bytelyst/learning_ai_invt_trdg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
learning_ai_invt_trdg/web/workspace-system-scan-2026-02-21.md

243 lines
14 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Workspace System Scan Report
Date: 2026-02-21
Scope:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web`
## Method
- Static review of source, config, workflows, docs, and tests.
- Runtime checks executed:
- Bot: `npm run build`, `npm run test`
- Web: `npm install`, `npm run build`, `npm run lint`, `npm run test`
## Executive Summary
- The platform has strong functional coverage and many tests on the web repo, but there are several critical security and contract-integration issues that can cause unsafe trading behavior or admin controls to fail silently.
- Most urgent issues:
1. Secrets committed to git in tracked `.env` files.
2. Bot API/socket layer has no auth enforcement.
3. Frontend-backend API/event contract drift (frontend calls endpoints/events not implemented by backend).
4. Manual trade endpoint can route to the wrong account when `user_id` is omitted.
## Confirmed Runtime Results
- Bot build: pass (`tsc`).
- Bot test: fail by design (no tests configured): `package.json:8`.
- Web build: pass, but Node runtime warning (`Node.js 19.7.0`; Vite expects 20.19+).
- Web lint: pass.
- Web tests: fail with 33 worker errors (`ERR_REQUIRE_ESM` chain via jsdom/html-encoding-sniffer under current Node runtime).
- `npm install` in web reported `11 vulnerabilities (1 moderate, 10 high)`.
## Findings (By Severity)
### Critical
1) Secret exposure in tracked env files
- Evidence:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/.env:4`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/.env:5`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/.env.production:2`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/.env.production:3`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/.env:12`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/.env:13`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/.env:35`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/.env:53`
- Tracked in git:
- web: `git ls-files .env .env.production` returns both
- bot: `git ls-files .env .env.example` returns `.env`
- Risk:
- Credential leakage and unauthorized access.
- Recommendation:
- Rotate all exposed keys immediately.
- Remove tracked env files from git history and keep only sanitized examples.
- Enforce pre-commit + CI secret scanning on both repos.
2) Bot API and socket server expose privileged actions without auth checks
- Evidence:
- Wildcard CORS: `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:109`, `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:187`
- No auth middleware before routes: `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:191`
- Trade endpoint lacks token verification: `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:255`
- Chat endpoint lacks token verification: `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:285`
- Socket connection accepts all clients, no token verification: `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:365`
- Risk:
- Any reachable client can call trading/chat APIs and subscribe to live state.
- Recommendation:
- Add JWT verification middleware for HTTP and `io.use()` auth guard for socket.
- Restrict CORS origins and disable wildcard in production.
3) Cross-account/manual routing risk in `/api/trade`
- Evidence:
- Endpoint fallback to first available manager when `user_id` is missing:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:263`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:265`
- Frontend call omits `user_id` in payload:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/components/EntryForm.tsx:112`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/components/EntryForm.tsx:137`
- Risk:
- A user can accidentally execute against another users manager/account.
- Recommendation:
- Require authenticated user identity on backend; derive `user_id` from verified token claims, not request body.
- Reject requests without resolvable account context.
4) Frontend-backend contract drift breaks admin and position operations
- Evidence (frontend expects endpoints/events):
- Pause/Resume: `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/tabs/AdminTab.tsx:120`, `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/tabs/AdminTab.tsx:149`
- Clear events: `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/tabs/AdminTab.tsx:178`
- Close position: `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/tabs/PositionsTab.tsx:1093`
- WebSocket events expected: `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/hooks/useWebSocket.ts:298`, `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/hooks/useWebSocket.ts:329`, `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/hooks/useWebSocket.ts:336`, `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/hooks/useWebSocket.ts:347`
- Evidence (backend implemented routes/events are different/limited):
- Routes only in current server include `/health`, `/api/status`, `/api/alerts`, `/api/symbol/:symbol`, `/api/config`, `/api/trade`, `/api/chat`:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:192`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:255`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:285`
- Socket emits only `state` on connect plus symbol/order/history/settings updates:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:367`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:413`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:439`
- Risk:
- UI controls appear present but fail at runtime (admin toggles, square-off, health panes).
- Recommendation:
- Create and enforce a shared API/event contract (OpenAPI + typed socket event map) consumed by both repos.
### High
5) Per-profile rule parameters are not applied during execution
- Evidence:
- Profile rules include params in input type:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/strategies/ProStrategyEngine.ts:46`
- Engine only uses `enabled` and rule order; each rule is called as `rule.check(context)` with no profile params:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/strategies/ProStrategyEngine.ts:73`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/strategies/ProStrategyEngine.ts:105`
- Rules pull thresholds from global config:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/strategies/rules/MomentumRule.ts:20`
- Risk:
- UI-configured per-profile tuning appears saved but has little/no effect except rule enablement.
- Recommendation:
- Pass effective per-profile params into each rule evaluation and validate fallback behavior.
6) Dashboard signal can be nondeterministic across profiles
- Evidence:
- Parallel profile evaluation and first-completing result chosen for global display:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/index.ts:266`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/index.ts:276`
- Risk:
- Dashboard signal may flip depending on async completion order, not deterministic policy.
