Twelfth pass: _maybe_close asyncio.run silently skips close from async
context (O1), _pick_live_symbol missing await crashes on coroutine iteration
(O3), _run() pool .result() no timeout — backend hang freezes process (O5),
KernelSlotView.__getattr__ N FFI calls for N fields no caching (O8),
DITAv2LauncherBundle no __del__ leaks resource tree (O9), ExecutionKernel
no close() — __del__ only cleanup (O10), __setattr__ triggers 5 persistence
side effects undocumented (O11). 254 total flaws.
Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
Eleventh pass: Rust kernel with_handle_mut has zero synchronization —
&mut KernelCore from raw pointer with no Mutex, concurrent FFI calls cause
UB (N1 Critical), _run() has two completely different code paths depending
on event loop state (N2 Critical), path B blocks event loop thread for
every HTTP operation (N3 Critical), asyncio.run() called repeatedly creating
destroying event loops per call (N4 Critical), _snapshot_ready Event cascading
re-fetch — N callers produce N overlapping HTTP calls (N5 High). 243 total.
Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
Tenth pass: ENTER transition always says prev_state=IDLE (M1 Critical), CANCEL
creates no transition record (M2 Critical), ORDER_REJECT on POSITION_OPEN with
stale entry order destroys position (M9 Critical), _mk_intent test helper drops
order_type/limit_price into metadata not proper field (M3 High), four test/s that
claim to test cancel but never cancel (M4, M17), no metric aggregation for trade
count/latency/slippage (M10 High), no ClickHouse INSERT retry (M12 High),
_decision_to_kernel_intent drops order_type/limit_price making LIMIT orders
dead from the runtime (M18 High). 233 total flaws.
Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
ExchangeFeeConfig in AccountState:
taker_rate, maker_rate, lot_step, tick_size, funding_interval_secs
calibration_ratio: EMA of actual/expected, updated on every fill
Kernel now predicts fees at fill time (PREDICTED_FILL event):
k_capital updated immediately without waiting for WS FILL_SETTLED
When actual fee arrives, prediction is replaced and ratio recalibrated
Reconcile delta: 0.000000 (was ~0.9 USDT in canary without prediction)
Calibration loop on connect():
Fetches recent fill history, validates model vs exchange actuals
deviation < 1pct -> OK; < 5pct -> WARN; >= 5pct -> ERROR (pre-trade gate)
New FFI: dita_kernel_set_exchange_config_json, dita_kernel_calibrate_fee_json
New ExecutionKernel methods: set_exchange_config(), calibrate_fee()
pink_direct.py: loads BingX fee config on connect, calibrates before stream
131/131 offline pass.
Ninth pass: VenueEvent.price=0 causes 100% PnL loss (L3), available_margin
set to wrong field in user stream (L4), wallet_balance defaults to 0 (L5),
14+ bugs fixed between backup and current code (L12), real pipeline never
tested by any test function (L13), no proxy support (L9), 5-min DNS cache
(L10). Backup diff reveals the current Rust kernel has ~14 bugs fixed vs
the backup version. 16 new flaws, 215 total.
Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
Eighth pass: system emits zero stdout/stderr, no health check or metrics (K1/K2 Critical),
failed trades invisible if caller ignores return value (K3), exception tracebacks all
swallowed (K4), circular ref cycle delays Rust handle destruction (K6), MemoryKernelJournal
silent data loss after 10K transitions (K7), RealZincPlane._intent_cache unbounded (K8),
_backend_snapshot timeout uses wall clock (K9), sys.path mutation on import (K20),
load_dotenv at import time (K21), 23 new flaws. 199 total.
Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
- I1 (Critical/Rust): apply_fill accumulated partial fills instead of
overwriting. WS events carry lastFilledQty (incremental); previous code
set slot.size = fill_size each time. Now accumulates via prev_filled.
initial_size set from intended_size on first fill, not from fill amount.
