The following considerations were identified by specialist reviewers before
drafting began. Use these as context — they should inform but not constrain
your design. Where lenses contradict, use your own judgement to resolve.

---
## Security Lens
**Include:**
- API key scoping and rotation policy for exchange credentials: Binance/exchange API keys should be restricted to trade-only (no withdrawal permissions) and stored exclusively in secrets.env with chmod 600, so that key exposure cannot result in fund drain beyond the paper/live trading balance.
- Trust boundary validation between variants and the shared PostgreSQL instance: each of the four variant LXCs should authenticate to its own DB user with write access scoped to its own schema only, preventing a compromised or buggy variant from corrupting another variant's positions or symbol_protections table.
- Signal-injection and order-spoofing protection on the micro-scanner intake path: any external price/signal feed entering the bot must be validated for plausible range and authenticated, since a spoofed signal on TSTUSDT/DOGSUSDT could fabricate the high-confidence entries that are currently triggering hard_stop exits at scale.

**Exclude:**
- General OWASP web-application controls (XSS, CSRF, SQL injection via web forms): Sigil has no user-facing HTTP interface — the attack surface is purely API keys, DB credentials, and inter-process data; web-layer hardening is irrelevant.
- TLS certificate management or HTTPS termination hardening: all inter-LXC communication is on the private LAN and the exchange API is HTTPS by default; adding a separate TLS layer to internal PostgreSQL connections is out of scope for a paper-trading improvement cycle.
- Two-factor authentication or OAuth flows for operator access: the bot is headless and operator access is via SSH with existing controls; redesigning human-authentication is not relevant to stopping hard_stop trading losses.

---
## Robustness Lens
**Include:**
- **Position deduplication enforcement at signal generation, not just execution**: The re-entry cooldown writing to `symbol_protections` is being bypassed because the guard is applied too late in the pipeline — new signals are generated for symbols already holding open positions, and by the time execution checks the protection record, multiple entries have accumulated; the guard must be a pre-signal gate, not a pre-execution gate.
- **Unhinged scheduler lifecycle validation with dead-man circuit breaker**: Zero signals in 7 days with 144 open positions is a resource lifecycle failure — the scanner process or scheduler cron is silently dead while the position manager keeps running, creating an uncloseable exposure; any variant must detect "no signals produced in N hours" and halt new position opening or page for intervention.
- **ATR-relative stop distance validation before entry**: A hard_stop firing at 7-10× the atr_trail win magnitude indicates the stop is placed inside normal ATR noise for these coins — each entry must assert that `stop_distance >= k * ATR(14)` at the moment of entry, rejecting trades where the stop is too tight to survive routine volatility on the specific symbol.
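A pre-signal entry gate that combines the deduplication guard and the ATR-relative stop check above, as an added example rather than Sigil's own code. It assumes a constructed in-memory view of the `positions` and `symbol_protections` tables (the bot would query PostgreSQL instead), a simple-average ATR rather than Wilder smoothing, and an assumed multiplier `k=1.5`.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Candle:
    high: float
    low: float
    close: float


def atr(candles, period=14):
    """Simple-average ATR over the last `period` candles (assumption: the
    bot's own ATR(14) may use Wilder smoothing instead)."""
    if len(candles) < period + 1:
        raise ValueError("need period+1 candles to compute true range")
    prev, cur = candles[-period - 1:-1], candles[-period:]
    trs = [max(c.high - c.low, abs(c.high - p.close), abs(c.low - p.close))
           for p, c in zip(prev, cur)]
    return sum(trs) / period


def entry_allowed(symbol, entry, stop, candles, open_positions, protections,
                  now, k=1.5):
    """Pre-signal gate: returns (allowed, reason). Runs before a signal is
    emitted, so a symbol that already holds a position or is under a
    re-entry cooldown never produces a signal, and a stop placed inside
    k*ATR(14) is rejected at the source. `k` is an assumed multiplier."""
    if symbol in open_positions:
        return False, "open position exists"
    ban_until = protections.get(symbol)
    if ban_until is not None and ban_until > now:
        return False, f"re-entry cooldown until {ban_until.isoformat()}"
    stop_distance = abs(entry - stop)
    a = atr(candles)
    if stop_distance < k * a:
        return False, f"stop {stop_distance:.4f} inside {k}x ATR(14)={a:.4f}"
    return True, "ok"


# Constructed sample state (not real Sigil data): 20 synthetic candles with a
# constant 0.02 true range, one open position, and one active cooldown.
NOW = datetime(2025, 1, 1, 0, 0, tzinfo=timezone.utc)
CANDLES = [Candle(1.00 + 0.01 * i, 0.98 + 0.01 * i, 0.99 + 0.01 * i)
           for i in range(20)]
OPEN_POSITIONS = {"TSTUSDT"}
PROTECTIONS = {"DOGSUSDT": NOW.replace(hour=1)}      # ban_until still in the future
EXPIRED = {"DOGSUSDT": NOW.replace(year=2024)}       # ban_until already passed
```

With the synthetic candles ATR(14) is 0.02, so an entry at 1.18 with a stop at 1.16 is rejected while a stop at 1.14 passes.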

**Exclude:**
- **Cross-pollination pattern adoption without failure-mode mapping**: Borrowing freqtrade/jesse/hummingbot entry or sizing patterns is only safe after confirming they solve the specific hard_stop + multi-position failure modes, not as general improvements — importing untested patterns onto a broken baseline risks masking root causes.
- **Unhinged variant continued operation in current state**: Designing improvements that treat unhinged as a functioning comparison point is invalid — 144 frozen positions with zero signal generation means its data is noise, not signal; it must be diagnosed and reset (or disabled) before it informs any design decision.
- **symbol_protections extended-ban tuning without fixing the multi-position entry gap**: Tweaking `ban_until` durations and cooldown windows addresses a downstream symptom; until the upstream gap (signals generated for already-open symbols) is closed, ban duration changes will have no effect on position accumulation per symbol.

---
## Ops Lens
**Include:**
- **Dead-variant detection alerting:** Unhinged has produced 0 signals in 7 days while holding 144 open positions, and no alert fired — any design must include a liveness check (signal count threshold over a rolling window) that pages or at least logs CRITICAL when a variant goes dark, so this class of failure doesn't survive another week undetected.
- **Open-position state hygiene on restart/deploy:** With 144 stale open positions on unhinged and multi-position accumulation on baseline, any fix or new layer deployment must reconcile the `positions` table against real open state before resuming signal generation, or the hygiene fix will be applied to a corrupt baseline and produce misleading paper results.
- **Atomic schema migration gate in CI/deploy path:** Layers C/D/F introduce new migrations on top of schema v013 — the deploy process must enforce migration idempotency and a rollback path per-variant so that a bad migration on one LXC doesn't corrupt the others and invalidate the 30-day graduation dataset.
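The dead-man liveness check called for by both the Robustness and Ops lenses ("no signals produced in N hours" halts new entries and logs CRITICAL), as an added example that is not Sigil's own code. The 24-hour window, the one-signal minimum and the sample timelines are assumptions constructed to mirror the unhinged failure described above.

```python
import logging
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

log = logging.getLogger("sigil.liveness")


@dataclass(frozen=True)
class Liveness:
    variant: str
    signals_in_window: int
    open_positions: int
    level: str            # "OK" or "CRITICAL"
    halt_new_entries: bool


def check_liveness(variant, signal_times, open_positions, now,
                   window_hours=24, min_signals=1):
    """Dead-man check over a rolling window (thresholds are assumptions).
    Counts signals emitted in the last `window_hours`; below `min_signals`
    the variant is treated as dark: log CRITICAL and halt new entries, while
    the position manager keeps managing what is already open."""
    cutoff = now - timedelta(hours=window_hours)
    recent = sum(1 for t in signal_times if cutoff <= t <= now)
    dark = recent < min_signals
    level = "CRITICAL" if dark else "OK"
    if dark:
        log.critical("%s went dark: %d signals in last %dh, %d open positions; "
                     "halting new entries", variant, recent, window_hours,
                     open_positions)
    return Liveness(variant, recent, open_positions, level, dark)


# Constructed sample timelines (not real Sigil data). `unhinged` last emitted a
# signal seven days ago yet holds 144 positions; `baseline` emitted two today.
NOW = datetime(2025, 1, 8, 12, 0, tzinfo=timezone.utc)
UNHINGED_SIGNALS = [NOW - timedelta(days=7)]
BASELINE_SIGNALS = [NOW - timedelta(hours=2), NOW - timedelta(hours=10)]

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(check_liveness("sigil_unhinged", UNHINGED_SIGNALS, 144, NOW))
    print(check_liveness("sigil", BASELINE_SIGNALS, 3, NOW))
```

In a deployment the check would run from the scheduler's supervisor rather than the scanner itself, since a dead scanner cannot report its own death.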

**Exclude:**
- **Cross-variant DB joins or shared state:** Each variant runs an isolated DB (sigil, sigil_moderate, sigil_aggressive, sigil_unhinged) — any design that introduces cross-variant coordination at the DB layer adds operational coupling that makes per-variant rollback and graduation gating impossible.
- **Live-trading deployment paths or credential wiring:** The graduation gate is explicitly 30-day paper-positive; including live-mode infra work now creates operational surface area (API keys, order routing, exchange connectivity) that has no paper-trading value and raises the blast radius of any 3am incident.
- **Centralised log aggregation rework:** Adding a new log pipeline (e.g., Loki shipper changes, new exporters) as part of this fix scope would be a deployment dependency that could block the core hard_stop investigation and delay the paper-trading reset window.

