Sydnee WEEKLY (cross-cutting) audit — 2026-06-14 P0 findings: 0 P1 findings: 0 Risks: 0 - **Commits since last weekly (2026-06-07):** ~43 feature/fix commits (excl. peak-monitor hourly logs and daily-audit docs; 90 total) - **Files changed:** `bot.py`, `pages.py`, `vianexus_client.py`, `futures_client.py`, `polygon_client.py`, `Dockerfile.oracle`, `Dockerfile.ibkr_ws`, `Dockerfile.poly_ws` - **Major new work this week:** Day/Tone page (SMB three-pillar, NDJSON streaming, Sonnet direct SDK), ENGINE selector flattening (MODEL→ENGINE, 6-option mutex), Tape phase 2 completion (A4 sector gate, in-play A1/A3 gates, discovery scanner, TAPE_STRICT_SIG2, TAPE_TICK_EXIT), viaNexus integration + earnings guard, nav Day→Tone pill with live RISK-ON/OFF score | Category | Count | |---|---| | P1 carried | 5 | | P1 new | 1 | | P2 carried | 5 | | P2 new | 2 | | Dead code | 1 | | Perf | 1 | | **Fixed since last weekly** | 0 (none of the 10 prior findings addressed) | --- Full report (dev branch): https://github.com/kanex1/sydnee.signals/blob/dev/docs/audit_2026-06-14_weekly.md Reply FROM [email protected] to [email protected] to request fixes, e.g.: "code_task on sydnee-signals-dev: apply fix for the P0 about RVOL threshold in bot.py" Sydnee Agent will propose + you APPROVE (or plain 'approve') + auto-push to dev. --- Full audit below (first 12 KB) --- # Weekly Code Audit 2026-06-14 ## Summary - **Commits since last weekly (2026-06-07):** ~43 feature/fix commits (excl. peak-monitor hourly logs and daily-audit docs; 90 total) - **Files changed:** `bot.py`, `pages.py`, `vianexus_client.py`, `futures_client.py`, `polygon_client.py`, `Dockerfile.oracle`, `Dockerfile.ibkr_ws`, `Dockerfile.poly_ws` - **Major new work this week:** Day/Tone page (SMB three-pillar, NDJSON streaming, Sonnet direct SDK), ENGINE selector flattening (MODEL→ENGINE, 6-option mutex), Tape phase 2 completion (A4 sector gate, in-play A1/A3 gates, discovery scanner, TAPE_STRICT_SIG2, TAPE_TICK_EXIT), viaNexus integration + earnings guard, nav Day→Tone pill with live RISK-ON/OFF score | Category | Count | |---|---| | P1 carried | 5 | | P1 new | 1 | | P2 carried | 5 | | P2 new | 2 | | Dead code | 1 | | Perf | 1 | | **Fixed since last weekly** | 0 (none of the 10 prior findings addressed) | --- ## Fixed Since Last Weekly (2026-06-07) None. All 10 findings from the 2026-06-07 weekly carry forward unchanged. --- ## Findings --- ### [SECURITY] P1 (carried 7 weeks — 2026-05-03 → 2026-06-14): Hardcoded `"8881"` API key — 5 sites remain **Files:** `pages.py:7222`, `pages.py:7466`, `pages.py:8030`, `pages.py:8317`, `pages.py:8322`, `pages.py:8325` **Evidence:** ```js // pages.py:7222 — stock add fetch('/api/stocks/add',{...,'X-API-Key':'8881'}...) // pages.py:7466 — screener scan apiPost("/api/screener/run",{...,"password":"8881"}) // pages.py:8030 — cancel order fetch("/api/positions/cancel",{...,"X-API-Key":"8881"}...) // pages.py:8317, 8322, 8325 — QA approve/reject/defer apiPost('/api/qa/suggestion/'+id,{action:'approved',...,password:'8881'}) ``` Working pattern already in use at lines 1812, 5987, 9087, 9176 etc.: `(window.API_KEY||"8881")`. The 5 remaining sites are untouched. **Impact:** Key visible in page source; rotation silently breaks these 5 write paths with 401. Seven weeks unfixed. **Recommendation:** Apply `(window.API_KEY||"8881")` to all 5 sites. ~10 min. --- ### [SCHEMA] P1 (carried 7 weeks — 2026-05-03 → 2026-06-14): 6 tables + 18 columns missing from `core/schema.sql` **Files:** `core/database.py:1869`, `2062`, `2074`, `2174`, `2195`, `310`; `core/schema.sql` **Evidence:** ```bash grep -n "scalp_signal_log\|change_requests\|qa_report\|screener_result\|screener_run" core/schema.sql # → zero results ``` Missing tables: `scalp_signal_log`, `change_requests`, `qa_reports`, `qa_suggestions`, `screener_results`, `screener_runs`. Missing ALTER TABLE columns on `trades` (`tick_peak_signed_vol`, `fri_ah_close_queued`) and 16 exit-research columns on `scalp_signal_log` (`price_300s`, `ret_300s`, `flow_30s/60s/120s/300s`, `score_30s/60s/120s/300s`, `mfe_30s/60s/120s/300s`, `mae_30s/60s/120s/300s`). **Impact:** Fresh DB provision is silently broken. Disaster-recovery or new staging stand-up starts missing 6 tables; `_safe()` wrappers swallow subsequent errors. Seven weeks unfixed. **Recommendation:** Add `CREATE TABLE IF NOT EXISTS` blocks for all 6 tables and the 18 missing ALTER TABLE columns to `schema.sql`. Establish convention: ALTER TABLE in `database.py` must land in `schema.sql` in the same commit. --- ### [CONFIG] P1 (carried 4 weeks — 2026-05-17 → 2026-06-14): `TV_BXT_TRAIL_AGAINST` default drift between live path and replay endpoint **Files:** `bot.py:3775`, `bot.py:14802` **Evidence:** ```python # bot.py:3775 — _obv_trail_stop_hit (LIVE TRADING): agnst = float(os.environ.get("TV_BXT_TRAIL_AGAINST", "1.0")) # bot.py:14802 — api_trade_obv_trail (HISTORY REPLAY endpoint): agnst = float(os.environ.get("TV_BXT_TRAIL_AGAINST", "1.5")) ``` **Impact:** When `TV_BXT_TRAIL_AGAINST` is unset (the default), the trade card's OBV-trail history panel reconstructs stops with a 1.5× ATR against-stop while the live engine ran 1.0×. Every closed-trade stop timeline in the UI is wrong by 50% of the against-trail width on the default path. **Recommendation:** Change `bot.py:14802` default from `"1.5"` → `"1.0"`. One line, 30 seconds. --- ### [SECURITY] P1 (carried 4 weeks — 2026-05-17 → 2026-06-14): XFF first-hop bypass in `_tv_webhook_client_ip` **Files:** `bot.py:3617-3626` **Evidence:** ```python def _tv_webhook_client_ip(self, req) -> str: """... X-Forwarded-For contains the original client IP (first entry).""" xff = req.headers.get("X-Forwarded-For", "") if xff: return xff.split(",")[0].strip() # ← attacker-controlled first entry return req.remote_addr or "" ``` `ProxyFix(x_for=1)` (bot.py:11389) already sets `request.remote_addr` to the verified client IP by consuming the rightmost Traefik-appended entry. The manual `.split(",")[0]` takes the leftmost entry — an attacker can prepend any TV relay IP to spoof `X-Forwarded-For: 52.89.214.238, <attacker_real_ip>` and bypass the allowlist check. **Impact:** Defense-in-depth bypass. Shared-secret check (`_secrets.compare_digest`) still runs first; exploiting this also requires knowing the secret. **Recommendation:** Replace `bot.py:3621-3623` with `return req.remote_addr or ""`. ProxyFix has already done the right thing. Update docstring. One line. --- ### [DOC] P1 (carried 1 week — 2026-06-07 → 2026-06-14): `DISABLE_DAILY_LOSS_LIMIT` absent from CLAUDE.md **Files:** `core/risk.py:112`; `CLAUDE.md` **Evidence:** ```bash grep "DISABLE_DAILY_LOSS_LIMIT" CLAUDE.md # → zero results ``` `strategy_decisions.md` explicitly states: *"Hard re-enable the gate before any real-money promotion — this flag is NOT for prod."