improve signed reads, crypto hardening, and scraper transport

This commit is contained in:
k
2026-06-14 21:43:43 +08:00
parent 54884f3e24
commit 78fb63be8e
27 changed files with 1326 additions and 202 deletions
+5 -5
View File
@@ -8,7 +8,8 @@ from sqlalchemy.ext.asyncio import AsyncSession
from app.database import get_db
from app.models import BotTrade
from app.schemas import BotPerformance
from app.services.signed_request import verify_signed_request_any
from app.services.signed_request import (
SignedReadCreds, signed_read_creds, verify_signed_request_any)
router = APIRouter()
logger = logging.getLogger(__name__)
@@ -21,8 +22,7 @@ ACTION_VIEW_USER = "view_user"
@router.get("/performance", response_model=BotPerformance)
async def get_performance(
wallet: str = Query(..., description="Wallet address (lower-cased internally)"),
ts: int = Query(..., description="Signed timestamp (ms)"),
sig: str = Query(..., description="EIP-191 signature"),
creds: SignedReadCreds = Depends(signed_read_creds),
include_paper: bool = Query(
False,
description="Include paper (simulated) trades. Default false — this "
@@ -35,8 +35,8 @@ async def get_performance(
verify_signed_request_any(
actions=[ACTION_VIEW_PERFORMANCE, ACTION_VIEW_USER],
wallet=wallet,
timestamp_ms=ts,
signature=sig,
timestamp_ms=creds.ts,
signature=creds.sig,
body=None,
allow_replay=True,
)
+12 -13
View File
@@ -35,7 +35,9 @@ from app.database import get_db
from app.models import BotTrade, Subscription, iso_utc
from app.services.crypto import decrypt_api_key
from app.services.price_store import price_store
from app.services.signed_request import verify_signed_request, verify_signed_request_any
from app.services.signed_request import (
SignedReadCreds, signed_read_creds,
verify_signed_request, verify_signed_request_any)
router = APIRouter()
logger = logging.getLogger(__name__)
@@ -144,8 +146,7 @@ def _enrich(trade: BotTrade) -> OpenPosition:
@router.get("/positions/open", response_model=OpenPositionsResponse)
async def get_open_positions(
wallet: str = Query(..., description="Wallet address (lower-cased internally)"),
ts: int = Query(..., description="Signed timestamp (ms)"),
sig: str = Query(..., description="EIP-191 signature"),
creds: SignedReadCreds = Depends(signed_read_creds),
db: AsyncSession = Depends(get_db),
):
"""Live open positions for the wallet, with mark-to-market PnL."""
@@ -153,8 +154,8 @@ async def get_open_positions(
verify_signed_request_any(
actions=[ACTION_VIEW_POSITIONS, ACTION_VIEW_USER],
wallet=wallet,
timestamp_ms=ts,
signature=sig,
timestamp_ms=creds.ts,
signature=creds.sig,
body=None,
allow_replay=True,
)
@@ -177,8 +178,7 @@ async def get_open_positions(
@router.get("/positions/today", response_model=TodayStatsResponse)
async def get_today_stats(
wallet: str = Query(...),
ts: int = Query(..., description="Signed timestamp (ms)"),
sig: str = Query(..., description="EIP-191 signature"),
creds: SignedReadCreds = Depends(signed_read_creds),
db: AsyncSession = Depends(get_db),
):
"""Today's realized P&L (since UTC midnight) + open count.
@@ -190,8 +190,8 @@ async def get_today_stats(
verify_signed_request_any(
actions=[ACTION_VIEW_POSITIONS, ACTION_VIEW_USER],
wallet=wallet,
timestamp_ms=ts,
signature=sig,
timestamp_ms=creds.ts,
signature=creds.sig,
body=None,
allow_replay=True,
)
@@ -453,8 +453,7 @@ class HLPositionsResponse(BaseModel):
@router.get("/positions/hl/{wallet}", response_model=HLPositionsResponse)
async def list_hl_positions_endpoint(
wallet: str,
ts: int = Query(..., description="Signed timestamp (ms)"),
sig: str = Query(..., description="EIP-191 signature"),
creds: SignedReadCreds = Depends(signed_read_creds),
):
"""Read the wallet's CURRENT Hyperliquid open positions, annotated with
'already adopted' flag. Used by the Adopt picker on the frontend.
@@ -469,8 +468,8 @@ async def list_hl_positions_endpoint(
verify_signed_request_any(
actions=[ACTION_VIEW_POSITIONS, ACTION_VIEW_USER],
wallet=wallet,
timestamp_ms=ts,
signature=sig,
timestamp_ms=creds.ts,
signature=creds.sig,
body=None,
allow_replay=True,
)
+3 -4
View File
@@ -1,7 +1,6 @@
import logging
from typing import List
import httpx
from fastapi import APIRouter, HTTPException, Query, Request
from fastapi.responses import Response
@@ -33,9 +32,9 @@ async def fetch_binance_candles(asset: str, tf: str, limit: int) -> List[Candle]
symbol = SYMBOL_MAP[asset]
interval = BINANCE_INTERVAL[tf]
url = f"{settings.binance_rest_url}/api/v3/klines?symbol={symbol}&interval={interval}&limit={limit}"
async with httpx.AsyncClient(timeout=15) as client:
resp = await client.get(url)
resp.raise_for_status()
from app.services.http_client import get_client
resp = await get_client().get(url, timeout=15)
resp.raise_for_status()
rows = resp.json()
return [
Candle(
+6 -6
View File
@@ -25,7 +25,8 @@ from sqlalchemy.ext.asyncio import AsyncSession
from app.config import settings
from app.database import get_db
from app.models import TelegramBinding, Subscription
from app.services.signed_request import verify_signed_request
from app.services.signed_request import (
SignedReadCreds, optional_signed_read_creds, verify_signed_request)
from app.services.telegram import send_test_message
from app.services.telegram_bot import issue_binding_code, unbind_wallet
@@ -144,8 +145,7 @@ async def _build_status(
@router.get("/{wallet}/status", response_model=StatusResponse)
async def status(
wallet: str,
timestamp: Optional[int] = None,
signature: Optional[str] = None,
creds: Optional[SignedReadCreds] = Depends(optional_signed_read_creds),
db: AsyncSession = Depends(get_db),
) -> StatusResponse:
"""Wallet Telegram status.
