Automation/bot auto pr

[VirilePeak]

Note

High Risk
Touches trade execution and risk gating (including kill-switch persistence) and adds an automated deploy workflow, so misconfiguration or logic errors could affect live trading/deploy safety.

Overview
Adds a new low-latency “fast entry” trading path via FastEntryEngine, including sliding-window dislocation detection, immediate “leg1” entry execution, timing guards for 5m/15m BTC up/down markets, latency logging, and hooks for later confirmation/hedge/exit actions.

Introduces core trade lifecycle infrastructure (PositionManager, RiskManager, LatencyStats, TradeMetricsTracker) with market-level locks, idempotency + persistence, fast-exit A/B logic, kill-switch persistence (data/risk_state.json), and a hard gate that forces entries through src/order_executor.place_entry_order_with_gate() (enforced by Polymarket.execute_order(gate_checked=...)).

Adds a market-data subsystem (adapter/cache/event bus/providers + FastAPI health/metrics/admin routes) and updates docs/settings to reflect debug endpoints and timeframe controls.

Separately, adds/updates repo automation and deployment: new CI workflow, a bot draft-PR workflow, optional SSH/rsync deploy-on-merge using .deployignore, CodeQL monitoring/commenting workflows, dependency-review tweaks, plus .gitignore/requirements platform markers and a handful of helper scripts.

^{Written by Cursor Bugbot for commit 2dad940. This will update automatically on new commits. Configure here.}

[github-actions]

Welcome to Polymarket Agents. Thank you for creating your first PR. Cheers!

[VirilePeak]

ok

[VirilePeak]

Hi maintainers — PR #197 is from a fork and the GitHub Actions workflow is awaiting approval.
Could someone please click “Approve workflows to run” so the checks can execute? Thank you!

[VirilePeak]

ok

[VirilePeak]

Hi maintainers — this PR triggers 3 GitHub Actions workflows that are awaiting approval.
Could someone with write access please click “Approve workflows to run” so the checks can execute? Thanks!

[VirilePeak]

Hi maintainers — this PR adds the automation workflows for bot maintenance/updates.
Security note: the deploy workflow is optional and only runs on merge / required conditions (no secrets are exposed in PR context).
GitHub shows “3 workflows awaiting approval” — could someone with write access please click “Approve workflows to run” so CI can execute?
Happy to split deploy vs. bot-auto PR if you prefer.

[cursor]

Latency recorder called with wrong arguments

High Severity

FastEntryEngine calls self.latency_stats.record() with three values, but LatencyStats.record accepts only two. This raises a runtime TypeError during successful Leg1 execution and drops into the failure path, so entries can be marked failed after order placement.

Additional Locations (1)

• agents/application/latency_stats.py#L22-L27

 

[cursor]

WebSocket mode cannot initialize correctly

Medium Severity

FastEntryEngine imports WEBSOCKETS_AVAILABLE and later calls self.ws_client.start(...), but agents/polymarket/websocket_client.py defines neither WEBSOCKETS_AVAILABLE nor start/stop. The use_websocket path is effectively broken and cannot run as implemented.

Additional Locations (2)

• agents/polymarket/websocket_client.py#L16-L27
• agents/application/fast_entry_engine.py#L734-L736

 

[cursor]

Latency stats logging method is missing

Medium Severity

FastEntryEngine calls self.latency_stats.log_stats(...), but LatencyStats does not implement log_stats. Once leg1_filled reaches the logging interval, this raises AttributeError inside _execute_leg1 and diverts the success path into error handling.

Additional Locations (1)

• agents/application/latency_stats.py#L14-L46

 

[cursor]

Active entries never removed from memory

Medium Severity

Each Leg1 attempt is stored in self.active_entries, but there is no removal on fill, failure, timeout, or stop. This creates unbounded in-memory growth and makes get_stats() report ever-increasing active_entries that no longer represent active state.

 

[cursor]

Entry gate enforcement is silently bypassed

High Severity

execute_order raises when ENTRY_GATE_ENFORCE_POLY is enabled and gate_checked is false, but that RuntimeError is immediately swallowed by the surrounding except Exception. This makes the enforcement path ineffective and still submits the order.

 

[cursor]

Deploy secret validation misses required fields

Medium Severity

The deploy gate only checks DEPLOY_HOST and DEPLOY_SSH_KEY, but deployment later requires DEPLOY_USER and DEPLOY_TARGET too. The workflow can proceed with incomplete configuration and run rsync with empty destination components, causing avoidable deploy failures.

