feat: platform upgrade — 10 optimization directions

.env.example

@@ -27,3 +27,9 @@ ALPACA_DATA_FEED=iex
 # file | db
 QUANTPILOT_CONTROL_PLANE_ADAPTER=file
 QUANTPILOT_CONTROL_PLANE_NAMESPACE=control-plane
+
+# Auth (JWT + Broker Key Encryption)
+JWT_SECRET=your-secret-key-at-least-32-chars
+BROKER_KEY_ENCRYPTION_KEY=0000000000000000000000000000000000000000000000000000000000000000
+DEMO_USERNAME=admin
+DEMO_PASSWORD=changeme

.gitignore

@@ -35,3 +35,4 @@ npm-debug.log*
 
 # Testing
 coverage/
+.quantpilot/

apps/api/package.json

@@ -4,5 +4,10 @@
   "type": "module",
   "scripts": {
     "dev": "node src/main.mjs"
+  },
+  "dependencies": {
+    "@hono/node-server": "^1.19.14",
+    "hono": "^4.12.12",
+    "jose": "^6.2.2"
   }
 }

apps/api/src/app/hono-app.ts

@@ -0,0 +1,30 @@
+// @ts-nocheck
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import { logger } from 'hono/logger';
+import { timing } from 'hono/timing';
+
+export function createHonoApp() {
+  const app = new Hono();
+
+  app.use(
+    '*',
+    cors({
+      origin: '*',
+      allowMethods: ['GET', 'POST', 'DELETE'],
+      allowHeaders: ['Content-Type', 'Authorization'],
+    })
+  );
+
+  app.use('*', logger());
+  app.use('*', timing());
+
+  app.onError((err, c) => {
+    console.error('[hono-gateway]', err.message);
+    return c.json({ ok: false, message: err.message }, 500);
+  });
+
+  app.notFound((c) => c.json({ ok: false, message: 'Not found' }, 404));
+
+  return app;
+}

apps/api/src/app/routes/hono/execution-hono-router.ts

@@ -0,0 +1,165 @@
+// @ts-nocheck
+import { Hono } from 'hono';
+import {
+  approveExecutionPlan,
+  bulkOperateExecutionPlans,
+  cancelExecutionPlan,
+  compensateExecutionPlan,
+  ingestBrokerExecutionEvent,
+  reconcileExecutionPlan,
+  recoverExecutionPlan,
+  settleExecutionPlan,
+  syncExecutionPlan,
+} from '../../../domains/execution/services/lifecycle-service.js';
+import {
+  getExecutionPlanDetail,
+  getExecutionWorkbench,
+  getLatestBrokerAccountSnapshot,
+  listBrokerAccountSnapshots,
+  listBrokerExecutionEvents,
+  listExecutionLedger,
+  listExecutionPlans,
+  listExecutionRuntimeEvents,
+} from '../../../domains/execution/services/query-service.js';
+import { hasPermission, writeForbiddenJson } from '../../../modules/auth/service.js';
+
+function requireApproval(c, action = '') {
+  if (!hasPermission('execution:approve')) {
+    return c.json(
+      { ok: false, message: `Permission 'execution:approve' required to ${action}` },
+      403
+    );
+  }
+  return null;
+}
+
+export function createExecutionHonoRouter() {
+  const router = new Hono();
+
+  router.get('/plans', (c) => {
+    return c.json({ ok: true, plans: listExecutionPlans() });
+  });
+
+  router.get('/workbench', (c) => {
+    return c.json(getExecutionWorkbench());
+  });
+
+  router.post('/plans/bulk', async (c) => {
+    const denied = requireApproval(c, 'run bulk execution actions');
+    if (denied) return denied;
+    const body = await c.req.json();
+    const result = bulkOperateExecutionPlans(body);
+    return c.json(result, result.ok ? 200 : 400);
+  });
+
+  router.get('/plans/:planId', (c) => {
+    const planId = c.req.param('planId');
+    const detail = getExecutionPlanDetail(planId);
+    return detail
+      ? c.json({ ok: true, ...detail })
+      : c.json({ ok: false, message: 'execution plan not found' }, 404);
+  });
+
+  router.get('/runtime', (c) => {
+    return c.json({ ok: true, events: listExecutionRuntimeEvents() });
+  });
+
+  router.get('/account-snapshots', (c) => {
+    return c.json({ ok: true, snapshots: listBrokerAccountSnapshots() });
+  });
+
+  router.get('/account-snapshots/latest', (c) => {
+    return c.json({ ok: true, snapshot: getLatestBrokerAccountSnapshot() });
+  });
+
+  router.get('/broker-events', (c) => {
+    const q = c.req.query;
+    return c.json({
+      ok: true,
+      events: listBrokerExecutionEvents(Number(q('limit') || 40), {
+        executionPlanId: q('executionPlanId') || '',
+        executionRunId: q('executionRunId') || '',
+        symbol: q('symbol') || '',
+        eventType: q('eventType') || '',
+      }),
+    });
+  });
+
+  router.get('/ledger', (c) => {
+    return c.json({ ok: true, entries: listExecutionLedger() });
+  });
+
+  router.post('/plans/:planId/approve', async (c) => {
+    const denied = requireApproval(c, 'approve execution plans');
+    if (denied) return denied;
+    const planId = c.req.param('planId');
+    const body = await c.req.json();
+    const result = approveExecutionPlan(planId, body);
+    return c.json(result, result.ok ? 200 : 409);
+  });
+
+  router.post('/plans/:planId/settle', async (c) => {
+    const denied = requireApproval(c, 'settle execution plans');
+    if (denied) return denied;
+    const planId = c.req.param('planId');
+    const body = await c.req.json();
+    const result = settleExecutionPlan(planId, body);
+    return c.json(result, result.ok ? 200 : 409);
+  });
+
+  router.post('/plans/:planId/sync', async (c) => {
+    const denied = requireApproval(c, 'sync execution plans');
+    if (denied) return denied;
+    const planId = c.req.param('planId');
+    const body = await c.req.json();
+    const result = syncExecutionPlan(planId, body);
+    return c.json(result, result.ok ? 200 : 409);
+  });
+
+  router.post('/plans/:planId/broker-events', async (c) => {
+    const denied = requireApproval(c, 'ingest broker execution events');
+    if (denied) return denied;
+    const planId = c.req.param('planId');
+    const body = await c.req.json();
+    const result = ingestBrokerExecutionEvent(planId, body);
+    return c.json(result, result.ok ? 200 : 409);
+  });
+
+  router.post('/plans/:planId/cancel', async (c) => {
+    const denied = requireApproval(c, 'cancel execution plans');
+    if (denied) return denied;
+    const planId = c.req.param('planId');
+    const body = await c.req.json();
+    const result = cancelExecutionPlan(planId, body);
+    return c.json(result, result.ok ? 200 : 409);
+  });
+
+  router.post('/plans/:planId/reconcile', async (c) => {
+    const denied = requireApproval(c, 'reconcile execution plans');
+    if (denied) return denied;
+    const planId = c.req.param('planId');
+    const body = await c.req.json();
+    const result = reconcileExecutionPlan(planId, body);
+    return c.json(result, result.ok ? 200 : 409);
+  });
+
+  router.post('/plans/:planId/compensate', async (c) => {
+    const denied = requireApproval(c, 'run execution compensation automation');
+    if (denied) return denied;
+    const planId = c.req.param('planId');
+    const body = await c.req.json();
+    const result = compensateExecutionPlan(planId, body);
+    return c.json(result, result.ok ? 200 : 409);
+  });
+
+  router.post('/plans/:planId/recover', async (c) => {
+    const denied = requireApproval(c, 'recover execution plans');
+    if (denied) return denied;
+    const planId = c.req.param('planId');
+    const body = await c.req.json();
+    const result = recoverExecutionPlan(planId, body);
+    return c.json(result, result.ok ? 200 : 409);
+  });
+
+  return router;
+}