- Recommendation:
- Replace “first result wins” with deterministic aggregation (e.g., profile priority, quorum, or dedicated display profile).
7) Order feed/state is overwritten with single-order arrays
- Evidence:
- TradeExecutor sends one-element order array each update:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/TradeExecutor.ts:257`
- API server replaces full order state:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/apiServer.ts:437`
- Risk:
- Dashboard order history loses prior orders unless DB backfill covers it.
- Recommendation:
- Append/update by order ID server-side rather than full replacement.
### Medium
8) Dynamic config assignment has no type coercion or validation
- Evidence:
- Raw values copied directly into typed config:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/config/index.ts:132`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/config/index.ts:135`
- Risk:
- Numeric/boolean configs become strings and alter runtime behavior.
- Recommendation:
- Use a schema (zod/io-ts) with explicit per-key parsing and validation.
9) Admin tab opens a second socket connection
- Evidence:
- Root app already opens socket:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/App.tsx:58`
- Admin tab opens another:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/tabs/AdminTab.tsx:42`
- Risk:
- Extra connection load, duplicate subscriptions, racey debug log behavior.
- Recommendation:
- Lift socket instance into context and reuse one connection app-wide.
10) Potential divide-by-zero/NaN edge cases in signal and PnL logic
- Evidence:
- Wick calculation divides by candle size without zero guard:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/strategies/rules/EntryTriggerRule.ts:35`
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/strategies/rules/EntryTriggerRule.ts:37`
- `entryPrice` can be `0` on open:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/TradeExecutor.ts:94`
- PnL% divides by entryPrice:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/services/TradeExecutor.ts:190`
- Risk:
- Bad metrics, noisy alerts, invalid DB rows.
- Recommendation:
- Add guards for zero/NaN price paths and reject invalid candles/prices.
11) AI prompt is symbol-hardcoded
- Evidence:
- Prompt always references `BTC/USD`:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/src/strategies/rules/AIAnalysisRule.ts:77`
- Risk:
- AI output quality degrades for non-BTC symbols.
- Recommendation:
- Inject `ctx.symbol` in prompt and include timeframe/source metadata.
12) Frontend currently fetches and stores broker secrets in client profile
- Evidence:
- Profile query requests broker key/secret fields:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/components/AuthContext.tsx:100`
- Settings tab edits and writes key/secret fields from browser:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/src/tabs/SettingsTab.tsx:91`
- Risk:
- Higher blast radius if browser/session compromised.
- Recommendation:
- Move credential write/read to server-side proxy functions with strict role checks.
### Low / Maintainability
13) Toolchain/version alignment gap
- Evidence:
- No explicit Node version pin file (`.nvmrc`/`.node-version`) in either repo.
- CI uses Node 20 for web: `/Users/saravana/BytelystAI/trading/bytelyst-trading-dashboard-web/.github/workflows/ci.yml:23`
- Local run on Node 19 caused warnings and test worker failures.
- Recommendation:
- Add `engines` + `.nvmrc` in both repos; enforce in CI and local docs.
14) Bot repo lacks meaningful automated test script
- Evidence:
- `npm test` is placeholder:
- `/Users/saravana/BytelystAI/trading/bytelyst-trading-bot-service/package.json:8`
- Recommendation:
- Introduce unit tests for strategy/risk/execution and a mocked integration test for route auth and trade routing.
## Gaps / Capability Caps
- Missing shared contract package causes drift between UI expectations and bot implementation.
- Per-profile strategy customization currently behaves as partial customization (enable/order only, not full parameterization).
- Operational controls (pause/resume/events clear/square-off) are present in UI but not guaranteed by backend.
- Security model is inconsistent: frontend sends bearer tokens, backend largely ignores them.
## Priority Plan (Pragmatic)
### Phase 0 (Immediate: same day)
1. Rotate all exposed secrets and remove them from tracked files/history.
2. Disable unsecured production endpoints until auth middleware is in place.
3. Block `/api/trade` if backend cannot map verified user to a single manager.
### Phase 1 (1-2 days)
1. Implement HTTP + socket auth middleware with role checks for admin routes.
2. Add missing backend endpoints/events or remove dead UI controls behind feature flags.
3. Fix order-state replacement semantics and preserve rolling order history.
### Phase 2 (2-4 days)
1. Introduce typed shared contract for REST + socket events.
2. Apply per-profile rule params in strategy engine/rules.
3. Add config schema validation/coercion for dynamic config.
### Phase 3 (Hardening)
1. Pin Node runtime (`engines`, `.nvmrc`) and stabilize Vitest across environments.
2. Expand bot automated tests beyond scripts and external/live checks.
3. Add security gates in bot repo (gitleaks + dependency audit + auth tests).
## Final Assessment
- The foundation is workable, but production safety depends on resolving auth, secrets, and contract drift first.
- After those are fixed, the main performance/quality gains come from deterministic aggregation, full profile-parameter support, and better test reliability.
Reference in New Issue View Git Blame Copy Permalink