@@ -162,14 +162,14 @@ async def status(
# Accepting view_user avoids requiring a separate wallet signature just to
# see Telegram status — the frontend reuses its cached view_user envelope.
authenticated = False
if timestamp is not None and signature:
if creds is not None:
for _action in ("view_telegram_status", "view_user"):
try:
verify_signed_request(
action=_action,
wallet=wallet,
timestamp_ms=timestamp,
signature=signature,
timestamp_ms=creds.ts,
signature=creds.sig,
body=None,
allow_replay=True,
)
+5 -5
View File
@@ -9,7 +9,8 @@ from sqlalchemy.ext.asyncio import AsyncSession
from app.database import get_db
from app.models import BotTrade, iso_utc
from app.schemas import BotTrade as BotTradeSchema
from app.services.signed_request import verify_signed_request_any
from app.services.signed_request import (
SignedReadCreds, signed_read_creds, verify_signed_request_any)
router = APIRouter()
logger = logging.getLogger(__name__)
@@ -55,8 +56,7 @@ def _trade_to_schema(trade: BotTrade) -> BotTradeSchema:
@router.get("/trades", response_model=List[BotTradeSchema])
async def get_trades(
wallet: str = Query(..., description="Wallet address (lower-cased internally)"),
ts: int = Query(..., description="Signed timestamp (ms)"),
sig: str = Query(..., description="EIP-191 signature"),
creds: SignedReadCreds = Depends(signed_read_creds),
limit: int = Query(default=20, ge=1, le=500), # raised from 100: Analytics needs 500 for full history
page: int = Query(default=1, ge=1),
db: AsyncSession = Depends(get_db),
@@ -65,8 +65,8 @@ async def get_trades(
verify_signed_request_any(
actions=[ACTION_VIEW_TRADES, ACTION_VIEW_USER],
wallet=wallet,
timestamp_ms=ts,
signature=sig,
timestamp_ms=creds.ts,
signature=creds.sig,
body=None,
allow_replay=True,
)
+5 -5
View File
@@ -16,7 +16,8 @@ from app.schemas import (
)
from app.services.crypto import encrypt_api_key
from app.services.hyperliquid import HyperliquidTrader
from app.services.signed_request import verify_signed_request
from app.services.signed_request import (
SignedReadCreds, signed_read_creds, verify_signed_request)
router = APIRouter()
logger = logging.getLogger(__name__)
@@ -132,8 +133,7 @@ async def get_user_public(wallet: str, db: AsyncSession = Depends(get_db)):
@router.get("/user/{wallet}", response_model=UserResponse)
async def get_user(
wallet: str,
ts: int = Query(..., description="Signed timestamp (ms)"),
sig: str = Query(..., description="EIP-191 signature"),
creds: SignedReadCreds = Depends(signed_read_creds),
db: AsyncSession = Depends(get_db),
):
wallet = wallet.lower().strip()
@@ -143,8 +143,8 @@ async def get_user(
verify_signed_request(
action=ACTION_VIEW_USER,
wallet=wallet,
timestamp_ms=ts,
signature=sig,
timestamp_ms=creds.ts,
signature=creds.sig,
body=None,
allow_replay=True, # idempotent GET — allow sessionStorage caching for UX
)
+8 -11
View File
@@ -139,17 +139,12 @@ async def lifespan(app: FastAPI):
# 3. Start Truth Social poller via APScheduler
_scheduler = AsyncIOScheduler()
# Signal monitor polls every 5 minutes
from app.services.funding_signal import poll_funding_signal
_scheduler.add_job(
poll_funding_signal,
"interval",
minutes=5,
id="funding_signal_poll",
max_instances=1,
coalesce=True,
)
logger.info("Breakout signal monitor scheduled every 5 minutes.")
# Breakout signal monitor (poll_funding_signal, ETH/LINK 5m) UNSCHEDULED
# 2026-06-12: the feature has been disabled for months (_enabled=False,
# operator-only toggle) and the frontend panel that displayed it was
# removed — the 5-min Binance kline poll was pure waste. The /signal/*
# API routes still work; to revive, re-add the add_job() here AND remount
# SignalMonitor in the frontend's MacroVibesPageClient.
_scheduler.add_job(
poll_truth_social,
@@ -347,6 +342,8 @@ async def lifespan(app: FastAPI):
await _telegram_task
except asyncio.CancelledError:
pass
from app.services.http_client import aclose as http_client_aclose
await http_client_aclose()
await engine.dispose()
logger.info("Shutdown complete.")