- G2 (Critical/Rust): into_c_string unwrap() panicked on any NUL byte in
serialized JSON. Now sanitizes NUL bytes before CString construction;
never panics.
- G3 (Critical/Rust): EXIT intent transition hardcoded prev_state=
POSITION_OPEN. Captured actual fsm_state before mutation so audit trail
is accurate when EXIT is received from non-standard states.
- I13 (High/Rust): stray venue event could reactivate a closed slot.
Added explicit slot.closed guard in on_venue_event — returns
TERMINAL_STATE with accepted=false before any FSM mutation.
- I18 (High/Python): sys.path.insert(0, ...) in real_zinc_plane.py and
real_control_plane.py gave Zinc adapter directory highest import
priority. Changed to sys.path.append() so existing path entries take
precedence.
35/35 offline tests pass.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sixth pass: entry-fill accumulation bug (multiple partial fills overwrite
size), crash durability (slot state lost between step 2-5 of process_intent),
seen_event_ids lost on restart (double event processing), idempotency gap
(no newClientOrderId), no graceful degradation, no startup reconcile from
Zinc, Zinc SHM world-readable, KernelSlotView unrestricted write access,
sys.path injection at import time. 22 new flaws. Combined catalog now 160.
Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
Rewrite PINK_DITAv2_FLAW_ANALYSIS_2026-05-31.md as the central registry
with combined catalog (A+T+E+F+G = 116 flaws), severity distribution, and
cross-references to the TRACE doc for deep E, F, G detail. Add reciprocal
cross-reference in TRACE doc header.
Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
Third and deepest pass across all module boundaries, data transforms, and
error paths. 30 new flaws found (F1-F30), including the highest-risk single
flaw: an unprotected on_venue_event loop that leaves slots unrecoverable on
any exception.
Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
Third and deepest pass across all module boundaries, data transforms, and
error paths. 30 new flaws found (F1-F30), including the highest-risk single
flaw: an unprotected on_venue_event loop that leaves slots unrecoverable on
any exception.
Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
Root cause (harness multi_leg, ~14-TRX residual): pink_direct rebuilds the legacy
TradePosition from the kernel slot every step, but left exit_leg_index=0, so
IntentEngine.next_exit_ratio() consumed ratio[0] (0.5) on EVERY leg and never
advanced to the final leg's 1.0:
leg1: 0.5×53 ≈ 26 closed -> 27 remain
leg2: 0.5×27 ≈ 13 closed -> 14 RESIDUAL (kernel believes flat, exchange isn't)
Fix: propagate the kernel slot's authoritative active_leg_index into the rebuilt
legacy position's exit_leg_index, so the intent engine consumes the correct leg
ratio. The final leg now closes the full remaining -> fully flattens.
Verified: offline 18 green (no regression); live VST harness multi_leg now closes
fully (XPASS) — residual gone, all 6 capital invariants hold. xfail mark removed;
capital-accounting battery is now fully green (7/7) on testnet.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Automated, parametrized scenario battery driving the REAL PINK runtime
(policy->intent->PinkDirectRuntime->kernel->BingX VST->persistence) via crafted
snapshots, asserting 6 capital invariants per scenario: (1) per-fill Δcapital ==
realized; (2) end Δcapital == Σ per-fill realized (cumulative across cycles, since
slot.realized resets on ENTER); (3) exchange flat + no orders (signed); (4)
persistence parity (trade_events/account_events/trade_exit_legs vs kernel); (5)
notional ≤ capital×max_leverage; (6) guard correctness.
Controlled testnet: flat-start, single scenarios, reliable kernel close-all
pre-flatten (no cross-scenario cascade), ~$20 sizes, no autonomous loop, BLUE
untouched. Gated +PINK_CAPITAL_HARNESS.
Live VST result: 6 passed + 1 xfail.
- round_trip, sequential (multi-cycle continuity), exit_then_reentry, and 3 guard
paths (suppressed nonfinite-capital / sub-floor price, degenerate-snapshot HOLD)
all GREEN — capital accounting verified for the single-leg/sequential PINK paths.