* That critical safety note exists nowhere in CLAUDE.md. **Impact:** Any operator or AI session reading CLAUDE.md and deploying the dev docker-compose env block to prod will run with no daily drawdown limit on real money. CLAUDE.md is the first reference an operator reads. **Recommendation:** Add to CLAUDE.md env-var table: ``` | DISABLE_DAILY_LOSS_LIMIT | "" (gate ON) | ⚠️ DEV ONLY — disables 5% NLV daily-loss circuit breaker. MUST be unset before real-money promotion. | ``` --- ### [INFRA] P1 (new — 2026-06-14): `Dockerfile.oracle` exposes port 8083 — collides with main bot Flask server **Files:** `Dockerfile:20`, `Dockerfile.oracle:12`; `oracle/config.py:56` **Evidence:** ```dockerfile # Dockerfile (main bot): EXPOSE 8083 # Dockerfile.oracle (oracle sidecar): EXPOSE 8083 ``` ```python # oracle/config.py:56 HEALTH_PORT = int(os.environ.get("ORACLE_HEALTH_PORT", "8083")) ``` `Dockerfile.poly_ws` correctly uses 8084; `Dockerfile.ibkr_ws` correctly uses 8085. The oracle is the only sidecar that defaults to the same port as the main bot's Flask server. If docker-compose maps both services on port 8083 of the host, one will fail to bind. **Impact:** Oracle health endpoint (`/health` on 8083) will collide with the main bot's Flask server if both are started on the same host without an explicit port override via `ORACLE_HEALTH_PORT`. On current dev/prod this may be masked by docker network isolation, but it's a landmine for any docker-compose port mapping. **Recommendation:** Change `oracle/config.py:56` default from `"8083"` to `"8086"` (next available after ibkr_ws's 8085). Update `Dockerfile.oracle` EXPOSE to 8086. ~5 min. --- ### [DEP] P2 (carried 4 weeks — 2026-05-17 → 2026-06-14): `requirements-oracle.txt` uses unpinned version ranges **Files:** `requirements-oracle.txt` **Evidence:** ``` numpy>=1.24 pandas>=2.0 psycopg2-binary>=2.9 redis>=5.0 requests>=2.31 ``` All other requirements files (`requirements.txt`, `requirements-ibkr_ws.txt`, `requirements-poly_ws.txt`) use `==` pins. The oracle sidecar is the only exception. A `pip install` today could pull `pandas 3.1` or `numpy 3.x` with breaking API changes. **Recommendation:** Pin to currently-resolved versions. Run on the dev oracle container: `pip freeze | grep -E "numpy|pandas|psycopg2|redis|requests"` and hard-pin the output. ~5 min. --- ### [DOC] P2 (carried 4 weeks — 2026-05-17 → 2026-06-14): CLAUDE.md Architecture section stale (line counts + Polygon contradiction) **Files:** `CLAUDE.md:6-11`, `CLAUDE.md:74-83` **Evidence:** ``` CLAUDE.md:6: "bot.py ~10K lines" → actual: 20,646 lines (bot.py) + 12,207 lines (pages.py) CLAUDE.md:74-83: "Polygon data layer — dev uses Polygon.io for bars + real-time prices" + "Production: IBKR for everything (no env var set)" ``` The Polygon "dev-only" description directly contradicts CLAUDE.md's own RVOL Policy section which states "active on both dev + prod." Code confirms `POLYGON_API_KEY` gates RVOL on both environments; `USE_POLYGON_DATA=true` is also prod-deployed per Architecture section. The "dev-only" framing is wrong. Also still absent from the Architecture section: oracle sidecar, poly_ws sidecar, ibkr_ws sidecar, Day/Tone page, tape scanner, ENGINE selector. **Recommendation (15 min):** 1. `CLAUDE.md:6`: update to "bot.py ~21K lines, pages.py ~12K lines" 2. Remove the Polygon "Production: IBKR for everything" line 3. Add sidecar sentence to Architecture: "Sidecars: oracle (regime), poly_ws (Polygon WS), ibkr_ws (IBKR WS) — each with its own Dockerfile.