randebu/docs/AUDIT_REPORT.md

Randebu Trading Bot - Product & Technical Audit Report

Date: 2026-04-09
Phase: Phase 1 Implementation Complete - Pre-Testing Review
Purpose: Document current state, issues found, and recommendations for next steps

---

1. Product Overview

1.1 What is Randebu?

Randebu is an AI-powered trading bot platform where users create and manage automated trading strategies through natural language chat—similar to ChatGPT, but specialized for creating trading bots.

1.2 Core User Flow

User Registration → Create Bot → Chat with AI to Define Strategy 
    → Backtest Strategy → Simulate Trading → (Future) Live Trading

1.3 Phase 1 Scope

Feature	Status
BNB Chain only	✅ Intended (not yet enforced)
Backtest engine	✅ Implemented
Simulation engine	✅ Implemented
Natural language strategy parsing	✅ Implemented
User authentication	✅ Implemented
Multi-bot support (max 3)	✅ Implemented
Dummy wallet (database record)	✅ Implemented

1.4 Tech Stack

Layer	Technology
Frontend	Svelte 5 + TypeScript
Backend	Python FastAPI
AI Agent	CrewAI + MiniMax LLM
Database	SQLite
Trading Data	AVE Cloud API

---

2. Critical Issues (Must Fix Before Testing)

These issues will cause complete pipeline failure if not addressed.

2.1 Database Tables Never Created

Location: src/backend/app/main.py, src/backend/run.py

Problem: The application starts but never creates the database tables. There is no:

• Alembic migration setup
• Base.metadata.create_all() call on startup
• Database initialization script

Impact: First database operation will fail with "table not found" error.

Current State:

# core/database.py defines Base, but nothing calls:
# Base.metadata.create_all(engine)

Fix Required: Add database initialization on application startup.

---

2.2 Strategy Config Schema Mismatch

Location: Multiple files - see mapping below

Problem: The LLM outputs one schema format, but the backtest and simulation engines expect a completely different format. This is a complete pipeline break - strategies parsed by AI will never trigger any trades in backtesting.

Schema Flow Diagram

┌─────────────────────────────────────────────────────────────────────────┐
│ LLM OUTPUT (llm_connector.py) - What AI actually produces             │
├─────────────────────────────────────────────────────────────────────────┤
│ {                                                                       │
│   "type": "price_drop",                                                │
│   "params": {                                                          │
│     "token": "PEPE",                                                   │
│     "threshold_percent": 5                                             │
│   }                                                                    │
│ }                                                                       │
└─────────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼
┌─────────────────────────────────────────────────────────────────────────┐
│ BACKEND VALIDATOR (crew.py - StrategyValidator.validate())             │
├─────────────────────────────────────────────────────────────────────────┤
│ # Validator expects params.threshold_percent - THIS WORKS              │
│ if "threshold_percent" not in params:                                  │
│     errors.append(f"Condition {i}: missing 'threshold_percent'")       │
└─────────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼ (But engines look for flat fields)
┌─────────────────────────────────────────────────────────────────────────┐
│ BACKTEST ENGINE (services/backtest/engine.py - _check_condition())     │
├─────────────────────────────────────────────────────────────────────────┤
│ # What engine actually looks for:                                      │
│ threshold = condition.get("threshold", 0)    # ❌ Returns 0!          │
│ token = condition.get("token")                # ❌ Wrong path!         │
│ timeframe = condition.get("timeframe")        # ❌ Not in params!     │
│                                                                          │
│ # Result: Conditions NEVER trigger because field names don't match     │
└─────────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼
┌─────────────────────────────────────────────────────────────────────────┐
│ SIMULATE ENGINE (services/simulate/engine.py - _check_condition())    │
├─────────────────────────────────────────────────────────────────────────┤
│ # Same issue as backtest engine                                        │
│ threshold = condition.get("threshold", 0)    # ❌ Returns 0            │
└─────────────────────────────────────────────────────────────────────────┘
                                  │
                                  ▼
┌─────────────────────────────────────────────────────────────────────────┐
│ FRONTEND TYPES (src/frontend/src/lib/api/types.ts)                    │
├─────────────────────────────────────────────────────────────────────────┤
│ interface Condition {                                                  │
│   type: 'price_drop' | 'price_rise' | 'volume_spike' | 'price_level';│
│   token: string;                    # Flat - no params wrapper        │
│   threshold?: number;               # Not threshold_percent!          │
│   timeframe?: string;               # Exists here                    │
│ }                                                                       │
└─────────────────────────────────────────────────────────────────────────┘

Field Mapping Table

Component	Token Field	Threshold Field	Timeframe Field
LLM Output	params.token	params.threshold_percent	N/A
Validator	params.token	params.threshold_percent	N/A
Backtest Engine	token	threshold	timeframe
Simulate Engine	token	threshold	timeframe
Frontend Types	token	threshold	timeframe

Fix Required: Normalize to ONE consistent schema across the entire pipeline. Recommended: Use the flat structure (token, threshold, timeframe) as it's simpler and already used by engines and frontend.

