fix: resolve 13 important issues from code review

I1: Add graceful shutdown (SIGTERM/SIGINT) to all 5 background services I2: Fix Dockerfile healthcheck to use curl on /metrics endpoint I3: Fix StreamConsumer.ensure_group() to only catch BUSYGROUP errors I4: Fix SimulatedBroker to reject orders with insufficient cash/shares I5: Move ORM attribute access inside DB session context in trades routes I6: Add Redis-based rate limiting (10 req/min/IP) on all auth endpoints I8: Prevent backtest background task garbage collection I9: Use Numeric(16,6) instead of Float for financial columns in migration I10: Add index on trades.created_at for time-range queries I11: Bind infrastructure ports to 127.0.0.1 in docker-compose I12: Add migrations init service; all app services depend on it I13: Fix user enumeration in login_begin (return options for non-existent users)
2026-02-22 17:58:01 +00:00 · 2026-02-22 17:58:01 +00:00 · 5a6b20c8f1
commit 5a6b20c8f1
parent 2a56727267
13 changed files with 355 additions and 188 deletions
--- a/services/api_gateway/routes/backtest.py
+++ b/services/api_gateway/routes/backtest.py
@ -17,6 +17,9 @@ logger = logging.getLogger(__name__)

 router = APIRouter(prefix="/api/backtest", tags=["backtest"])

+# Store references to background tasks to prevent garbage collection
+_background_tasks: set[asyncio.Task] = set()
+

 class BacktestRequest(BaseModel):
    """Request body for starting a new backtest."""
@ -56,8 +59,10 @@ async def run_backtest(
        }),
    )

-    # Launch background task
-    asyncio.create_task(_run_backtest_task(run_id, body, redis))
+    # Launch background task (stored in set to prevent GC)
+    task = asyncio.create_task(_run_backtest_task(run_id, body, redis))
+    _background_tasks.add(task)
+    task.add_done_callback(_background_tasks.discard)

    return {"run_id": run_id, "status": "running"}

--- a/services/api_gateway/routes/trades.py
+++ b/services/api_gateway/routes/trades.py
@ -67,27 +67,27 @@ async def list_trades(
        result = await session.execute(query)
        trades = result.scalars().all()

-    return {
-        "trades": [
-            {
-                "id": str(t.id),
-                "ticker": t.ticker,
-                "side": t.side.value,
-                "qty": t.qty,
-                "price": t.price,
-                "status": t.status.value,
-                "pnl": t.pnl,
-                "strategy_id": str(t.strategy_id) if t.strategy_id else None,
-                "signal_id": str(t.signal_id) if t.signal_id else None,
-                "created_at": t.created_at.isoformat() if t.created_at else None,
-            }
-            for t in trades
-        ],
-        "total": total,
-        "page": page,
-        "per_page": per_page,
-        "pages": (total + per_page - 1) // per_page if per_page else 0,
-    }
+        return {
+            "trades": [
+                {
+                    "id": str(t.id),
+                    "ticker": t.ticker,
+                    "side": t.side.value,
+                    "qty": t.qty,
+                    "price": t.price,
+                    "status": t.status.value,
+                    "pnl": t.pnl,
+                    "strategy_id": str(t.strategy_id) if t.strategy_id else None,
+                    "signal_id": str(t.signal_id) if t.signal_id else None,
+                    "created_at": t.created_at.isoformat() if t.created_at else None,
+                }
+                for t in trades
+            ],
+            "total": total,
+            "page": page,
+            "per_page": per_page,
+            "pages": (total + per_page - 1) // per_page if per_page else 0,
+        }


@router.get("/{trade_id}")
@ -105,21 +105,21 @@ async def get_trade(
            await session.execute(select(Trade).where(Trade.id == trade_id))
        ).scalar_one_or_none()

-    if trade is None:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail="Trade not found",
-        )
+        if trade is None:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="Trade not found",
+            )

-    return {
-        "id": str(trade.id),
-        "ticker": trade.ticker,
-        "side": trade.side.value,
-        "qty": trade.qty,
-        "price": trade.price,
-        "status": trade.status.value,
-        "pnl": trade.pnl,
-        "strategy_id": str(trade.strategy_id) if trade.strategy_id else None,
-        "signal_id": str(trade.signal_id) if trade.signal_id else None,
-        "created_at": trade.created_at.isoformat() if trade.created_at else None,
-    }
+        return {
+            "id": str(trade.id),
+            "ticker": trade.ticker,
+            "side": trade.side.value,
+            "qty": trade.qty,
+            "price": trade.price,
+            "status": trade.status.value,
+            "pnl": trade.pnl,
+            "strategy_id": str(trade.strategy_id) if trade.strategy_id else None,
+            "signal_id": str(trade.signal_id) if trade.signal_id else None,
+            "created_at": trade.created_at.isoformat() if trade.created_at else None,
+        }