{name} and requirements-{name}.txt" --- ### [DOC] P2 (carried 4 weeks — 2026-05-17 → 2026-06-14): Friday EOD entry cutoff absent from CLAUDE.md Entry Time Blockers **Files:** `CLAUDE.md:39-52`, `bot.py:4552-4558` **Evidence:** ```python # bot.py:4552-4558 if now_et.weekday() == 4 and t_min >= 15 * 60: # 15:00 ET = 12:00 PT self._log_activity(sym, "FRI CUTOFF: no new entries Friday after 12:00 PM PT", "block") return ``` The CLAUDE.md "Net effect" line says "RSI extreme runs RTH 07:00-13:00 PT always" — implying Friday PM is open. It isn't; the 12:00 PT Friday cutoff blocks all triggers including RSI extreme. **Recommendation:** Add row to Entry Time Blockers table: ``` | Fri 12:00 PT (15:00 ET) onward | all entries blocked (weekend gap risk) | ALL triggers | ``` --- ### [DOC] P2 (carried 4 weeks — 2026-05-17 → 2026-06-14): `TV_BXT_RTH_ONLY` flag name no longer describes its behavior **Files:** `bot.py:4047-4065`; `docs/strategy_decisions.md` **Evidence:** ```python # bot.py:4047-4048: # TV_BXT_RTH_ONLY=true (dev opt-in, kept name for compat): block NEW # entries outside the active session — pre-market + RTH = 04:00-16:00 ET ``` Flag name implies "RTH only" (09:30-16:00 ET). Actual behavior allows pre-market (04:00-09:30 ET). The code comment acknowledges the mismatch but the docs don't. `strategy_decisions.md` entry still describes it as "gate entries to 09:30-16:00 ET." **Recommendation:** Rename to `TV_BXT_SESSION_ONLY` with search-replace across bot.py + strategy_decisions.md, or add a clarifying CLAUDE.md note. Either way fix strategy_decisions.md description. --- ### [DOC] P2 (new — 2026-06-14): Day page hardcodes stale Claude model ID; UI label mismatches **Files:** `bot.py:12114`, `pages.py:6246` **Evidence:** ```python # bot.py:12114 (api_day_analyze, NDJSON streaming path): model="claude-sonnet-4-5-20250929", ``` ```js // pages.py:6246 (Sydnee chat card header): html += '<span class="model">claude-sonnet-4-5</span>'; ``` The current Sonnet generation is `claude-sonnet-4-6` (model ID: `claude-sonnet-4-6`). `claude-sonnet-4-5-20250929` is two generations behind. The Day page is the most user-visible AI surface — it streams to the dashboard on every page open. The UI label also shows the stale version to any user who inspects the card header. **Impact:** Using an older model costs the same API tokens but produces lower-quality analysis. If Anthropic deprecates `claude-sonnet-4-5-20250929`, the Day page silently falls back to the CLI path (`_call_sydnee`) with no streaming. **Recommendation:** Update `bot.py:12114` to `model="claude-sonnet-4-6"` and `pages.py:6246` to `claude-sonnet-4-6`. Two lines. --- ### [DOC] P2 (new — 2026-06-14): `CHANGELOG.md [Unreleased]` still empty — now 90 commits behind **Files:** `CHANGELOG.md` **Evidence:** ``` ## [v1.1] - 2026-04-13 ## [Unreleased - dev branch] ← no entries ``` This week alone: 43+