---

2.3 Bot Creation Will Fail

Location:

• src/backend/app/db/schemas.py (BotCreate)
• src/frontend/src/lib/api/client.ts (bots.create)

Problem:

Issue	Details
Backend requires	strategy_config: dict (REQUIRED)
Backend requires	llm_config: dict (REQUIRED)
Frontend sends	Only name and optional description

Impact: Users cannot create bots through the frontend - API will return validation error.

Fix Required: Either:

1. Make strategy_config and llm_config optional in backend with default values
2. OR update frontend to send default config values

---

2.4 Config Endpoints Return Empty Data

Location: src/backend/app/api/config.py

@router.get("/chains")
def get_chains():
    return {"chains": []}  # ❌ Always empty

@router.get("/tokens")
def get_tokens():
    return {"tokens": []}  # ❌ Always empty

Impact: Frontend cannot populate dropdowns for chain/token selection.

Fix Required: Return BSC (BNB Chain) as the only supported chain in Phase 1, and query AVE API for available tokens.

---

3. Major Issues

3.1 Risk Management Not Implemented

Location:

• src/backend/app/db/models.py (schema supports it)
• src/backend/app/services/backtest/engine.py
• src/backend/app/services/simulate/engine.py

Problem: The database schema and frontend UI support risk_management configuration:

interface RiskManagement {
    stop_loss_percent?: number;
    take_profit_percent?: number;
}

However, neither the backtest nor simulation engines actually check or use stop-loss/take-profit logic during trade execution. The config is saved but ignored.

Fix Required: Implement actual stop-loss and take-profit checks in both engines.

---

3.2 Duplicate AveCloudClient Implementations

Location:

• src/backend/app/services/ave/client.py
• src/backend/app/services/backtest/ave_client.py

Problem: Two different AveCloudClient classes with different methods:

services/ave/client.py	services/backtest/ave_client.py
get_tokens()	❌ Missing
get_batch_prices()	✅ get_batch_prices()
get_token_details()	❌ Missing
get_klines()	✅ get_klines()
get_trending_tokens()	❌ Missing
get_token_risk()	❌ Missing
get_chain_quote()	❌ Missing
get_chain_swap()	❌ Missing
❌ Missing	get_token_price()

Additionally, the simulate engine imports from the wrong location:

# services/simulate/engine.py
from ..backtest.ave_client import AveCloudClient  # ❌ Wrong import

Fix Required: Consolidate into ONE AveCloudClient class.

---

3.3 Silent Error Handling in Simulation

Location: src/backend/app/services/simulate/engine.py

try:
    # ... API calls ...
except Exception as e:
    pass  # ❌ Silently swallows ALL errors!

Impact: If AVE API fails or returns bad data, the simulation continues silently with no logging or user feedback.

Fix Required: Add proper error logging and user-facing error messages.

---

3.4 No Chain Validation for Phase 1

Problem: You mentioned limiting to BNB Chain only for Phase 1, but:

• No backend validation enforces this
• Users can specify any chain in backtest/simulate config
• The config endpoints return empty arrays

Fix Required: Add chain validation that only allows "bsc" for Phase 1.

---

3.5 In-Memory Token Blacklist

Location: src/backend/app/api/auth.py

TOKEN_BLACKLIST = set()  # ❌ In-memory only

Problems:

• Resets when server restarts
• Doesn't work with multiple workers/processes
• Logout doesn't truly invalidate tokens in production

Fix Required: Use Redis or database-backed token blacklist for production.

---

3.6 Conversation History Not Passed to Crew

Location: src/backend/app/api/bots.py

history_for_crew = conversation_history[-10:]  # Gets history
crew = get_trading_crew()                      # ❌ Doesn't pass history!
result = crew.chat(user_message, history_for_crew)

The history is fetched but not actually used by the agent - each chat starts fresh.

Fix Required: Pass conversation history to the crew agent.

---

3.7 No Rate Limiting Applied

Location: src/backend/app/main.py

app.state.limiter = limiter  # Set up but not used on most endpoints

The rate limiter is initialized but only applied to the login endpoint. Other endpoints have no protection.

Fix Required: Apply rate limiting to sensitive endpoints.

---

3.8 CORS Wide Open

Location: src/backend/app/main.py

allow_origins=["*"]  # ❌ Should be restricted to frontend domain

Fix Required: Limit CORS to the frontend domain in production.

---

3.9 No WebSocket for Real-Time Updates

Problem: Users must poll the API to see:

• Backtest progress
• Simulation signals (new signals only appear on refresh)

Impact: Poor UX during long-running operations.

Fix Required: Add WebSocket support for real-time updates (Phase 2 or later).

