- Max drawdown was double-broken: the backend built the equity curve on a
hardcoded $10k baseline (understating a small account's drawdown ~20x) and
the frontend multiplied the already-percent value by 100 again (0.87% shown
as -86.9%). The curve now starts from the trader's real initial balance
(10k fallback when unknown) and the UI renders the percent once; the demo
engine and type docs are aligned to percent semantics.
- Header now separates equity-based 'Total P/L (incl. unrealized)' from
'Realized P/L (closed trades)' so it no longer contradicts profit factor /
win rate, and the stats strip shows the fee-drag chain
(gross - fees = net) plus a per-trade-labelled sharpe.
- Risk radar read a non-existent account field (total_unrealized_profit) so
unrealized PnL always showed $0; small PnLs also render with cents now.
- Nav 'Connect Hyperliquid' turns into a green connected chip when the server
already holds a fully-authorized exchange, instead of nagging forever from
a browser without the localStorage flow state.
Live verification of the relaunch (update) branch surfaced this: the update
response omitted is_running, so the launcher fired a redundant start that got
400 'Trader is already running', showing an error toast and skipping the
dashboard navigation even though the relaunch succeeded.
- PUT /traders/:id now reports is_running (a running trader is restarted with
the new config, so it stays running).
- The already-running rejection carries error_key trader.start.already_running
and the shared launcher treats it as success (launch is idempotent).
- POST /api/launch/preflight and GET /api/traders/:id/preflight run every
launch prerequisite (AI model credential, claw402 wallet key + Base USDC
balance, strategy, exchange config, live account state, funding minimums)
and return a structured checklist with stable codes; minimums (1 USDC AI
fee / 12 USDC trading) now live server-side and are exposed in the response.
- POST /traders/:id/start enforces the preflight (400 with error_key
trader.start.preflight_failed + full checklist; ?force=true to override).
Funding gates use max(available, equity) so restarting a bot with deployed
margin is not blocked; indeterminate probes (RPC outage) degrade to
warnings instead of blocking.
- Run loop now surfaces runtime health via GetStatus: safe_mode(+reason) and
ai_wallet_status/balance (ok|low|empty|unknown), including typed detection
of claw402 ErrInsufficientFunds instead of burying it in logs; safe-mode
state is mutex-guarded for API readers.
- Onboarding wallet endpoints switch to the cached, error-aware balance query
and report balance_status so the UI can tell an RPC outage from an empty
wallet.
- /api/ai500 returned a success/data envelope but the web httpClient
wraps the raw body as data, so the panel read coins as undefined and
showed the empty state; return a flat {coins,count} body like
/api/symbols
- the agent rendered AI500 rankings as a markdown table that the chat
UI flattens into an unreadable line: tool note + system prompt now
mandate numbered lists (one coin per line) and ban tables outright
- provider/nofxos: GetAI500ListCached — 5min TTL cache with stale
fallback on upstream failure; ResolveClient routes through the claw402
gateway when a wallet key is configured (user's claw402 model key ->
CLAW402_WALLET_KEY env -> direct nofxos)
- new GET /api/ai500 endpoint serving the score-sorted board
- new get_ai500_list agent tool + prompt rule: when the user wants coin
picks or creates a strategy without naming coins, consult AI500's
high-scoring entries by default
- web: AI500 sidebar panel (rank, score badge, gain since entry,
5min auto-refresh); clicking an entry asks the agent to analyze it
Address multiple vulnerabilities found during security review:
- Remove unauthenticated POST /api/crypto/decrypt decryption oracle (route,
handler, dead frontend helper) + regression test. Transport encryption is
one-directional; the server never needs to decrypt arbitrary client payloads.
- Redact secrets in config-update logs: handler_ai_model/handler_exchange logged
%+v of decrypted requests, leaking API keys / secret keys / passphrases /
private keys. Use named types shared with the log sanitizer so the masking
can never drift again; extend masking to passphrase + lighter_api_key_private_key.
- crypto: require a valid timestamp in DecryptPayload (a missing ts previously
skipped replay protection entirely).
- crypto: EncryptedString.Value() now fails closed instead of silently
persisting plaintext secrets when encryption errors.
- auth: per-IP token-bucket rate limiting on /login and /register against online
brute-force; raise registration password minimum 6 -> 8; add dummy bcrypt
compare on unknown-email login to close the user-enumeration timing channel.