- multi_leg XFAIL (documented): multi-leg partial reduce-only exits leave a lot-step
rounding residual on the venue (kernel believes flat, exchange has a remainder) —
a real capital/sizing-path finding for the rework, reliably reproduced.
This is the pre-cutover gate; the multi-leg residual + capital/sizing-path rework
are the next items before re-attempting the live cutover.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Located the source of the cutover non-finite: target_size = capital × fraction ×
leverage / price. notional (capital×fraction×leverage) is self-limiting (no division,
bounded by capital), so a non-finite size can only come from a corrupt raw input —
non-finite capital, or a price below the industry floor that overflows the division.
Guards in the PINK algo runner (pink_direct), per design review:
- _MIN_SANE_PRICE = 1e-8 industry-smallest-price floor.
- ENTER: _unsafe_entry_reason() rejects the OPEN (logs provenance, no trade) when
capital/leverage/size are non-finite/non-positive or price < floor. A corrupt sizing
input is an untrustworthy signal — don't open (nothing to strand).
- EXIT: _exit_intent_from_slot() sizes the close from the kernel's authoritative
slot.size (cap to remaining; full remaining if policy size malformed) — a bad-math
exit can never strand or overshoot a position. Falls back to policy size only when the
kernel reports no/unknown remaining size.
size semantics confirmed: base-asset QUANTITY; notional = size×price; margin = notional/
leverage ≈ 0.2×capital (already margin-bounded by construction — no extra clamp needed).
Tests: test_pink_sizing_guards.py (4) green; full offline suite 25 green (no regression).
Complements the kernel INVALID_INTENT guard (9168cf0): source refuses to produce bad
sizes; kernel rejects any that slip through.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The aborted hard cutover crash-looped with "Rust kernel returned null string" from
process_intent on the first live trading step. Root cause (reproduced): a non-finite
(inf/NaN) numeric field reaching the kernel — Python json.dumps emits the Infinity/NaN
token, serde_json rejects it at parse, and the FFI returned null. Magnitude is fine;
only finiteness was the problem.
Defense in depth, kernel catches it:
- Rust FFI (lib.rs): dita_kernel_process_intent_json / _on_venue_event_json now return
a clean INVALID_INTENT KernelResult on parse failure (incl. Infinity/NaN tokens) AND
on serialize failure (a non-finite produced internally) — never a null string.
- Python bridge (rust_backend.py): ExecutionKernel.process_intent validates intent
finiteness/bounds (target_size, reference_price, limit_price, leverage, exit_leg_ratios;
size>=0) BEFORE the FFI and rejects INVALID_INTENT, naming the offending field+value.
- contracts.py: add KernelDiagnosticCode.INVALID_INTENT.
- pink_direct.py: on INVALID_INTENT, log full upstream provenance (snapshot.price,
capital, leverage, sizes) so the numerical SOURCE can be located on the next live run.
- on_venue_event bridge tolerates the fallback's null slot (uses the live slot).
Verified: kernel recompiled; offline 65 + 7 new guard tests green (no regression);
direct-FFI inf payload -> INVALID_INTENT (no null crash). NOTE: this turns the cutover
crash into a clean rejection — the upstream source of the non-finite (the live run's
inf) still needs locating, now aided by the provenance log.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
L3 live validation surfaced a live-only defect: a working LIMIT order could not
be cancelled (MARKET never exercised cancel — synchronous fills).
Two coupled fixes:
- Rust FSM (lib.rs): propagate the venue's order id onto the active order for
ALL order types and event kinds (ACK/partial/full fill) whenever the exchange
provides one — orders are created at submit with an empty venue_order_id, so a
later cancel had no real id to reference. Only fills empty ids, never overwrites.
Requires recompiling libdita_v2_kernel.so.