apps/api/src/app/routes/platform-routes.ts

@@ -5,13 +5,17 @@ import { handleAuthRoutes } from './routers/auth-router.js';
 import { handleBacktestRoutes } from './routers/backtest-router.js';
 import { handleExecutionRoutes } from './routers/execution-router.js';
 import { handleHealthRoutes } from './routers/health-router.js';
+import { handleMarketRoutes } from './routers/market-router.js';
 import { handleMonitoringRoutes } from './routers/monitoring-router.js';
 import { handleOperationsRoutes } from './routers/operations-router.js';
 import { handleResearchRoutes } from './routers/research-router.js';
+import { handleSseRoutes } from './routers/sse-router.js';
 import { handleStrategyRoutes } from './routers/strategy-router.js';
+import { handleTradingRoutes } from './routers/trading-router.js';
 import { handleUserAccountRoutes } from './routers/user-account-router.js';
 
 const routers = [
+  handleSseRoutes,
   handleHealthRoutes,
   handleMonitoringRoutes,
   handleOperationsRoutes,
@@ -22,6 +26,8 @@ const routers = [
   handleBacktestRoutes,
   handleResearchRoutes,
   handleExecutionRoutes,
+  handleTradingRoutes,
+  handleMarketRoutes,
 ];
 
 export async function handlePlatformRoutes(context) {

apps/api/src/app/routes/routers/auth-router.ts

@@ -1,9 +1,14 @@
 // @ts-nocheck
-
+import { createHash } from 'node:crypto';
+import { signToken } from '../../../modules/auth/jwt-service.js';
 import { listPermissionDescriptors } from '../../../modules/auth/permission-catalog.js';
 import { getSession } from '../../../modules/auth/service.js';
 
-export function handleAuthRoutes({ req, reqUrl, res, writeJson }) {
+function sha256hex(value) {
+  return createHash('sha256').update(value).digest('hex');
+}
+
+export async function handleAuthRoutes({ req, reqUrl, res, readJsonBody, writeJson }) {
   if (req.method === 'GET' && reqUrl.pathname === '/api/auth/session') {
     writeJson(res, 200, getSession());
     return true;
@@ -14,5 +19,36 @@ export function handleAuthRoutes({ req, reqUrl, res, writeJson }) {
     return true;
   }
 
+  if (req.method === 'POST' && reqUrl.pathname === '/api/auth/login') {
+    const body = await readJsonBody(req);
+    const { username, password } = body || {};
+
+    const expectedUsername = process.env.DEMO_USERNAME ?? 'admin';
+    const expectedPasswordHash = sha256hex(process.env.DEMO_PASSWORD ?? 'changeme');
+
+    if (
+      typeof username !== 'string' ||
+      typeof password !== 'string' ||
+      username !== expectedUsername ||
+      sha256hex(password) !== expectedPasswordHash
+    ) {
+      writeJson(res, 401, { ok: false, message: 'Invalid credentials' });
+      return true;
+    }
+
+    const permissions = [
+      'dashboard:read',
+      'strategy:write',
+      'risk:review',
+      'execution:approve',
+      'account:write',
+    ];
+    const expiresIn = '8h';
+    const token = await signToken({ userId: username, permissions }, expiresIn);
+    const expiresAt = new Date(Date.now() + 8 * 60 * 60 * 1000).toISOString();
+    writeJson(res, 200, { ok: true, token, expiresAt });
+    return true;
+  }
+
   return false;
 }