Resolves 12 local advisories (3 high, 3 moderate, 6 low) with zero
direct-dep version changes — all within existing semver ranges:
- axios 1.13.6 -> 1.16.1 (SSRF via NO_PROXY bypass, prototype pollution
via validateStatus/parseReviver, CRLF injection in multipart bodies,
null byte injection in URLSearchParams)
- vite 6.4.1 -> 6.4.2 (high)
- lodash 4.17.23 -> 4.18.1 (high)
- postcss 8.5.6 -> 8.5.15 (moderate)
- plus the rest of the transitive graph
package.json is unchanged. tsc passes, frontend container rebuilds
cleanly, login page renders without console errors. Verified via
docker compose up -d --build nofx-frontend.
- LoginPage: two-column desktop layout with brand panel (status pill,
gradient headline, stats strip) and form panel; single-column mobile
layout with centered brand mark. Self-contained grid centering so
layout no longer depends on parent flex behavior. Drop the dead
OnboardingModeSelector (it belongs to SetupPage, not login) and add
loader spinner, animated submit arrow, and clearer error banner.
- StrategyMarketPage: replace the 560-line bespoke marketplace with a
branded handoff to vergex.trade/explore. Direct iframe embedding is
currently blocked by vergex's X-Frame-Options: SAMEORIGIN and
frame-ancestors 'self', and there is no way to reliably detect the
block from JavaScript (load event fires for the browser error page,
contentWindow.location throws SecurityError in both success and
failure). The component now renders a centered card with the
POWERED BY VERGEX.TRADE pill, headline, description, gold CTA, and
a stats row, with all three supported languages.
- .gitignore: exclude .gstack/ (local security audit reports).
- config: require JWT_SECRET >=32 bytes and reject the historical
default fallback; MustInit aborts startup under an insecure config
- api: CORS now uses CORS_ALLOWED_ORIGINS allowlist with safe
localhost defaults instead of returning Access-Control-Allow-Origin: *
- api: /api/reset-password and /api/reset-account stay public so
recovery still works, but require an explicit confirm phrase in the
body to block accidental and drive-by triggers
- api: drop adoptOrphanRecords so wiping the account no longer hands
the next registrant the previous owner's wallet keys and exchange
API credentials
- api: getTraderFromQuery now does a soft ownership check; equity-history
is restricted to traders with show_in_competition=true and
GetOrderFills joins on trader_id
- telegram: bot api_request tool uses a default-deny method+path
allowlist so prompt injection cannot reach password, exchange key,
AI provider or wallet endpoints
- ci: drop @master / @main on trivy-action and trufflehog; pin to
released versions with a TODO to move to SHA + Dependabot
- web: reset flows send the required confirm phrase; "Forgot account"
copy (en/zh/id) warns that wallet and exchange keys will be lost
- docker-compose: keep ./.env mount for onboarding wallet persistence
with an inline note on the tradeoff, drop the host-exposed pprof port
- Add 'Backed by vergex.trade' banner to English and all localized READMEs
- Sync 6 localized READMEs (zh-CN, ja, ko, ru, uk, vi) to match English structure
- Add missing sections: Screenshots, Deploy to server, Architecture, Sponsors
- Remove orphaned root-level README.ja.md (now lives in docs/i18n/ja/)
- Lead with global market coverage and exchange registration links
- Position Claw402 as automatic pay-as-you-go model access
- Update VergeX links and remove stale API docs reference
- Position NOFX around US stocks, commodities, forex, and crypto
- Update the README hero, feature summary, markets section, and architecture label
- Keep the copy affirmative and avoid defensive crypto-only comparisons
- Update landing, chart, settings, and data page copy for stock trading
- Adjust branding and translations around Hyperliquid positioning
- Extend frontend config types for the updated exchange settings
- Add stock symbol panel and agent chat page wiring
- Update onboarding and tool visibility for focused trader flows
- Tighten related tests around configuration and trader scope
- Extend strategy storage and engine analysis for Hyperliquid defaults
- Rework coin source and indicator editors for the stock strategy flow
- Update Strategy Studio translations and page wiring
- Add Hyperliquid/XYZ symbol normalization tests and backend coverage
- Extend kline and market data lookup paths for US stock symbols
- Wire frontend data API types for stock-oriented market requests
Remove the old generic risk-profile defaults from the user strategy bootstrap path and replace them with concrete Hyperliquid USDC equity presets that can be selected directly when creating an AI trader.
Add three ready-to-run strategy presets: a volume-ranked US stock trend preset, a fixed mega-cap preset covering AAPL-USDC/MSFT-USDC/GOOGL-USDC/AMZN-USDC/META-USDC, and a gainers-ranked US stock breakout preset.
Normalize the presets to use Hyperliquid-native stock discovery instead of AI500/OI crypto-style sources, with conservative defaults for max positions, leverage, margin usage, confidence, risk-reward, and multi-timeframe indicators.
Make default strategy synchronization idempotent for existing users: remove obsolete unused legacy preset rows, backfill the new US stock presets, and avoid overriding an already active custom strategy.
Update the trader creation modal preview labels so Hyperliquid stock ranking and fixed US stock sources are described clearly when users select a strategy.
Add API tests covering the new preset set, legacy preset cleanup, idempotent sync behavior, and preservation of an existing active custom strategy.
Verified with: go test ./api ./store; npm run build; docker compose up -d --build nofx nofx-frontend; backend /api/health; frontend HTTP 200; compose health checks.
