Sydnee WEEKLY (cross-cutting) audit — 2026-05-31 P0 findings: 0 P1 findings: 0 Risks: 0 - **Commits since last weekly (2026-05-24):** 39 code/feature commits + 7 daily-audit docs (excluding 115 peak-monitor hourly logs) - **Files changed:** `bot.py`, `pages.py`, `core/database.py` - **Major new work:** TV-BXt v2 (spread gate, WS-touch pricing, order-flow confirmation, IP allowlist, disable-algo-stops flag), reconcile avgCost sanity-check + quarantine 25%→55%, Phase-0 tape-scanner + scalp edge logger, OBV-trail dashboard history | Category | Count | |---|---| | P1 (carried) | 3 | | P1 (new) | 1 | | P2 (new) | 2 | | Doc drift (carried) | 2 | | Doc drift (new) | 1 | | **Fixed this week** | 0 (no carried items resolved) | --- Full report (dev branch): https://github.com/kanex1/sydnee.signals/blob/dev/docs/audit_2026-05-31_weekly.md Reply FROM [email protected] to [email protected] to request fixes, e.g.: "code_task on sydnee-signals-dev: apply fix for the P0 about RVOL threshold in bot.py" Sydnee Agent will propose + you APPROVE (or plain 'approve') + auto-push to dev. --- Full audit below (first 12 KB) --- # Weekly Code Audit 2026-05-31 ## Summary - **Commits since last weekly (2026-05-24):** 39 code/feature commits + 7 daily-audit docs (excluding 115 peak-monitor hourly logs) - **Files changed:** `bot.py`, `pages.py`, `core/database.py` - **Major new work:** TV-BXt v2 (spread gate, WS-touch pricing, order-flow confirmation, IP allowlist, disable-algo-stops flag), reconcile avgCost sanity-check + quarantine 25%→55%, Phase-0 tape-scanner + scalp edge logger, OBV-trail dashboard history | Category | Count | |---|---| | P1 (carried) | 3 | | P1 (new) | 1 | | P2 (new) | 2 | | Doc drift (carried) | 2 | | Doc drift (new) | 1 | | **Fixed this week** | 0 (no carried items resolved) | --- ## Fixed Since Last Weekly (2026-05-24) None of the P1s from the 2026-05-24 weekly were addressed this week. All three carry forward (see Findings below). --- ## Findings --- ### [CONFIG] P1 (new): `TV_BXT_TRAIL_AGAINST` has two different defaults in the same file **Files:** `bot.py:3750`, `bot.py:14062` **Evidence:** ```python # bot.py:3750 — _obv_trail_stop_hit (LIVE TRADING path): agnst = float(os.environ.get("TV_BXT_TRAIL_AGAINST", "1.0")) # bot.py:14062 — api_trade_obv_trail (history REPLAY endpoint): agnst = float(os.environ.get("TV_BXT_TRAIL_AGAINST", "1.5")) ``` When `TV_BXT_TRAIL_AGAINST` is not set in the environment, the live engine uses a `1.0×ATR` against-trend trail, but the OBV-trail history endpoint reconstructs the stop history using `1.5×ATR`. Every closed-trade timeline shown on the dashboard shows a tighter stop than what actually ran — the replay cannot accurately reproduce the stop sequence that was live. The discrepancy was almost certainly introduced when the history endpoint was added as a copy of the live path with different defaults. The live default (`1.0`) matches `strategy_decisions.md` ("tight 1×ATR when OBV turns"). **Impact:** Historical stop-analysis data on the trade card is wrong whenever the env var is unset (the default path). Could cause incorrect post-trade analysis conclusions ("the stop was too tight/wide" when it wasn't). **Recommendation:** Change `bot.py:14062` to `"1.0"` to match the live default. One-line fix. --- ### [SECURITY] P1 (carried 5 weeks — 2026-05-03 → 2026-05-31): Hardcoded `"8881"` API key in client-side JavaScript **Files:** `pages.py:6865`, `pages.py:7109`, `pages.py:7673`, `pages.py:7960`, `pages.py:7965`, `pages.py:7968` **Evidence:** ```js // pages.py:6865 — stock add fetch('/api/stocks/add', {headers: {'X-API-Key': '8881'}, ...}) // pages.py:7109 — screener scan apiPost("/api/screener/run", {password: "8881", ...}) // pages.py:7673 — cancel order fetch("/api/positions/cancel", {headers: {"X-API-Key": "8881"}, ...