+44 -37
View File
@@ -24,10 +24,12 @@ from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
import httpx
from app.scrapers.truth_social import _process_entry, _post_to_ws_payload
from app.ws.manager import manager
from app.scrapers.truth_social import (
NOT_MODIFIED,
_known_external_ids,
_process_entry,
dispatch_post,
)
logger = logging.getLogger(__name__)
@@ -41,17 +43,32 @@ NS = {
last_successful_poll_at: Optional[datetime] = None
last_poll_error: Optional[str] = None
# Conditional-GET validators (same scheme as truth_social.py — most polls
# come back 304 and skip the download + XML parse entirely).
_etag: Optional[str] = None
_last_modified: Optional[str] = None
async def _fetch_feed() -> Optional[str]:
async def _fetch_feed():
"""Fetch the RSS body. Returns str, NOT_MODIFIED (304), or None on error."""
global _etag, _last_modified
headers = {
"User-Agent": "Mozilla/5.0 (compatible; TrumpSignal/1.0)",
"Accept": "application/rss+xml, application/xml",
}
if _etag:
headers["If-None-Match"] = _etag
if _last_modified:
headers["If-Modified-Since"] = _last_modified
try:
async with httpx.AsyncClient(timeout=20, follow_redirects=True) as client:
resp = await client.get(FEED_URL, headers=headers)
resp.raise_for_status()
return resp.text
from app.services.http_client import get_client
resp = await get_client().get(FEED_URL, headers=headers, timeout=20)
if resp.status_code == 304:
return NOT_MODIFIED
resp.raise_for_status()
_etag = resp.headers.get("etag")
_last_modified = resp.headers.get("last-modified")
return resp.text
except Exception as exc:
# Include type name — httpx often raises bare ConnectError/RemoteProtocolError
# with empty .args, which formats as just "Failed to fetch ..." with no body.
@@ -105,6 +122,11 @@ async def poll_trumpstruth(db_session_factory) -> None:
global last_successful_poll_at, last_poll_error
raw = await _fetch_feed()
if raw is NOT_MODIFIED:
# Feed unchanged — successful cycle, nothing to do.
last_successful_poll_at = datetime.now(timezone.utc)
last_poll_error = None
return
if raw is None:
last_poll_error = "fetch_feed returned None"
return
@@ -128,41 +150,26 @@ async def poll_trumpstruth(db_session_factory) -> None:
async with db_session_factory() as db:
try:
new_posts = []
known_ids = await _known_external_ids(entries, db)
# Newest-first: commit + dispatch each new post immediately so an
# actionable post never queues behind older entries' AI analysis.
# dispatch_post is the shared fan-out (WS + Telegram + X + trade)
# from truth_social.py — delivery must not depend on which poller
# wins the race.
for entry in entries:
try:
post = await _process_entry(entry, db)
post = await _process_entry(entry, db, known_ids)
if post:
new_posts.append(post)
await db.commit()
logger.info("[trumpstruth] beat CNN — new post id=%d",
post.id)
await dispatch_post(post, db)
except Exception as exc:
logger.error("trumpstruth: error on entry %s: %s",
entry.get("id"), exc)
if new_posts:
await db.commit()
for post in new_posts:
await manager.broadcast(_post_to_ws_payload(post))
logger.info("[trumpstruth] beat CNN — new post id=%d: %s",
post.id, post.text[:60])
# Telegram fan-out — matches truth_social.py. Without this,
# whichever poller wins the race determines whether users
# get pushed — flaky 50% delivery.
try:
from app.services.telegram import notify_signal
notify_signal(post)
except Exception as exc:
logger.warning("Telegram notify failed for post %d: %s", post.id, exc)
try:
from app.services.x_poster import notify_x_signal
notify_x_signal(post)
except Exception as exc:
logger.warning("X notify failed for post %d: %s", post.id, exc)
try:
from app.services.bot_engine import process_post
await process_post(post, db)
except Exception as exc:
logger.error("process_post failed for post %d: %s",
post.id, exc)
# Capture any remaining writes (entry-filter stub rows).
await db.commit()
last_successful_poll_at = datetime.now(timezone.utc)
last_poll_error = None
except Exception as exc:
+92 -37
View File
@@ -11,7 +11,6 @@ import re
from datetime import datetime, timezone
from typing import Optional
import httpx
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession
@@ -29,6 +28,16 @@ ARCHIVE_URL = "https://ix.cnn.io/data/truth-social/truth_archive.json"
last_successful_poll_at: Optional[datetime] = None
last_poll_error: Optional[str] = None
# Conditional-GET validators from the last 200 response. The archive is 30k+
# posts (~MBs of JSON); CNN only regenerates it every ~5 min, so most polls
# can be answered with a 304 and skip download + parse entirely.
_etag: Optional[str] = None
_last_modified: Optional[str] = None
# Sentinel returned by _fetch_archive on HTTP 304 — distinct from None
# (fetch failure) so the poller can count it as a successful, no-work cycle.
NOT_MODIFIED = object()
def _strip_html(text: str) -> str:
text = re.sub(r"<[^>]+>", " ", text)
@@ -52,16 +61,29 @@ def _parse_dt(iso: str) -> datetime:
return datetime.now(timezone.utc).replace(tzinfo=None)
async def _fetch_archive() -> Optional[list]:
async def _fetch_archive(conditional: bool = True):
"""Fetch the archive JSON. Returns a list, NOT_MODIFIED (304), or None
on error. `conditional=False` (backfill) always downloads the full body
so a poller-set ETag can't starve the startup backfill."""
