Feat/code improvements

[cardosofede]

What changed

Security

• Default creds warning + debug bypass gated: app warns loudly when running with admin:admin; the debug_mode auth bypass now only works in non-production environments.
• CORS: configurable allowed origins instead of * + credentials.
• Path traversal hardening: account/connector names and archived-bot db_path are validated to stay inside their expected directories.

Correctness

• Per-instance (not shared) _last_known_prices.
• Accounts state is snapshotted before iterating (avoids mutation-during-iteration).
• MQTT teardown is awaited on orchestrator stop; recorder event tasks keep strong refs (no GC mid-flight).

Performance

• Account snapshots committed once per dump (not per row).
• Multi-account portfolio history in a single query; one DB session per connector in order sync; batched controller perf snapshots; demoted hot-path logging to debug.

Refactors (behavior-preserving)

• AccountsService god-class split apart → new gateway_wallet_service, perpetual_trading_service, portfolio_analytics_service (~1100 lines removed from the original).
• trading.py router and create_executor slimmed; shared pagination/cursor helpers extracted.

What to test for QA

1. Auth: login with real creds works; startup logs the default-credentials warning; debug bypass does NOT work when env=production.
2. CORS: configured origins accepted, others rejected; credentialed requests still work.
3. Path traversal: account/connector names and archived-bot endpoints reject ../ / absolute paths; valid names still work.
4. Accounts/portfolio: account state dump, balances, and multi-account portfolio history return correct data (these touched the biggest refactor — AccountsService split).
   Performance

• Account snapshots committed once per dump (not per row).
• Multi-account portfolio history in a single query; one DB session per connector in order sync; batched controller perf snapshots; demoted hot-path logging to debug.

Refactors (behavior-preserving)

• AccountsService god-class split apart → new gateway_wallet_service, perpetual_trading_service, portfolio_analytics_service (~1100 lines removed from the original).
• trading.py router and create_executor slimmed; shared pagination/cursor helpers extracted.

What to test for QA

1. Auth: login with real creds works; startup logs the default-credentials warning; debug bypass does NOT work when env=production.
2. CORS: configured origins accepted, others rejected; credentialed requests still work.
3. Path traversal: account/connector names and archived-bot endpoints reject ../ / absolute paths; valid names still work.
4. Accounts/portfolio: account state dump, balances, and multi-account portfolio history return correct data (these touched the biggest refactor — AccountsService split).
5. Gateway / perpetual / DEX wallet flows — they now live in new service modules; smoke-test the endpoints that use them.
6. Executors & trading: create/search/stop executors and the trading router endpoints behave identically.
7. Bots lifecycle: start/stop a bot, confirm MQTT shuts down cleanly with no dangling tasks.
8. Archived bots: list/read archived bots still works.

[rapcmia]

Commit Commit 60437ca

• Test PR using make setup; make deploy

Auth: login with real creds works; startup logs the default-credentials warning; debug bypass does NOT work when env=production.

• Test route with no auth, payload response not authenticated ok
• Test route with incorrect auth, payload response Incorrect username or password ok
• Test route with correct auth, returns needed payload response ok
• Test DEBUG_MODE=true, routes with no or incorrect auth
  • No auth still returns Not authenticated, meant that it still rejected on this test case ❌

    curl -s -X POST http://localhost:8000/portfolio/state \
        -H "Content-Type: application/json" -d '
      {
        "account_names": ["master_account"],
        "refresh": false
      }' | jq
    
    {
      "detail": "Not authenticated"
    }
    

---

CORS: configured origins accepted, others rejected; credentialed requests still work.

  curl -s -D - -o /dev/null -u admin:admin -X POST http://localhost:8000/portfolio/state \
    -H "Origin: http://localhost:3000" \
    -H "Content-Type: application/json" \
    -d '
  {
    "account_names": ["master_account"],
    "refresh": false
  }'