}) // pages.py:7960, 7965, 7968 — QA approve/reject/defer apiPost('/api/qa/suggestion/'+id, {action:'approved', password:'8881'}) ``` Server: `API_KEY = os.environ.get("API_KEY", "8881")` (bot.py:11140). If `API_KEY` is rotated, all six JS actions break silently with 401. The literal `"8881"` is visible in every page source load. **Impact:** Credential in plain-text page source; rotation breaks six write features; weak 4-digit default. **Recommendation:** Pass key via Jinja2 template variable: `render_template_string(PAGE_HTML, api_key=API_KEY)` and replace the six literals with `{{ api_key }}`. ~15 min fix. --- ### [SCHEMA] P1 (carried 5 weeks — 2026-05-03 → 2026-05-31): 5 tables + 2 columns missing from `core/schema.sql` **Files:** `core/database.py:1852`, `1891`, `1903`, `2003`, `2024`; `core/database.py:230-231`; `core/schema.sql` **Evidence (tables):** ```python # core/database.py — INSERT INTO tables with no CREATE TABLE in schema.sql: # :1852 change_requests # :1891 qa_reports # :1903 qa_suggestions # :2003 screener_results # :2024 screener_runs ``` **Evidence (columns added via ALTER TABLE, not in schema.sql):** ```python # core/database.py:230-231 "ALTER TABLE trades ADD COLUMN IF NOT EXISTS tick_peak_signed_vol BIGINT DEFAULT 0" "ALTER TABLE trades ADD COLUMN IF NOT EXISTS fri_ah_close_queued BOOLEAN DEFAULT FALSE" ``` `grep "change_requests\|qa_report\|qa_suggest\|screener_result\|screener_run\|tick_peak_signed_vol\|fri_ah_close_queued" core/schema.sql` → zero results. **Impact:** Fresh DB provision (staging reprovision, new dev environment) silently produces a different schema than what the code expects. The `IF NOT EXISTS` guard on ALTER TABLEs means the running instance is fine, but any new deploy starts broken without visible errors (`_safe()` wrappers swallow them). **Recommendation:** Add the 5 missing `CREATE TABLE IF NOT EXISTS` blocks (copy column lists from the INSERT statements) and add the 2 missing columns to the `trades` block in schema.sql. Convention to establish: any `ALTER TABLE ADD COLUMN IF NOT EXISTS` in database.py also gets reflected in schema.sql in the same commit. --- ### [SCHEMA] P2 (new): `scalp_signal_log` table absent from `core/schema.sql` **Files:** `core/database.py:300-331`; `core/schema.sql` **Evidence:** ```python # core/database.py:300-331 — ensure_scalp_signal_log_table(): CREATE TABLE IF NOT EXISTS scalp_signal_log ( id BIGSERIAL PRIMARY KEY, ts TIMESTAMPTZ NOT NULL, symbol VARCHAR(12) NOT NULL, ... ) ``` `grep "scalp_signal_log" core/schema.sql` → zero results. The table is created dynamically when `SCALP_SIGNAL_LOG=true` via `ensure_scalp_signal_log_table()` (called at loop startup, bot.py:16107). That's robust at runtime. But schema.sql does not document the table, continuing the pattern of schema drift that the 5-table P1 above represents. **Impact:** Schema documentation drift. Any engineer reading schema.sql to understand the DB structure will miss this table. Fresh provision without ever enabling `SCALP_SIGNAL_LOG` won't have the table, so the `/api/scalp-signal-log/summary` endpoint will 500 on a fresh instance if called before the flag is set. **Recommendation:** Add the `scalp_signal_log` CREATE TABLE to schema.sql (copy from database.py:310-330). Makes schema.sql the single source of DB truth again. --- ### [SECURITY] P2 (new): TV webhook IP allowlist is bypassable via `X-Forwarded-For` header spoofing **Files:** `bot.py:3592-3598`, `bot.py:12222-12227` **Evidence:** ```python # bot.py:3596-3598 — takes the FIRST XFF entry: xff = req.headers.get("X-Forwarded-For", "") if xff: return xff.split(",")[0].strip() # bot.py:11107 — ProxyFix already set: app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1) ``` `ProxyFix(x_for=1)` tells Werkzeug to trust ONE proxy hop — it correctly sets `request.remote_addr` to the actual client IP by consuming the rightmost XFF entry added by Traefik. However, `_tv_webhook_client_ip` bypasses ProxyFix and re-parses XFF manually, taking the FIRST (leftmost) entry. An attacker can prepend a TV relay IP to their request's `X-Forwarded-For` header (e.g. `X-Forwarded-For: 52.89.214.238`); Traefik appends the real IP to the right, making it `52.89.214.238, real.attacker.ip`. The function returns `52.89.214.238` → allowlist check passes. The secret check (`_secrets.compare_digest`, bot.py:12219) runs BEFORE the IP check and is not bypassed — this only matters if the secret is also compromised. **Impact:** Defense-in-depth bypass only. If the secret is rotated correctly the IP spoofing provides no additional leverage. If the secret leaks, an attacker from any IP can spoof the TV relay IPs to avoid the allowlist log noise. **Recommendation:** Replace the manual XFF parse in `_tv_webhook_client_ip` with `return req.remote_addr or ""` — ProxyFix has already done the right thing. One-line