global _etag, _last_modified
headers = {
"User-Agent": "Mozilla/5.0 (compatible; TrumpSignal/1.0)",
"Accept": "application/json",
}
if conditional:
if _etag:
headers["If-None-Match"] = _etag
if _last_modified:
headers["If-Modified-Since"] = _last_modified
try:
async with httpx.AsyncClient(timeout=30, follow_redirects=True) as client:
resp = await client.get(ARCHIVE_URL, headers=headers)
resp.raise_for_status()
return resp.json()
from app.services.http_client import get_client
resp = await get_client().get(ARCHIVE_URL, headers=headers, timeout=30)
if conditional and resp.status_code == 304:
return NOT_MODIFIED
resp.raise_for_status()
_etag = resp.headers.get("etag")
_last_modified = resp.headers.get("last-modified")
return resp.json()
except Exception as exc:
# Include type name — httpx often raises bare ConnectError/TimeoutException
# with empty .args, which used to log as just "Failed to fetch CNN archive:"
@@ -71,9 +93,27 @@ async def _fetch_archive() -> Optional[list]:
return None
async def _process_entry(entry: dict, db: AsyncSession) -> Optional[Post]:
async def _known_external_ids(entries: list, db: AsyncSession) -> set:
"""One batch query for the dedup pass. On a typical poll all ~50 entries
already exist, so this replaces 50 per-entry SELECTs with 1."""
ids = [hashlib.md5(str(e["id"]).encode()).hexdigest() for e in entries]
if not ids:
return set()
rows = await db.execute(
select(Post.external_id).where(Post.external_id.in_(ids)))
return {r[0] for r in rows}
async def _process_entry(entry: dict, db: AsyncSession,
known_ids: Optional[set] = None) -> Optional[Post]:
external_id = hashlib.md5(str(entry["id"]).encode()).hexdigest()
# Fast path: pre-fetched batch dedup set. New (unseen) ids still get the
# confirming SELECT below — protects against a concurrent insert by the
# other poller between the batch query and this entry.
if known_ids is not None and external_id in known_ids:
return None
result = await db.execute(select(Post).where(Post.external_id == external_id))
if result.scalar_one_or_none():
return None
@@ -198,10 +238,40 @@ def _post_to_ws_payload(post: Post) -> dict:
}
async def dispatch_post(post: Post, db: AsyncSession) -> None:
"""Broadcast + fan-out + trade for one freshly committed post. Shared by
both pollers so delivery doesn't depend on which source wins the race."""
await manager.broadcast(_post_to_ws_payload(post))
logger.info("Saved new post id=%d: %s", post.id, post.text[:60])
# Telegram fan-out (fire-and-forget). _dispatch filters internally:
# buy/short → per-subscriber + public channel; relevant-but-hold →
# public channel only; noise → dropped.
try:
from app.services.telegram import notify_signal
notify_signal(post)
except Exception as exc:
logger.warning("Telegram notify failed for post %d: %s", post.id, exc)
try:
from app.services.x_poster import notify_x_signal
notify_x_signal(post)
except Exception as exc:
logger.warning("X notify failed for post %d: %s", post.id, exc)
try:
from app.services.bot_engine import process_post
await process_post(post, db)
except Exception as exc:
logger.error("process_post failed for post %d: %s", post.id, exc)
async def poll_truth_social(db_session_factory) -> None:
global last_successful_poll_at, last_poll_error
logger.info("Polling CNN Truth Social archive...")
entries = await _fetch_archive()
if entries is NOT_MODIFIED:
# Archive unchanged since last poll — successful cycle, nothing to do.
last_successful_poll_at = datetime.now(timezone.utc)
last_poll_error = None
return
if not entries:
last_poll_error = "fetch_archive returned empty"
return
@@ -212,39 +282,24 @@ async def poll_truth_social(db_session_factory) -> None:
async with db_session_factory() as db:
try:
new_posts = []
known_ids = await _known_external_ids(recent, db)
found_new = False
# Entries are newest-first. Commit + dispatch each new post
# IMMEDIATELY rather than after the whole batch — an actionable
# post must not wait behind the AI analysis of older entries.
for entry in recent:
try:
post = await _process_entry(entry, db)
post = await _process_entry(entry, db, known_ids)
if post:
new_posts.append(post)
found_new = True
await db.commit()
await dispatch_post(post, db)
except Exception as exc:
logger.error("Error processing entry %s: %s", entry.get("id"), exc)
if new_posts:
await db.commit()
for post in new_posts:
await manager.broadcast(_post_to_ws_payload(post))
logger.info("Saved new post id=%d: %s", post.id, post.text[:60])
# Telegram fan-out (fire-and-forget). _dispatch filters
# internally: buy/short → per-subscriber + public channel;
# relevant-but-hold → public channel only; noise → dropped.
try:
from app.services.telegram import notify_signal
notify_signal(post)
except Exception as exc:
logger.warning("Telegram notify failed for post %d: %s", post.id, exc)
try:
from app.services.x_poster import notify_x_signal
notify_x_signal(post)
except Exception as exc:
logger.warning("X notify failed for post %d: %s", post.id, exc)
try:
from app.services.bot_engine import process_post
await process_post(post, db)
except Exception as exc:
logger.error("process_post failed for post %d: %s", post.id, exc)
else:
# Capture any remaining writes (entry-filter stub rows).
await db.commit()
if not found_new:
logger.info("No new posts found.")
