feat: platform overhaul — indigo design system, Command Palette, Approval Drawer, Toast

.env.example

@@ -33,3 +33,12 @@ JWT_SECRET=your-secret-key-at-least-32-chars
 BROKER_KEY_ENCRYPTION_KEY=0000000000000000000000000000000000000000000000000000000000000000
 DEMO_USERNAME=admin
 DEMO_PASSWORD=changeme
+
+# LLM Provider (claude | openai)
+QUANTPILOT_LLM_PROVIDER=claude
+QUANTPILOT_LLM_MODEL=
+ANTHROPIC_API_KEY=
+OPENAI_API_KEY=
+
+# Mock data (true = use synthetic data, false = use Alpaca)
+QUANTPILOT_USE_MOCK_DATA=false

apps/api/package.json

@@ -7,6 +7,7 @@
   },
   "dependencies": {
     "@hono/node-server": "^1.19.14",
+    "@quantpilot/llm-provider": "*",
     "hono": "^4.12.12",
     "jose": "^6.2.2"
   }

apps/api/src/app/routes/hono/execution-hono-router.ts

@@ -21,7 +21,7 @@ import {
   listExecutionPlans,
   listExecutionRuntimeEvents,
 } from '../../../domains/execution/services/query-service.js';
-import { hasPermission, writeForbiddenJson } from '../../../modules/auth/service.js';
+import { hasPermission } from '../../../modules/auth/service.js';
 
 function requireApproval(c, action = '') {
   if (!hasPermission('execution:approve')) {

apps/api/src/app/routes/routers/agent-router.ts

@@ -70,28 +70,31 @@ export async function handleAgentRoutes({ req, reqUrl, res, readJsonBody, writeJ
 
   if (req.method === 'POST' && reqUrl.pathname === '/api/agent/tools/execute') {
     const body = await readJsonBody(req);
-    const result = executeAgentTool(body);
+    const result = await executeAgentTool(body);
     writeJson(res, result.ok ? 200 : 403, result);
     return true;
   }
 
+  // LLM-powered intent parsing (now async)
   if (req.method === 'POST' && reqUrl.pathname === '/api/agent/intent') {
     const body = await readJsonBody(req);
-    const result = parseAgentIntent(body);
+    const result = await parseAgentIntent(body);
     writeJson(res, result.ok ? 200 : 400, result);
     return true;
   }
 
+  // LLM-powered plan creation (now async)
   if (req.method === 'POST' && reqUrl.pathname === '/api/agent/plans') {
     const body = await readJsonBody(req);
-    const result = createAgentPlan(body);
+    const result = await createAgentPlan(body);
     writeJson(res, result.ok ? 200 : 400, result);
     return true;
   }
 
+  // LLM-powered analysis with tool-use loop (now async)
   if (req.method === 'POST' && reqUrl.pathname === '/api/agent/analysis-runs') {
     const body = await readJsonBody(req);
-    const result = runAgentAnalysis(body);
+    const result = await runAgentAnalysis(body);
     writeJson(res, result.ok ? 200 : 400, result);
     return true;
   }

apps/api/src/app/routes/routers/risk-router.ts

@@ -1,6 +1,11 @@
 // @ts-nocheck
 
 import { getRiskEvent, listRiskEvents } from '../../../domains/risk/services/feed-service.js';
+import {
+  getRiskParameters,
+  resetRiskParameters,
+  updateRiskParameters,
+} from '../../../domains/risk/services/parameters-service.js';
 import { runRiskPolicyAction } from '../../../domains/risk/services/policy-action-service.js';
 import { getRiskWorkbench } from '../../../domains/risk/services/workbench-service.js';
 import { writeForbiddenJson } from '../../../modules/auth/permission-catalog.js';
@@ -10,6 +15,32 @@ export async function handleRiskRoutes({ req, reqUrl, res, readJsonBody, writeJs
   const writeForbidden = (permission, action = '') =>
     writeForbiddenJson(writeJson, res, permission, action);
 
+  if (req.method === 'GET' && reqUrl.pathname === '/api/risk/parameters') {
+    writeJson(res, 200, { ok: true, parameters: getRiskParameters() });
+    return true;
+  }
+
+  if (req.method === 'POST' && reqUrl.pathname === '/api/risk/parameters') {
+    if (!hasPermission('risk:review')) {
+      writeForbidden('risk:review', 'update risk parameters');
+      return true;
+    }
+    const body = await readJsonBody(req);
+    const updated = updateRiskParameters(body);
+    writeJson(res, 200, { ok: true, parameters: updated });
+    return true;
+  }
+
+  if (req.method === 'POST' && reqUrl.pathname === '/api/risk/parameters/reset') {
+    if (!hasPermission('risk:review')) {
+      writeForbidden('risk:review', 'reset risk parameters');
+      return true;
+    }
+    const reset = resetRiskParameters();
+    writeJson(res, 200, { ok: true, parameters: reset });
+    return true;
+  }
+
   if (req.method === 'GET' && reqUrl.pathname === '/api/risk/events') {
     writeJson(res, 200, { ok: true, events: listRiskEvents() });
     return true;

apps/api/src/app/routes/routers/trading-router.ts

@@ -3,7 +3,6 @@
 import { controlPlaneRuntime } from '../../../../../../packages/control-plane-runtime/src/index.js';
 import { assessExecutionCandidate } from '../../../domains/risk/services/assessment-service.js';
 import { getStrategyCatalogItem } from '../../../domains/strategy/services/catalog-service.js';
-import { buildStrategyExecutionCandidate } from '../../../domains/strategy/services/execution-candidate-service.js';
 import { writeForbiddenJson } from '../../../modules/auth/permission-catalog.js';
 import { hasPermission } from '../../../modules/auth/service.js';