• Quick check what is CORS and how it works ok
• Tested with http://localhost:3000, returns access controller allow origin and credentials are localhost and true
• Test failed on CORS rejected-origin handling ❌
  • Tested whether /portfolio/state would block origins that should not be permitted, such as http://ralphwashere:36/ and 1:36
  • Sent authenticated requests with those Origin values and checked the response headers
  • It should pass by rejecting those origins and not returning Access-Control-Allow-Origin for them

    curl -s -D - -o /dev/null -u admin:admin -X POST http://localhost:8000/portfolio/state \
        -H "Origin: 1:36" \
        -H "Content-Type: application/json" \
        -d '
      {
        "account_names": ["master_account"],
        "refresh": false
      }'
      
      
    HTTP/1.1 200 OK
    date: Thu, 18 Jun 2026 14:44:04 GMT
    server: uvicorn
    content-length: 464
    content-type: application/json
    access-control-allow-origin: 1:36
    access-control-allow-credentials: true
    vary: Origin
    

---

Path traversal: account/connector names and archived-bot endpoints reject ../ / absolute paths; valid names still work.

• Test /accounts with a valid account name and confirm it works, ok
• Test archived-bot routes with a valid value and confirm they work,what ok
• Try bad inputs like ../ ❌ 
  • Observed this behavior same as main branch
  • Github issue created Archived bots - status route accepts traversal-style db_path instead of rejecting it #179

---

Todo: Test in progress

[rapcmia]

Commit 1402e47

• DEBUG_MODE has been removed
• Retest all and make sure image is set to local PR178
• Clone fresh version and test usign docker
• Start HAPI with condor main branch ok

Auth: login with real creds works; startup logs the default-credentials warning ✅

• Routes without auth, request rejected with payload response Not authenticated
• Routes with auth but incorrect credentials, payload response returned Incorrect username or password
• Routes with correct credentials, payload response returned requested data

---

CORS: configured origins accepted, others rejected; credentialed requests still work. ✅

• Test http://localhost/, returned 200 ok along with access-controller-allow-origin
• Test http://ralphwashere/, returned 200 but omitted access-controller-allow-origin
  • curl still gets 200 ok not does not enforce CORS

---

Path traversal: account/connector names and archived-bot endpoints reject ../ / absolute paths; valid names still work ✅

• Test archive-bot traversal rejection

  curl -s -u XXX:XXX 'http://localhost:8000/archived-bots/..%2F/status' | jq
  curl -s -u XXX:XXX 'http://localhost:8000/archived-bots/%2Ftmp%2Ftest/status' | jq
  curl -s -u XXX:XXX 'http://localhost:8000/archived-bots/..%2F%2F%2F%2Ftmp%2F%2F%2F%2Fx/status' | jq
  
  {
    "detail": "Path '../' is outside the archived bots directory"
  }
  {
    "detail": "Path '/tmp/test' is outside the archived bots directory"
  }
  {
    "detail": "Path '..////tmp////x' is outside the archived bots directory"
  }
  

  • GET /archived-bots/{db_path}/status now rejects traversal-style and path-style values with a clean error instead of attempting to open a SQLite path.
  • ..%2F, %2Ftmp%2Ftest, and ..%2F%2F%2F%2Ftmp%2F%2F%2F%2Fx all returned a clear "outside the archived bots directory" message.
• Test valid account and connector names
  • GET /accounts/master_account/credentials still works and returned configured connector names for the real account.
  • GET /connectors/binance/config-map still works and returned the expected config fields for a valid connector name.
• Test traversal-style account and connector names rejection

    curl -s -u XXX:XXX 'http://localhost:8000/accounts/..%2F/credentials' | jq
    curl -s -u XXX:XXX 'http://localhost:8000/accounts/%2Ftmp%2Ftest/credentials' | jq
    curl -s -u XXX:XXX 'http://localhost:8000/connectors/..%2F/config-map' | jq
    curl -s -u XXX:XXX 'http://localhost:8000/connectors/%2Ftmp%2Ftest/config-map' | jq
  
    {
      "detail": "Not Found"
    }
  

  • GET /accounts/..%2F/credentials and GET /accounts/%2Ftmp%2Ftest/credentials returned {"detail":"Not Found"}.
  • GET /connectors/..%2F/config-map and GET /connectors/%2Ftmp%2Ftest/config-map also returned {"detail":"Not Found"}.