# Mark a successful poll cycle (separate from "found new posts").
last_successful_poll_at = datetime.now(timezone.utc)
@@ -258,7 +313,7 @@ async def poll_truth_social(db_session_factory) -> None:
async def backfill_history(db_session_factory, limit: int = 500) -> None:
"""One-time backfill of historical posts (no Claude analysis, no price impact)."""
logger.info("Starting historical backfill (limit=%d)...", limit)
entries = await _fetch_archive()
entries = await _fetch_archive(conditional=False)
if not entries:
logger.error("Backfill failed: could not fetch archive")
return
@@ -268,10 +323,10 @@ async def backfill_history(db_session_factory, limit: int = 500) -> None:
async with db_session_factory() as db:
try:
known_ids = await _known_external_ids(to_process, db)
for entry in to_process:
external_id = hashlib.md5(str(entry["id"]).encode()).hexdigest()
result = await db.execute(select(Post).where(Post.external_id == external_id))
if result.scalar_one_or_none():
if external_id in known_ids:
continue
text = _strip_html(entry.get("content") or "").strip()
+10
View File
@@ -244,6 +244,16 @@ async def _adopt_locked(wallet_l: str, asset_u: str, mode_n: str) -> AdoptionRes
"no Hyperliquid position to manage. Turn off paper mode in "
"Settings to use /adopt.")
# Macro Vibes (System-2) must be ENABLED to hand a position to the bot.
# /adopt is the entry point to sys2 management, so honouring the
# macro_enabled switch here is what makes that toggle real — otherwise
# a user who turned Macro Vibes OFF could still /adopt and the bot would
# manage it, contradicting their setting.
if not getattr(sub, "macro_enabled", False):
raise AdoptionError("macro_disabled",
"Macro Vibes is turned off for this wallet. Enable Macro Vibes "
"in Settings before using /adopt.")
# System-2 circuit breaker. Same gate the auto-open path used to run:
# if recent losses tripped the sys2 breaker, block new adoptions for
# the lockout window. Otherwise the breaker would be useless under
+13 -14
View File
@@ -4,7 +4,6 @@ import logging
from datetime import datetime, timezone
from typing import Optional
import httpx
import websockets
from app.config import settings
@@ -127,19 +126,19 @@ async def fetch_historical(asset: str, symbol: str, interval: str = "1m", limit:
"""Fetch historical klines from Binance REST API to pre-fill price_store."""
url = f"{settings.binance_rest_url}/api/v3/klines?symbol={symbol.upper()}&interval={interval}&limit={limit}"
try:
async with httpx.AsyncClient(timeout=15) as client:
resp = await client.get(url)
resp.raise_for_status()
for row in resp.json():
candle = {
"time": row[0], # open time ms
"open": float(row[1]),
"high": float(row[2]),
"low": float(row[3]),
"close": float(row[4]),
"volume": float(row[5]),
}
price_store.update(asset, candle)
from app.services.http_client import get_client
resp = await get_client().get(url, timeout=15)
resp.raise_for_status()
for row in resp.json():
candle = {
"time": row[0], # open time ms
"open": float(row[1]),
"high": float(row[2]),
"low": float(row[3]),
"close": float(row[4]),
"volume": float(row[5]),
}
price_store.update(asset, candle)
logger.info("Loaded %d historical %s candles for %s", limit, interval, asset)
except Exception as exc:
logger.error("Failed to fetch historical data for %s: %s", asset, exc)
+107 -28
View File
@@ -1,62 +1,141 @@
"""
Envelope encryption for HL API private keys.
Plaintext keys never touch disk: stored values are Fernet-encrypted with a KEK
loaded from env (ENCRYPTION_KEY). Rotate KEK → re-encrypt all keys offline.
Plaintext keys never touch disk: stored values are Fernet-encrypted with a key
derived from the env KEK (ENCRYPTION_KEY).
Blob formats:
enc:v2:<salt_b64url>:<fernet_token> — current. Per-blob random 16-byte
salt; Fernet key = PBKDF2-HMAC-SHA256(KEK, salt, 600k iters). Derived
keys are cached per salt so steady-state decryption pays the KDF once.
enc:v1:<fernet_token> — legacy. Fernet key = single unsalted
SHA-256(KEK). Read-only: decrypt still works, encrypt always writes v2.
Upgrade rows with scripts/reencrypt_keys.py (H4 fix).
<plaintext> — pre-encryption rows. Refused in prod.
Rotate KEK → re-encrypt all keys offline (scripts/reencrypt_keys.py).
"""
import base64
import hashlib
import logging
from typing import Optional
import os
from typing import Dict, Optional
from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from app.config import settings
logger = logging.getLogger(__name__)
# OWASP-recommended floor for PBKDF2-HMAC-SHA256. The KEK is already a
# high-entropy secret, so the KDF mainly buys defence-in-depth against a
# weak / partially-leaked / reused KEK. ~0.2-0.4s, paid once per unique salt.
_PBKDF2_ITERATIONS = 600_000
_SALT_BYTES = 16
def _derive_fernet_key(raw: str) -> bytes:
"""Accept any reasonably-long secret and derive a valid 32-byte Fernet key."""