---

4. Minor Issues

4.1 Unused Dependencies

Location: src/backend/requirements.txt

anthropic>=0.18.0  # Included but project uses MiniMax

Fix Required: Remove unused dependency.

---

4.2 Missing .env Example

Problem: No .env.example file to guide deployment.

Fix Required: Create .env.example with all required variables documented.

---

4.3 No Input Sanitization

User-provided data (bot names, chat messages) isn't sanitized before storage or display.

Fix Required: Add input validation and sanitization.

---

4.4 Inconsistent Error Responses

Some endpoints return {"detail": "..."} (FastAPI default), others return custom error shapes.

Fix Required: Standardize error response format.

---

4.5 No Integration Tests

No tests that verify the full pipeline (chat → config → backtest).

Fix Required: Add integration tests.

---

5. Missing Documentation Files

The following should be created:

1. .env.example - All environment variables with descriptions
2. docs/STRATEGY_SCHEMA.md - Single source of truth for strategy config schema
3. docs/API_SCHEMA.md - API contract documentation
4. init_db.py - Database initialization script

---

6. Recommendations Summary

Priority Matrix

Priority	Issue	Effort	Impact
P0	Database tables not created	Small	App crashes on startup
P0	Bot creation fails	Small	Users can't create bots
P0	Strategy schema mismatch	Medium	Backtesting completely broken
P0	Config endpoints empty	Small	No chain/token selection
P1	Risk management not implemented	Medium	No stop-loss/take-profit
P1	Chain validation missing	Small	Can use non-BSC chains
P1	Silent error handling	Small	Hard to debug issues
P2	Duplicate AveCloudClient	Medium	Maintenance burden
P2	CORS restricted	Small	Security hardening
P2	Token blacklist (production)	Medium	Security
P2	Rate limiting	Medium	DoS protection
P3	WebSocket support	Large	UX improvement
P3	Integration tests	Medium	Code quality

---

7. AVE Cloud Integration Notes

Rate Limit Strategy

Tier	TPS	Recommended Approach
Free	1	Aggressive caching, batch requests
Normal	5	Moderate caching
Pro	20	Minimal caching

Caching Recommendations

1. Token prices: Cache for 30-60 seconds
2. Trending tokens: Cache for 5-10 minutes
3. Token details: Cache for 5-10 minutes
4. Risk assessments: Cache for 15-30 minutes

No Testnet Warning

AVE Cloud has no testnet. All API calls use real money:

• Use quote/dry-run mode for testing
• Start with minimal amounts ($1-10)
• Contact AVE support about sandbox options

---

8. Next Steps

Immediate (Before Testing)

1. Add database initialization to startup
2. Fix bot creation (frontend or backend)
3. Normalize strategy schema - Choose flat structure, update all components
4. Populate config endpoints with BSC + default tokens
5. Add BSC-only chain validation

Short Term

6. Implement risk management (stop-loss/take-profit)
7. Consolidate AveCloudClient
8. Add proper error handling
9. Create .env.example
10. Add input sanitization

Medium Term

11. Add WebSocket for real-time updates
12. Implement production token blacklist (Redis)
13. Apply rate limiting
14. Restrict CORS
15. Add integration tests

---

9. Files Reference

Key Backend Files

File	Purpose
src/backend/app/main.py	FastAPI app initialization
src/backend/app/api/bots.py	Bot CRUD + chat endpoint
src/backend/app/api/backtest.py	Backtest API
src/backend/app/api/simulate.py	Simulation API
src/backend/app/api/ave.py	AVE Cloud proxy endpoints
src/backend/app/api/config.py	Config endpoints
src/backend/app/db/schemas.py	Pydantic schemas
src/backend/app/db/models.py	SQLAlchemy models
src/backend/app/services/ai_agent/crew.py	CrewAI agents
src/backend/app/services/ai_agent/llm_connector.py	MiniMax LLM
src/backend/app/services/backtest/engine.py	Backtest logic
src/backend/app/services/simulate/engine.py	Simulation logic
src/backend/app/services/ave/client.py	AVE Cloud client

Key Frontend Files

File	Purpose
src/frontend/src/lib/api/client.ts	API client
src/frontend/src/lib/api/types.ts	TypeScript types
src/frontend/src/routes/bot/[id]/+page.svelte	Bot chat page
src/frontend/src/routes/bot/[id]/backtest/+page.svelte	Backtest page
src/frontend/src/routes/bot/[id]/simulate/+page.svelte	Simulation page
src/frontend/src/lib/components/ChatInterface.svelte	Chat UI
src/frontend/src/lib/components/StrategyPreview.svelte	Strategy display

---

10. Audit Complete

This audit was conducted by reviewing:

• All source code in src/backend/ and src/frontend/
• Documentation in docs/
• Database models and schemas
• API endpoints and their implementations

The product has a solid architectural foundation and addresses a real market need. The core issues are manageable - primarily schema standardization and missing initialization code.

---

End of Audit Report