Clarify the rationale for not injecting conversation history in the
legacy loop comment, and extract plannerToolDomainForText result into
a named variable for readability.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add missing .nofx-glass CSS class (used in 20+ places but undefined)
- Fix Input component referencing undefined --brand-black/--brand-light-gray
- Unify background colors to #0B0E11 (was 3 different near-blacks)
- Switch body font from IBM Plex Mono to Inter for readability
- Improve chat bubble contrast (bg 0.03→0.05, border 0.05→0.08)
- Brighten timestamp (#2c2c42→#5a5a72) and disclaimer (#1e1e32→#4a4a62)
- Unify ::selection color to gold (was orange)
- Remove global button:hover translateY that conflicted with active:scale
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Remove conversation history injection from thinkAndActLegacyWithStore.
Previously, the legacy loop appended all prior Q&A turns, causing the
LLM to re-answer topics from earlier conversations (e.g. strategy data
leaking into a wallet balance question). Each legacy-loop call is now
treated as a standalone request with domain-filtered tools.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Root cause: when planner fails (402 payment), legacy loop dumps all system
context to LLM which outputs everything. Also final response prompt was too
weak — LLM treated all observations as required output.
Changes:
- Strengthen system prompt: "answer ONLY what user asked", no tables/tutorials
unless requested, no self-intro repeats, no "next step" suggestions
- Add compact observation summary for final response (step summaries only,
no raw JSON blobs)
- Domain-filtered tool selection in legacy loop to prevent over-fetching
- Fix domain routing: "钱包/wallet" → account domain (not model), with
exchange configs included for wallet context
- Widen wallet fast-path: no longer requires "claw402" keyword
- Anti-repetition instructions in planner step selector
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Agent now uses mcp.NewAIClientByProvider() for claw402 provider, ensuring
x402 payment signing works correctly instead of generic HTTP client
- Added ReasoningContent field to Message/LLMResponse structs and wired
serialization/parsing so DeepSeek thinking models work in multi-turn
- Added Beta badge to Agent nav tab in HeaderBar
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add NOFXi agent backend: central brain, planner runtime, skill routing,
memory/state handling, config validation, and action execution
- Add agent chat page with SSE streaming, step/status panels, and
user preferences
- Extend trader/model/exchange/strategy APIs and store for agent-driven
configuration
- Add stopCh guard in async maintenance goroutine to prevent leak on Stop()
- Add timeout context for trader diagnosis LLM calls
- Add TargetRef nil guards in all execute*Action handlers
- Add ensureHistory() for nil-safe history access
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Use PR branch (dev-nofxi) as authority for agent/ module code
- Merge dev's newer model names (MiniMax-M2.7, deepseek-v4-flash)
with PR's blockrun provider entries
- Fix duplicate agent init in main.go, keep defer-based Stop()
- Fix var type bug in store/ai_model.go (model → models)
- Remove dev-only test files incompatible with PR's evolved agent code
(to be re-synced after merge)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add nil checks for session.TargetRef in all four execute*Action
handlers (Trader/Exchange/Model/Strategy) to prevent panic on
corrupted sessions; bulk-delete and query actions are excluded
- Add ensureHistory() helper and call it in runPlannedAgentWithContextMode
to prevent nil panic when history is not initialized
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add stopCh check in runPostResponseMaintenanceAsync to respect agent
shutdown, preventing goroutine leak on Agent.Stop()
- Replace bare context.Background() in handleTraderDiagnosisSkill with
a 30s timeout context for proper deadline propagation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
All conflicts were in frontend files where main had beginner-mode features
(BeginnerGuideCards, Claw402 balance alerts, mode switcher, actionable error
helpers) that dev intentionally simplified. Kept dev's version in every case.
Removed unused navigate import in SettingsPage after conflict resolution.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add nil checks for session.TargetRef in all four execute*Action handlers
(Trader/Exchange/Model/Strategy) to prevent panic on corrupted sessions;
actions that don't need a target (query/query_list/create) are excluded.
- Fix toast.success indentation in handleToggleTrader so success messages
only fire when the API call actually succeeds.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Fix Stop() race condition using sync.Once
- Add ensureHistory() to prevent nil panic in planner/dispatcher
- Add bounds check on trader ID slicing
- Log saveExecutionState and clearSetupState errors instead of discarding
- Remove always-true modelID condition in onboard setup
- Add Chinese setup keywords and expand model name aliases
- Strip max_tokens from claw402 requests to avoid thinking-model budget exhaustion
- Hide Agent nav tab (Beta) pending merge to main
- Sync tests with code changes
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* feat(payment): add new DeepSeek V4 models to claw402 endpoints and pricing
- Introduced "deepseek-v4-flash" and "deepseek-v4-pro" endpoints in claw402ModelEndpoints.
- Updated modelPrices to include pricing for the new DeepSeek V4 models.
- Added model constants for the new DeepSeek V4 models in the trader component.
* refactor(claw402): update default model to deepseek-v4-flash across components
- Changed the default model for Claw402 from "glm-5" to "deepseek-v4-flash" in multiple files, including the AI model handler and onboarding logic.
- Updated model constants and configurations in the trader component to reflect the new default model.
- Enhanced the model configuration modal to accommodate the new default model setting.
---------
Co-authored-by: Dean <afei.wuhao@gmail.com>
- Introduced "deepseek-v4-flash" and "deepseek-v4-pro" endpoints in claw402ModelEndpoints.
- Updated modelPrices to include pricing for the new DeepSeek V4 models.
- Added model constants for the new DeepSeek V4 models in the trader component.
Co-authored-by: Dean <afei.wuhao@gmail.com>
1. Prevent double-close panic on Stop() by using sync.Once in Scheduler,
Brain, and Sentinel; remove duplicate Stop() call in main.go
2. Add trade quantity (100k) and leverage (125x) sanity caps to prevent
LLM hallucinations or input errors from reaching the exchange
3. Mask secrets in onboarding setup state — only store "****" markers in
SystemConfig instead of plaintext API keys/secrets
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