ENC_PREFIX_V1 = "enc:v1:"
ENC_PREFIX_V2 = "enc:v2:"
# Kept for older imports / scripts that reference the original name.
ENC_PREFIX = ENC_PREFIX_V1
def _check_kek(raw: str) -> str:
if not raw or len(raw) < 32:
raise RuntimeError(
"ENCRYPTION_KEY must be set to at least 32 random chars (e.g. `openssl rand -hex 32`)"
)
digest = hashlib.sha256(raw.encode("utf-8")).digest()
return raw
def _derive_v1_key(raw: str) -> bytes:
"""Legacy: single unsalted SHA-256 of the KEK."""
digest = hashlib.sha256(_check_kek(raw).encode("utf-8")).digest()
return base64.urlsafe_b64encode(digest)
_fernet: Optional[Fernet] = None
def _derive_v2_key(raw: str, salt: bytes) -> bytes:
kdf = PBKDF2HMAC(
algorithm=hashes.SHA256(),
length=32,
salt=salt,
iterations=_PBKDF2_ITERATIONS,
)
return base64.urlsafe_b64encode(kdf.derive(_check_kek(raw).encode("utf-8")))
def _cipher() -> Fernet:
global _fernet
if _fernet is None:
_fernet = Fernet(_derive_fernet_key(settings.encryption_key))
return _fernet
_fernet_v1: Optional[Fernet] = None
# salt → Fernet. One entry per unique salt actually seen: encryption reuses a
# single process-lifetime salt, decryption adds one per distinct stored blob.
_fernet_v2_cache: Dict[bytes, Fernet] = {}
_V2_CACHE_MAX = 4096
# Salt for NEW encryptions in this process — generated once so the encrypt
# path pays the 600k-iteration KDF a single time per process, while blobs
# written by other processes/runs still carry their own salt.
_encrypt_salt: Optional[bytes] = None
# Prefix lets us distinguish encrypted blobs from any legacy plaintext rows during migration
ENC_PREFIX = "enc:v1:"
def _cipher_v1() -> Fernet:
global _fernet_v1
if _fernet_v1 is None:
_fernet_v1 = Fernet(_derive_v1_key(settings.encryption_key))
return _fernet_v1
def _cipher_v2(salt: bytes) -> Fernet:
cached = _fernet_v2_cache.get(salt)
if cached is not None:
return cached
f = Fernet(_derive_v2_key(settings.encryption_key, salt))
if len(_fernet_v2_cache) >= _V2_CACHE_MAX:
_fernet_v2_cache.clear()
_fernet_v2_cache[salt] = f
return f
def encrypt_api_key(plaintext: str) -> str:
token = _cipher().encrypt(plaintext.encode("utf-8")).decode("utf-8")
return ENC_PREFIX + token
global _encrypt_salt
if _encrypt_salt is None:
_encrypt_salt = os.urandom(_SALT_BYTES)
salt_b64 = base64.urlsafe_b64encode(_encrypt_salt).decode("ascii")
token = _cipher_v2(_encrypt_salt).encrypt(plaintext.encode("utf-8")).decode("utf-8")
return f"{ENC_PREFIX_V2}{salt_b64}:{token}"
def decrypt_api_key(stored: str) -> str:
if not stored:
raise ValueError("Empty api key")
if not stored.startswith(ENC_PREFIX):
# Legacy plaintext row (from before encryption was added). Refuse to use in prod.
if settings.environment == "production":
raise RuntimeError(
"Found legacy-plaintext HL key; run migration script before production"
)
logger.warning("Reading LEGACY plaintext HL key — migrate ASAP")
return stored
try:
return _cipher().decrypt(stored[len(ENC_PREFIX):].encode("utf-8")).decode("utf-8")
except InvalidToken as exc:
raise RuntimeError("HL key decryption failed — wrong ENCRYPTION_KEY?") from exc
if stored.startswith(ENC_PREFIX_V2):
rest = stored[len(ENC_PREFIX_V2):]
try:
salt_b64, token = rest.split(":", 1)
salt = base64.urlsafe_b64decode(salt_b64.encode("ascii"))
except Exception as exc:
raise RuntimeError("Malformed enc:v2 blob") from exc
try:
return _cipher_v2(salt).decrypt(token.encode("utf-8")).decode("utf-8")
except InvalidToken as exc:
raise RuntimeError("HL key decryption failed — wrong ENCRYPTION_KEY?") from exc
if stored.startswith(ENC_PREFIX_V1):
try:
return _cipher_v1().decrypt(
stored[len(ENC_PREFIX_V1):].encode("utf-8")).decode("utf-8")
except InvalidToken as exc:
raise RuntimeError("HL key decryption failed — wrong ENCRYPTION_KEY?") from exc
# Legacy plaintext row (from before encryption was added). Refuse to use in prod.
if settings.environment == "production":
raise RuntimeError(
"Found legacy-plaintext HL key; run migration script before production"
)
logger.warning("Reading LEGACY plaintext HL key — migrate ASAP")
return stored
def is_current_format(stored: Optional[str]) -> bool:
"""True if the blob is already enc:v2 (used by scripts/reencrypt_keys.py)."""
return bool(stored) and stored.startswith(ENC_PREFIX_V2)
+4 -5
View File
@@ -31,7 +31,6 @@ import time
from datetime import datetime, timezone
from typing import Optional
import httpx
from app.services.price_store import price_store
from app.ws.manager import manager
@@ -96,10 +95,10 @@ async def _tick() -> None:
"""Single price fetch + dispatch cycle for all HL_PRICE_ASSETS."""