---

Archived bots happy path: call /archived-bots to list databases, pick a real db_path from that response, then verify /status, /summary, /orders, /trades, and /controllers all still work with that valid path. ✅

• Deploy a bot, wait for filled orders then stop to archive
• GET /archived-bots/ returned a real archived bot database path.
• The listed db_path worked on /status, /summary, /orders, /trades, and /controllers.
• /status returned normal archived-bot metadata and table checks for the selected database.
• /summary returned expected aggregate data
• /orders returned records and /trades returned records with no pagination errors.
• /controllers returned controller record for the archived bot.

---

Portfolio routes: test /portfolio/state, /portfolio/history, and /portfolio/distribution for one account and for multiple accounts. Also verify cursor pagination and connector filters, since both the service split and history query

changes affect these routes. ✅

• Portfolio state and distribution for one account, ok
• Portfolio history cursor pagination, ok
• All-accounts route path with current environment, ok
• Portfolio history connector filtering ❌
  • This is observed on main branch so separate ticket created Portfolio history - connector filter is accepted but ignored in returned snapshots #180

---

Executors and trading flow: create an executor, confirm it appears in search, then stop it. If possible, also let one executor finish naturally. After that, verify it is persisted only once, active-order reconciliation still works ✅

• Executor search and stop flow, ok
• Active order clean up after executor stop, ok
• The exchange_order_id preserved in historical orders after stop, ok

---

Market data candles: test /market-data/candles and /market-data/historical-candles with valid inputs and with bad connector or trading-pair values, so we cover both validation errors and timeout-related behavior. ✅

• /market-data/candles returned real-time candle rows for a valid connector and trading pair
• /market-data/historical-candles returned historical candle rows for the same valid Binance market and time window
• Both candle routes returned clear API errors for an unsupported connector
• Both candle routes returned a fast invalid-symbol error for a bad trading pair instead of hanging
• No timeout behavior was observed in these invalid-input checks

---

Bot lifecycle: test bot start and stop routes, especially the ones that depend on BotsOrchestrator. Also verify shutdown is clean and no MQTT-related tasks are left hanging, because that part changed significantly. ✅

• Deployed a real pmm3-test01 bot, ok
• Verified it showed as running, then called stop-and-archive-bot
• Rechecked /bot-orchestration/status, /bot-orchestration/mqtt, and /archived-bots/ after allowing time for the background cleanup to finish, all ok

[rapcmia]

Commit ce8e1ea

• The latest commit now fix the connector_names on /portfolio/history and returns only the requested connector data
• This issue is now fixed on this commit Portfolio history - connector filter is accepted but ignored in returned snapshots #180

curl -s -u XXX:XXX -X POST http://localhost:8000/portfolio/history -H "Content-Type: application/json" -d '
  {
    "account_names": ["master_account"],
    "connector_names": ["gate_io"],
    "limit": 1,
    "interval": "5m"
  }' | jq

...trimmed
{
    "data": [
      {
        "timestamp": "2026-06-19T13:44:00+00:00",
        "state": {
          "master_account": {
            "gate_io": [
              { "token": "BTC" },
              { "token": "SOL" },
              { "token": "NOT" },
              { "token": "HYPE" },
              { "token": "GRAM" },
              { "token": "XRP" },
              { "token": "ETH" },
              { "token": "USDT" },
              { "token": "POLIS" },
              { "token": "TLOS" },
              { "token": "GT" }
            ]
          }
        }
      }
    ],
...trimmed