- IDOR: getTraderFromQuery no longer falls back to the global in-memory trader
map; trader access is strictly scoped to the authenticated caller.
- Bump Go 1.25.10 -> 1.25.11 to resolve reachable net/textproto and crypto/x509
stdlib advisories (govulncheck now reports 0 affecting vulnerabilities).
Unauthenticated POST /api/reset-password and /api/reset-account were a
remotely exploitable auth-bypass on public-facing deployments. The confirm
phrase was embedded in the frontend and echoed back by the API, so it was
friction, not authentication: anyone who knew the account email could reset
the password, log in, and obtain a valid JWT.
Recovery now runs as local CLI commands that operate directly on the database
without starting the HTTP server:
nofx reset-password --email you@example.com
nofx reset-account
These require shell/file access to the host, which a remote attacker does not
have, so recovery stays safe even when NOFX is exposed to the public internet.
- cli.go: new reset-password / reset-account subcommands (hidden password
input on a TTY, --password/stdin for scripting, min 8 chars)
- main.go: dispatch subcommands before the server starts (backward compatible
with the legacy `nofx <dbpath>` arg)
- api: remove public /reset-password and /reset-account routes, their handlers,
and the public confirm-phrase constants
- web: replace the self-service reset form with CLI instructions; drop the
AuthContext resetPassword call and the LoginPage reset-account call (en/zh/id)
- telegram: refresh the bot allowlist comment
The Hyperliquid wallet-connect flow signs configuration values that
must match what the server expects and what the order placement layer
sends on-chain. The same constants live in four call sites:
- trader/hyperliquid/trader.go (used at order placement)
- api/handler_hyperliquid_wallet.go (returned by the connect endpoint
and validated on submit)
- web/src/components/common/HyperliquidWalletConnect.tsx
(signed by the user during connect)
- trader/hyperliquid/builder_fee_test.go
(pins the trader-side value)
Refresh all four together so the surfaces stay in lockstep.
- config: require JWT_SECRET >=32 bytes and reject the historical
default fallback; MustInit aborts startup under an insecure config
- api: CORS now uses CORS_ALLOWED_ORIGINS allowlist with safe
localhost defaults instead of returning Access-Control-Allow-Origin: *
- api: /api/reset-password and /api/reset-account stay public so
recovery still works, but require an explicit confirm phrase in the
body to block accidental and drive-by triggers
- api: drop adoptOrphanRecords so wiping the account no longer hands
the next registrant the previous owner's wallet keys and exchange
API credentials
- api: getTraderFromQuery now does a soft ownership check; equity-history
is restricted to traders with show_in_competition=true and
GetOrderFills joins on trader_id
- telegram: bot api_request tool uses a default-deny method+path
allowlist so prompt injection cannot reach password, exchange key,
AI provider or wallet endpoints
- ci: drop @master / @main on trivy-action and trufflehog; pin to
released versions with a TODO to move to SHA + Dependabot
- web: reset flows send the required confirm phrase; "Forgot account"
copy (en/zh/id) warns that wallet and exchange keys will be lost
- docker-compose: keep ./.env mount for onboarding wallet persistence
with an inline note on the tradeoff, drop the host-exposed pprof port
- Add Hyperliquid/XYZ symbol normalization tests and backend coverage
- Extend kline and market data lookup paths for US stock symbols
- Wire frontend data API types for stock-oriented market requests
Remove the old generic risk-profile defaults from the user strategy bootstrap path and replace them with concrete Hyperliquid USDC equity presets that can be selected directly when creating an AI trader.
Add three ready-to-run strategy presets: a volume-ranked US stock trend preset, a fixed mega-cap preset covering AAPL-USDC/MSFT-USDC/GOOGL-USDC/AMZN-USDC/META-USDC, and a gainers-ranked US stock breakout preset.
Normalize the presets to use Hyperliquid-native stock discovery instead of AI500/OI crypto-style sources, with conservative defaults for max positions, leverage, margin usage, confidence, risk-reward, and multi-timeframe indicators.
Make default strategy synchronization idempotent for existing users: remove obsolete unused legacy preset rows, backfill the new US stock presets, and avoid overriding an already active custom strategy.
Update the trader creation modal preview labels so Hyperliquid stock ranking and fixed US stock sources are described clearly when users select a strategy.
Add API tests covering the new preset set, legacy preset cleanup, idempotent sync behavior, and preservation of an existing active custom strategy.