fix, no behavior change in the normal path. --- ### [DOC] P2 (new): 9 env vars added this week have no entry in CLAUDE.md **Files:** `bot.py:3967`, `bot.py:3589`, `bot.py:4000`, `bot.py:4016-4018`, `bot.py:14162`, `bot.py:16100`, `bot.py:16110-16112` **Evidence:** `grep -n "TV_BXT_DISABLE_ALGO_STOPS\|TV_BXT_FLOW_CONFIRM\|TV_BXT_FLOW_RATIO_MIN\|TV_BXT_FLOW_MIN\|TV_BXT_VOL_MIN\|TV_WEBHOOK_ALLOWED_IPS\|SCALP_SIGNAL_LOG\|TAPE_SCANNER_SYMBOLS" CLAUDE.md` → zero results. | Env var | Default | Effect | |---|---|---| | `TV_BXT_DISABLE_ALGO_STOPS` | `""` (stops ON) | Disables catastrophic + OBV-trail stops for TV model entirely | | `TV_BXT_FLOW_CONFIRM` | `""` (off) | Enables 1-min order-flow confirmation gate before entry | | `TV_BXT_FLOW_RATIO_MIN` | `0` (off) | Min imbalance ratio \|net_flow\|/vol to confirm entry (~0.15 = mild) | | `TV_BXT_FLOW_MIN` | `0` (off) | Absolute min signed volume floor for flow gate | | `TV_BXT_VOL_MIN` | `0` (off) | Absolute min total volume floor for flow gate | | `TV_WEBHOOK_ALLOWED_IPS` | TV's 4 relay IPs | Override TradingView IP allowlist; empty = secret-only auth | | `SCALP_SIGNAL_LOG` | `""` (off) | Enable Phase-0 tape-checklist edge logger (no trading) | | `TAPE_SCANNER_SYMBOLS` | `""` (full watchlist) | Pin tape-scanner to specific symbols instead of full watchlist | | `SCALP_SIGNAL_LOG_SEC` | `2.0` | Scan cadence in seconds for the scalp logger | | `SCALP_SIGNAL_LOG_MIN_SCORE` | `3` | Minimum 4-signal checklist score to log (3 or 4) | | `SCALP_SIGNAL_LOG_COOLDOWN_SEC` | `60` | Per-symbol cooldown between logged events | **Impact:** An operator debugging a production issue (or an AI session) won't know `TV_BXT_DISABLE_ALGO_STOPS` exists — this is a stop-loss kill switch that could be accidentally left set without anyone noticing. The CLAUDE.md BXt env-var table (already flagged in the 2026-05-24 weekly as incomplete) has grown 9 more gaps this week. **Recommendation:** Add these 9 vars to the BXt env-var reference table in CLAUDE.md. `TV_BXT_DISABLE_ALGO_STOPS` in particular should be highlighted as a kill switch (not a tuning param). --- ### [DOC] P2 (carried 2 weeks): CLAUDE.md Architecture section stale **Files:** `CLAUDE.md:6-11`, `CLAUDE.md:75-80` **Evidence (3 sub-issues, same as 2026-05-24 weekly):** - `CLAUDE.md:6`: "bot.py ~10K lines" → actual 18,140 lines (80% wrong); `pages.py` = 10,762 lines, not mentioned in Architecture at all. - `CLAUDE.md:75-80` Dev-Only section: "Production: IBKR for everything (no env var set)" directly contradicts Architecture-section note `USE_POLYGON_DATA=true on both dev and prod`. Both sections are in the same file. - Oracle sidecar (`oracle/service.py`, `Dockerfile.oracle`), the 4-way BXt model selector, the scanner page, and Phase-0 scalp logger remain absent from the Architecture section. **Impact:** Two-sentence contradiction in the same file about whether prod uses Polygon. Any session following the dev-only blurb will assume prod has no Polygon and waste time debugging. **Recommendation (10-min fix):** 1. `CLAUDE.md:6`: update line count to "bot.py ~18K lines"; add `pages.py` (~11K lines). 2. `CLAUDE.md:75-80`: delete the Polygon bullet from Dev-Only Features (correct description already in Architecture section above it). 3. Add one sentence under Architecture: "Phase-0 tape-checklist scanner page (`/scanner`) + scalp edge logger (`SCALP_SIGNAL_LOG`) — research-only, no auto-trading." --- ### [DOC] P2 (carried 3 weeks): Friday EOD cutoff absent from CLAUDE.md Entry Time Blockers table **Files:** `CLAUDE.md:40-45`, `bot.py:4552-4558` **Evidence:** ```python # bot.py:4552-4558 — fires for ALL trigger types including rsi_extreme: if now_et.weekday() == 4 and t_min >= 15 * 60: self._log_activity(sym, "FRI CUTOFF: no new entries Friday after 12:00 PM PT", "block") return ``` The Entry Time Blockers table in CLAUDE.md has no Friday row. The "Net effect" summary says RSI extreme runs nearly 24×5 (with only the overnight and RTH-open gaps), implying it runs Friday PM — it doesn't. **Recommendation:** Add one row to the Entry Time Blockers table: ``` | Fri 12:00 PT (15:00 ET) onward | **all entries blocked** (weekend gap risk) | ALL triggers | ``` And update the Net effect line to note the Friday cutoff. --- ## OK (spot-checked, clean) - **New endpoint auth coverage**: `/api/tape-scanner`