now_ms = int(time.time() * 1000)
async with httpx.AsyncClient(timeout=4.0) as c:
r = await c.post(HL_API_URL, json={"type": "allMids"})
r.raise_for_status()
mids: dict = r.json() # {"BTC": "74541.0", "HYPE": "13.5", …}
from app.services.http_client import get_client
r = await get_client().post(HL_API_URL, json={"type": "allMids"}, timeout=4.0)
r.raise_for_status()
mids: dict = r.json() # {"BTC": "74541.0", "HYPE": "13.5", …}
# Feed is alive the moment we successfully fetch mids, even if a specific
# asset is momentarily absent from the response.
+37
View File
@@ -0,0 +1,37 @@
"""Shared pooled httpx.AsyncClient.
Hot paths (scrapers, Telegram send/poll, price feeds, X poster) used to build
a fresh AsyncClient per request, paying a TCP+TLS handshake every time. This
module owns one process-wide client with keep-alive pooling; callers override
the timeout per request (`client.get(url, timeout=10)`).
Lifecycle: lazily created on first use; main.py's lifespan closes it on
shutdown. Low-frequency daily jobs (KOL/macro fetchers) may keep their own
ad-hoc clients — pooling only matters on the per-second paths.
"""
import logging
from typing import Optional
import httpx
logger = logging.getLogger(__name__)
_client: Optional[httpx.AsyncClient] = None
def get_client() -> httpx.AsyncClient:
global _client
if _client is None or _client.is_closed:
_client = httpx.AsyncClient(
timeout=httpx.Timeout(20.0),
follow_redirects=True,
limits=httpx.Limits(max_connections=50, max_keepalive_connections=20),
)
return _client
async def aclose() -> None:
global _client
if _client is not None and not _client.is_closed:
await _client.aclose()
_client = None
+29
View File
@@ -315,6 +315,8 @@ async def extract_kol_signal(
if post_type not in valid_post_types:
post_type = "other"
tier = _derive_tier(cleaned, tvt_score)
return {
"summary": (data.get("summary") or "").strip() or None,
"post_type": post_type,
@@ -322,6 +324,33 @@ async def extract_kol_signal(
"talks_vs_trades_score": tvt_score,
# Keep old boolean for any callers that still check it
"talks_vs_trades_flag": tvt_score >= 0.5,
# tier mirrors x_analysis' vocabulary (trade_signal / directional /
# noise) so blog/substack/podcast posts get the same SIGNAL/VIEW UI
# badges + the "Signals only" filter that Twitter posts already have.
"tier": tier,
"model": model,
"version": ANALYSIS_VERSION,
}
def _derive_tier(tickers: list[dict], tvt_score: float) -> str:
"""Map kol_analysis output → the trade_signal/directional/noise tiers that
x_analysis emits directly. Non-Twitter analyzers don't ask the model for a
tier, so we derive one from the per-ticker conviction + the talks-vs-trades
(divergence) score. Without this, blog/substack/podcast rows have tier=NULL
and the "Signals only" filter + SIGNAL/VIEW badges never apply to them.
* directional ticker = an explicit non-"mention" action (buy/sell/
reduce/bullish/bearish).
* trade_signal = high conviction (>= 0.6) on a directional ticker, or a
strong talks-vs-trades divergence (>= 0.6) — the platform's top signal.
* directional = a directional view exists but below the trade_signal bar.
* noise = no directional ticker and no notable divergence.
"""
directional = [t for t in tickers if (t.get("action") or "mention") != "mention"]
max_conv = max((float(t.get("conviction") or 0) for t in directional), default=0.0)
if max_conv >= 0.6 or tvt_score >= 0.6:
return "trade_signal"
if directional or tvt_score >= 0.5:
return "directional"
return "noise"
+3
View File
@@ -468,6 +468,9 @@ async def _ingest_kol(
# Extended analysis fields (migration 027)
row.post_type = result.get("post_type")
row.talks_vs_trades_flag = bool(result.get("talks_vs_trades_flag", False))
# tier (trade_signal/directional/noise) so the "Signals only"
# filter + SIGNAL/VIEW badges work for non-Twitter KOLs too.
row.tier = result.get("tier")
stats["analyzed"] += 1
except Exception as e:
logger.warning("[kol_substack] analysis failed for %s post %s: %s",
+55
View File
@@ -144,3 +144,58 @@ def verify_signed_request_any(
last_exc = exc
if last_exc is not None:
raise last_exc
# ── Signed-read credential extraction (C3) ────────────────────────────────
# Read endpoints historically took the signature as `?ts=&sig=` query params,
# which leaks signatures into access logs / proxies / browser history. The
# canonical transport is now the X-Sig-Ts / X-Sig-Sig HEADERS; the query
# params are kept as a deprecated fallback so older clients keep working.
from dataclasses import dataclass
from fastapi import Header, Query
@dataclass
class SignedReadCreds:
ts: int
sig: str
def signed_read_creds(
ts: Optional[int] = Query(default=None, deprecated=True,
description="DEPRECATED — use X-Sig-Ts header"),
sig: Optional[str] = Query(default=None, deprecated=True,
description="DEPRECATED — use X-Sig-Sig header"),
x_sig_ts: Optional[int] = Header(default=None, alias="X-Sig-Ts",
description="Signed timestamp (ms)"),
x_sig_sig: Optional[str] = Header(default=None, alias="X-Sig-Sig",
description="EIP-191 signature"),
) -> SignedReadCreds:
"""FastAPI dependency: required signed-read credentials.