- Backend (bingx_direct.py): add cancel(order) — a properly-signed DELETE by
orderId (clientOrderId fallback) with TRUTH-BASED confirmation: BingX can return
transient errors ("order not exist", dup-within-1s from an internal retry) even
when the order was removed, so the cancel succeeds iff the order is no longer
open on the venue. The venue adapter prefers this backend cancel over its raw
signed_delete fallback (which failed signature with an empty id).
Validated:
- Offline: 63 + new cancel-truth unit tests green (no regression post-recompile).
- Live VST: resting SHORT LIMIT (+5%) rests as ENTRY_WORKING, confirmed as a LIMIT
open order, cancel -> CANCEL_ACK -> IDLE, exchange flat (test_pink_limit_live.py).
- Live VST MARKET run-through re-validated post-recompile: PASS, exact capital
reconciliation, two-phase rows visible (ORDER_REQUESTED + ENTRY_FILLED/EXIT).
LIMIT remains execution-infra only; PINK policy stays MARKET. BLUE untouched.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Drives the FULL PINK stack against BingX VST (not kernel-direct):
DecisionEngine -> IntentEngine -> PinkDirectRuntime -> kernel -> BingX venue
-> AccountProjection -> PinkClickHousePersistence (captured).
Forces a real SHORT enter (STRUCTURAL_DISLOCATION) + fixed-TP exit and asserts:
the policy layer ran, all dolphin_pink row families were written (incl. terminal
trade_events + trade_exit_legs), exact capital reconciliation, exchange flat.
Verified live: 1 passed, terminal rows captured (on_venue_event settles inline
within process_intent for MARKET orders). Gated by +PINK_RUNTHROUGH.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sprint 2 (accounting + observability parity, PINK scope):
- Verified pink_clickhouse.py writes the 8 BLUE-legacy row families at
matching schema and that capital authority in pink_direct.step() is
solely kernel.account (no balance-poll overwrite in the hot loop).
- Report: prod/clean_arch/dita_v2/SPRINT2_ACCOUNTING_PARITY.md.
Sprint 3 offline groundwork (no exchange contact):
- Add _write_trade_exit_leg to pink_clickhouse.py: one BLUE-schema-faithful
trade_exit_legs row per exit leg, with isolated (non-cumulative) per-leg
deltas tracked via _leg_state (reset on ENTER). Closes the docstring gap.
- New offline suite test_pink_multi_exit_groundwork.py (3 passed):
* Flaw 4 — two-leg exit closes once, realized accrues per leg, closed
slot rejects further EXIT (no double-close).
* Overshoot invariant — a final EXIT requesting more than the remaining
size CLAMPS (size to 0, no oversell), retiring the Sprint 0 cumulative-
ratio risk empirically.
* trade_exit_legs delta + full BLUE column-set assertions.
- Persistence regression after edits: 10 passed.
BLUE untouched: no changes to dolphin.* / DOLPHIN_*_BLUE / nautilus_event_trader.py.
Live VST multi-leg run remains deferred pending explicit authorization.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
First commit of the previously-untracked PINK-on-DITAv2 migration system
(execution moves to the Rust kernel; policy stays on legacy DITA, so Alpha
Engine algorithmic integrity is preserved). BLUE is untouched.
Sprint 0 (safety snapshot + flaw-fix verification, MARKET single-leg scope):
- Verified Rust FSM fixes (flaws 2,4,10,11,13) by source read of lib.rs.
- Hardened 5 vacuous/guarded assertions in test_flaws.py so each flaw test
genuinely exercises its fix. Most important: Flaw 5 now asserts capital
moves by EXACTLY realized PnL (was entering/exiting at the same price).
- Offline suites: 533 passed, 0 failed (35 flaws + 402 kernel/accounting/
bridge + 96 runtime/persistence/multi-exit/restart/seams).
- GATE PASS: MARKET-path-critical flaws 1,2,5 confirmed fixed + green.
- Added SPRINT0_FLAW_VERIFICATION.md report and _rust_kernel/.gitignore
(excludes Rust target/ build artifacts).
LIMIT/partial-fill remain explicitly out of scope (MARKET-only bring-up).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