Verified with: go test ./api ./store; npm run build; docker compose up -d --build nofx nofx-frontend; backend /api/health; frontend HTTP 200; compose health checks.
- Use PR branch (dev-nofxi) as authority for agent/ module code
- Merge dev's newer model names (MiniMax-M2.7, deepseek-v4-flash)
with PR's blockrun provider entries
- Fix duplicate agent init in main.go, keep defer-based Stop()
- Fix var type bug in store/ai_model.go (model → models)
- Remove dev-only test files incompatible with PR's evolved agent code
(to be re-synced after merge)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Move duplicated claw402 wallet resolution logic into store.AIModelStore.ResolveClaw402WalletKey
- api/strategy.go and manager/trader_manager.go now delegate to the shared method
- Add detailed doc comment on OKX SetMarginMode explaining the local-state-only approach
and why the legacy /api/v5/account/set-isolated-mode endpoint is not called
- Add 3 new test cases: cross mode leverage, OpenShort tdMode, SetTakeProfit tdMode
Google discontinued gemini-3-pro-preview on 2026-03-26 and directs all
callers to gemini-3.1-pro / gemini-3.1-pro-preview. Users on their own
API key were getting errors from the native Gemini endpoint because the
provider default pointed at the retired ID. Claw402 was unaffected
because its route map already used gemini-3.1-pro.
Align both the native provider default and the handler's preset list
with gemini-3.1-pro so every code path sends a live model ID.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Refactored the strategy handling logic to encapsulate claw402 wallet key retrieval in a new method, `resolveStrategyDataWalletKey`. This improves code readability and maintains consistent error handling for missing or invalid wallet keys during strategy test runs. The changes enhance the overall robustness of the AI model integration.
Added validation for the claw402 model's wallet key during strategy test runs. If the selected AI model is claw402, the server now checks for a valid wallet key and returns appropriate error messages if it's missing or if the model fails to load. This ensures better error handling and user feedback when working with AI models.
Add account reset functionality for users who forgot their login credentials.
The reset clears authentication data while preserving wallet private keys and
exchange configs, which are automatically adopted by the new account on
re-registration to prevent fund loss.
- Add POST /api/reset-account endpoint
- Add "Forgot account?" button on login page (zh/en/id)
- Orphan ai_models and exchanges are re-assigned to new user on register
- Onboarding reuses existing claw402 wallet instead of generating new one
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat: implement exchange account state management and UI updates
- Added functionality to invalidate exchange account state cache on exchange config updates, creation, and deletion.
- Introduced new API endpoint to fetch exchange account states.
- Updated frontend components to display exchange account states, including status and balance information.
- Enhanced user experience by refreshing exchange account states after relevant actions.
* feat: enhance trader creation readiness in AITradersPage and BeginnerGuideCards
---------
Co-authored-by: Dean <afei.wuhao@gmail.com>
- Pass `lang` from register request body to createDefaultStrategies
- Support zh/en/id locales for strategy names and descriptions
- Wrap strategy creation in a transaction to prevent partial writes
- Frontend sends current UI language in register request body
- Strategy list UI: 2-line clamp, unselected border, larger spacing, smaller font for non-zh
* feat: enforce strategy limits to prevent token overflow
* fix: tune token limits after real-world testing
- Relax kline max 20→30, timeframes 3→4 (tested ~41K tokens, safe under 131K)
- Restore ranking limits to original [5,10,15,20] options (only ~1.5K token impact)
- Add static coins limit (max 3) with toast notification
- Add timeframe limit toast when exceeding 4
- Log SSE token usage (prompt/completion/total) from API response
- Fix nil logger crash in claw402 data client (engine.go)
* feat: add token estimation functionality for strategy configurations
* feat: add discard changes button in Strategy Studio for unsaved modifications
* feat: retain selected strategy after saving in Strategy Studio
* feat: enhance strategy display in Strategy Studio with improved layout and sorting of token limits
* refactor: improve layout and styling of stats display in CompetitionPage
* refactor: replace select elements with NofxSelect component for improved consistency in strategy configuration forms
* style: update NofxSelect component to use smaller text size for improved readability
* feat: implement token overflow handling in strategy updates and UI
---------
Co-authored-by: Dean <afei.wuhao@gmail.com>
Remove the entire AI Debate Arena module (~5,300 lines) to simplify
the codebase. This removes the multi-AI debate trading decision system
including backend engine, API handlers, database store, frontend page,
navigation, translations, and documentation references.