Headers win over query params when both are present."""
t = x_sig_ts if x_sig_ts is not None else ts
s = x_sig_sig if x_sig_sig else sig
if t is None or not s:
raise HTTPException(
422, "Missing signed-read credentials (X-Sig-Ts / X-Sig-Sig headers)")
return SignedReadCreds(ts=t, sig=s)
def optional_signed_read_creds(
# Legacy query names used by /telegram/{wallet}/status.
timestamp: Optional[int] = Query(default=None, deprecated=True,
description="DEPRECATED — use X-Sig-Ts header"),
signature: Optional[str] = Query(default=None, deprecated=True,
description="DEPRECATED — use X-Sig-Sig header"),
x_sig_ts: Optional[int] = Header(default=None, alias="X-Sig-Ts"),
x_sig_sig: Optional[str] = Header(default=None, alias="X-Sig-Sig"),
) -> Optional[SignedReadCreds]:
"""Like signed_read_creds but returns None when absent — for endpoints
that serve a redacted response to unauthenticated callers."""
t = x_sig_ts if x_sig_ts is not None else timestamp
s = x_sig_sig if x_sig_sig else signature
if t is None or not s:
return None
return SignedReadCreds(ts=t, sig=s)
+6 -7
View File
@@ -27,7 +27,6 @@ import logging
from datetime import datetime, timezone
from typing import Optional
import httpx
from sqlalchemy import select, update
from app.config import settings
@@ -274,8 +273,8 @@ async def send_message(chat_id: int | str, text: str, *,
if reply_markup is not None:
payload["reply_markup"] = reply_markup
try:
async with httpx.AsyncClient(timeout=10) as client:
r = await client.post(url, json=payload)
from app.services.http_client import get_client
r = await get_client().post(url, json=payload, timeout=10)
if r.status_code != 200:
logger.warning("Telegram sendMessage failed chat=%s status=%d body=%s",
chat_id, r.status_code, r.text[:200])
@@ -302,8 +301,8 @@ async def edit_message(chat_id: int, message_id: int, text: str, *,
if reply_markup is not None:
payload["reply_markup"] = reply_markup
try:
async with httpx.AsyncClient(timeout=10) as client:
r = await client.post(url, json=payload)
from app.services.http_client import get_client
r = await get_client().post(url, json=payload, timeout=10)
if r.status_code != 200:
# Telegram returns 400 on "message is not modified" — harmless.
if "message is not modified" not in r.text:
@@ -331,8 +330,8 @@ async def answer_callback(callback_query_id: str, text: str = "",
payload["text"] = text
payload["show_alert"] = show_alert
try:
async with httpx.AsyncClient(timeout=10) as client:
await client.post(url, json=payload)
from app.services.http_client import get_client
await get_client().post(url, json=payload, timeout=10)
return True
except Exception as exc:
logger.debug("Telegram answerCallback exception: %s", exc)
+5 -6
View File
@@ -1007,15 +1007,14 @@ async def run_bot_loop() -> None:
# them without processing, then start the real loop fresh.
try:
drain_url = TG_API.format(token=token, method="getUpdates")
async with httpx.AsyncClient(timeout=10) as client:
r = await client.get(drain_url, params={"timeout": 0, "limit": 100})
from app.services.http_client import get_client
r = await get_client().get(drain_url, params={"timeout": 0, "limit": 100}, timeout=10)
if r.status_code == 200:
pending = r.json().get("result", [])
if pending:
drain_offset = pending[-1]["update_id"] + 1
# ACK by sending offset back — Telegram won't re-deliver these.
async with httpx.AsyncClient(timeout=10) as client:
await client.get(drain_url, params={"timeout": 0, "offset": drain_offset})
await get_client().get(drain_url, params={"timeout": 0, "offset": drain_offset}, timeout=10)
logger.info(
"Startup drain: skipped %d stale update(s), offset now %d",
len(pending), drain_offset,
@@ -1032,8 +1031,8 @@ async def run_bot_loop() -> None:
params: dict = {"timeout": 25}
if offset is not None:
params["offset"] = offset
async with httpx.AsyncClient(timeout=35) as client:
r = await client.get(url, params=params)
from app.services.http_client import get_client
r = await get_client().get(url, params=params, timeout=35)
if r.status_code != 200:
logger.warning("Telegram getUpdates HTTP %d: %s", r.status_code, r.text[:200])
await asyncio.sleep(backoff)
+2 -3
View File
@@ -33,7 +33,6 @@ import urllib.parse
from datetime import datetime, timezone
from typing import Optional
import httpx
from sqlalchemy import select
from app.config import settings
@@ -146,8 +145,8 @@ async def _post_tweet(text: str, reply_to: Optional[str] = None) -> Optional[str
"Content-Type": "application/json",
}
try:
async with httpx.AsyncClient(timeout=10) as client:
resp = await client.post(TWEET_URL, json=payload, headers=headers)
from app.services.http_client import get_client
resp = await get_client().post(TWEET_URL, json=payload, headers=headers, timeout=10)
if resp.status_code in (200, 201):
_record_sent()
tid = resp.json().get("data", {}).get("id")