Additional Locations (1)

• .github/workflows/deploy-on-merge.yml#L79-L84

 

[cursor]

Fast exit IDs can collide across trades

Medium Severity

evaluate_fast_exit builds exit_request_id values from only reason and timestamp, so simultaneous exits can share the same ID. In exit_trade, idempotency is checked after trade.closing is set, so a collided ID can make a different trade return early as already handled while staying stuck in closing state.

Additional Locations (2)

• agents/application/position_manager.py#L760-L768
• agents/application/position_manager.py#L373-L374

 

[cursor]

Test failures do not block PR creation

Medium Severity

The lint and test steps use || true, so failures in black, flake8, or pytest do not fail the test-and-lint job. create-pr still runs via needs, allowing automated PRs to be created even when checks fail.

 

[cursor]

Cursor Bugbot has reviewed your changes and found 8 potential issues.

^{Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before Autofix could start.}

[cursor]

Falsy-check on best_bid/best_ask drops valid zero prices

Medium Severity

best_bid or price and best_ask or price use truthiness to fall back to price, but 0.0 is a valid Polymarket price that is falsy. This silently replaces legitimate 0.0 bid/ask values. The code above correctly uses is not None checks, but these lines undo that care.

 

[cursor]

OrderBookUpdate missing fields used in WebSocket callback

High Severity

OrderBookUpdate only defines bids and asks fields, but the WebSocket callback in FastEntryEngine accesses update.mid_price, update.timestamp_ms, update.best_bid, update.best_ask, and update.token_id. These attributes don't exist on the dataclass, so WebSocket mode will crash with AttributeError on every update.

Additional Locations (1)

• agents/application/fast_entry_engine.py#L700-L711

 

[cursor]

Hardcoded local Windows path in aggregate script

Medium Severity

base = Path("c:/Users/sefa1/agents") is a hardcoded local Windows filesystem path. This script will silently find no files on any other machine, making it non-functional for all other developers and in CI.

 

[cursor]

Local workspace file committed with developer-specific paths

Low Severity

This workspace file references relative paths to a sibling directory (../polymarket_btc_bot/polymarket_btc_bot) and a virtual environment (../.venv), which are specific to a developer's local setup. This file and the duplicate newagents.code-workspace / agents.code-workspace appear to be personal IDE configuration that doesn't belong in the repository.

 

[cursor]

Market lock only blocks PENDING, not other active states

High Severity

The market lock in create_trade only prevents new trades when the existing trade's status is PENDING. If a trade has been confirmed, sized up (ADDED), or hedged (HEDGED), a new trade is created for the same market, overwriting market_locks. This orphans the existing active trade's lock reference, and when the old trade exits it deletes the new trade's lock entry, corrupting state.

 

[cursor]

Admin subscribe endpoint missing authentication check

Medium Severity

The /market-data/admin/subscribe endpoint has no DEBUG_ENDPOINTS_ENABLED or token authentication check, unlike the sibling admin endpoints /market-data/subscriptions and /market-data/admin/discover-subscribe which both enforce _require_debug_access. Any unauthenticated caller can trigger subscriptions to arbitrary token IDs.

 

[cursor]

Deploy rsync --delete destroys runtime state files on target

High Severity

The rsync --delete command removes target-side files that aren't in the source checkout and aren't excluded. Runtime state files like position_state.json, paper_trades.jsonl, pending_confirmations.json, and data/risk_state.json are not listed in .deployignore, are not in git (gitignored), and therefore don't exist in the source. Every deploy would wipe all active trade state, paper trade history, risk kill-switch state, and pending confirmations from the production server.

Additional Locations (1)

• .deployignore#L1-L28

 

[cursor]

BTC timeframe env vars documented but never loaded

Medium Severity

_load_from_env is missing set_if calls for BTC_UPDOWN_TIMEFRAME_MINUTES, BTC_UPDOWN_ENABLE_5M, and MARKET_DATA_RTDS_ENABLED (among others), even though the README documents them as environment-configurable. Setting BTC_UPDOWN_TIMEFRAME_MINUTES=5 in the environment has no effect — the bot always uses 15-minute markets. Similarly, MARKET_DATA_RTDS_ENABLED=0 cannot disable the RTDS provider, which defaults to enabled.

Additional Locations (1)

• README.md#L18-L31