results }
  envelope the engine returns and surfaces success:false errors.

A3 — VisualRuleBuilder save shape
  Was: hand-rolled fetch to /api/profiles with { name, symbol, strategyType,
       visualRules, description } — backend's saveTradeProfileForUser ignored
       all of that and either 400'd or persisted a half-empty row.
  Now: uses the canonical createTradeProfile() helper from lib/profileApi
       with the documented TradeProfilePayload shape. Visual rules go inside
       strategy_config.{type:'visual', version:1, rules:[...]} so the engine
       can fan out to a visual interpreter without conflicting with the
       existing rule-based engine. Allocated capital + risk pct pulled from
       botState.settings so the profile inherits the user's current sizing.
       is_active defaults false so the user activates explicitly.

A4+A5 — RightPanel.NewsFeed auth + runtime
  Was: raw fetch() to import.meta.env.VITE_TRADING_API_URL with no
       Authorization header → 401 on every render in any environment that
       requires auth, and prod-broken where the runtime resolver is the
       only source of truth for the API base URL.
  Now: uses fetchNews() from lib/marketApi which already carries the
       platform Bearer token and routes through tradingRuntime.tradingApiUrl.
       Adds an error state in the UI for visibility instead of silently
       leaving the panel blank.

Verified: web/ tsc --noEmit passes. No behavioural change to non-affected
code paths (RightPanel portfolio summary, ResearchView other tabs, etc.).

Refs: docs/AUDIT_REDESIGN.md items A1–A5.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Catalogues every gap, bug, and miss found in the web redesign work:
- A: critical broken integrations (wrong endpoint, wrong payload, missing auth)
- B: functional gaps from the original plan (chart indicators, watchlist
  buttons, company name placeholder, etc.)
- C: security & correctness (sandboxing, FMP cache, query-param leakage)
- D: UX/UI polish (skeletons, dark-tab contrast, responsive breakpoints)
- E: build/infra (1 MB bundle, lockfile drift, Monaco workers, README)
- F: test coverage (zero tests for marketApi, builders, screener, endpoints)
- G: mobile parity (none of the new features exist on mobile)

Each row has a severity tag, status box, and a slot for the fix-commit hash.
Subsequent commits will reference items by ID (e.g. fix(A1): ...).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Records Cosmos DB setup (12 containers), Azure OpenAI deployments (gpt-4o,
gpt-4o-mini), Key Vault secrets, and pending work items.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>