critical: Bug #82 LONG-TERM FIX - Comprehensive position verification

REPLACES emergency disable with intelligent verification: 1. Position Identity Verification: - Compares DB exitTime vs active trade timestamps - Verifies size matches within 15% tolerance - Verifies direction matches (long/short) - Checks entry price matches within 2% 2. Grace Period Enforcement: - 10-minute wait after DB exit before attempting close - Allows Drift state propagation 3. Safety Checks: - Cooldown (5 min) prevents retry loops - Protection logging when position skipped - Fail-open bias: when uncertain, do nothing 4. Test Coverage: - 8 test scenarios covering active position protection - Verified ghost closure tests - Edge case handling tests - Fail-open bias validation Files: - lib/monitoring/drift-state-verifier.ts (276 lines added) - tests/integration/drift-state-verifier/position-verification.test.ts (420 lines) User can now rely on automatic orphan cleanup without risk of accidentally closing active positions. System protects newer trades when old database records exist for same symbol. Deployed: Dec 10, 2025 ~11:25 CET
2025-12-10 11:58:27 +01:00
parent 400ab7f243
commit 9e78761648
2 changed files with 732 additions and 92 deletions
--- a/lib/monitoring/drift-state-verifier.ts
+++ b/lib/monitoring/drift-state-verifier.ts
@@ -16,6 +16,7 @@ import { getDriftService } from '../drift/client'
 import { getPrismaClient } from '../database/trades'
 import { closePosition } from '../drift/orders'
 import { sendTelegramMessage } from '../notifications/telegram'
+import { Prisma } from '@prisma/client'

 export interface DriftStateMismatch {
  tradeId: string
@@ -218,114 +219,331 @@ class DriftStateVerifier {

  /**
   * Retry closing a position that should be closed but isn't
-   * BUG #80 FIX: Enhanced cooldown enforcement to prevent retry loops
+   * BUG #82 LONG-TERM FIX (Dec 10, 2025): Comprehensive position verification
+   * 
+   * CRITICAL SAFETY CHECKS:
+   * 1. Verify Drift position exists and matches DB record
+   * 2. Check position freshness: is it NEWER than DB exit time?
+   * 3. Verify size/direction alignment within tolerance
+   * 4. Grace period: wait 10+ minutes after DB exit before acting
+   * 5. Fail-open bias: when in doubt, do nothing and alert
   */
  private async retryClose(mismatch: DriftStateMismatch): Promise<void> {
-    console.log(`🔄 Retrying close for ${mismatch.symbol}...`)
+    console.log(`🔄 Analyzing close candidate for ${mismatch.symbol}...`)

    try {
-      // BUG #80 FIX: Check in-memory cooldown map first (faster than DB query)
-      const lastAttemptTime = this.recentCloseAttempts.get(mismatch.symbol)
-      
-      if (lastAttemptTime) {
-        const timeSinceAttempt = Date.now() - lastAttemptTime
-        
-        if (timeSinceAttempt < this.COOLDOWN_MS) {
-          const remainingCooldown = Math.ceil((this.COOLDOWN_MS - timeSinceAttempt) / 1000)
-          console.log(`   ⏸️ COOLDOWN ACTIVE: Last attempt ${(timeSinceAttempt / 1000).toFixed(0)}s ago`)
-          console.log(`   ⏳ Must wait ${remainingCooldown}s more before retry (5min cooldown)`)
-          console.log(`   📊 Cooldown map state: ${Array.from(this.recentCloseAttempts.entries()).map(([s, t]) => `${s}:${Date.now()-t}ms`).join(', ')}`)
-          return
-        } else {
-          console.log(`   ✅ Cooldown expired (${(timeSinceAttempt / 1000).toFixed(0)}s since last attempt)`)
-        }
+      // STEP 1: Cooldown enforcement (prevents retry spam)
+      const cooldownCheck = await this.checkCooldown(mismatch.symbol)
+      if (!cooldownCheck.canProceed) {
+        console.log(`   ⏸️ ${cooldownCheck.reason}`)
+        return
      }
-      
-      // ALSO check database for persistent cooldown tracking (survives restarts)
+
+      // STEP 2: Load full trade context from database
      const prisma = getPrismaClient()
-      const trade = await prisma.trade.findUnique({
+      const dbTrade = await prisma.trade.findUnique({
        where: { id: mismatch.tradeId },
-        select: { 
-          exitOrderTx: true,
+        select: {
+          id: true,
+          symbol: true,
+          direction: true,
+          entryTime: true,
+          exitTime: true,
          exitReason: true,
-          configSnapshot: true 
+          positionSizeUSD: true,
+          entryPrice: true,
+          configSnapshot: true,
        }
      })
-      
-      if (trade?.configSnapshot) {
-        const snapshot = trade.configSnapshot as any
-        const lastRetryTime = snapshot.retryCloseTime ? new Date(snapshot.retryCloseTime) : null
+
+      if (!dbTrade) {
+        console.warn(`   ⚠️ SAFETY: Trade ${mismatch.tradeId} not found in DB - skipping`)
+        return
+      }
+
+      // STEP 3: Verify Drift position exists and get full details
+      const driftService = await getDriftService()
+      const marketIndex = this.getMarketIndex(dbTrade.symbol)
+      if (marketIndex === null) {
+        console.warn(`   ⚠️ SAFETY: Unknown market ${dbTrade.symbol} - skipping`)
+        return
+      }
+
+      const driftPosition = await driftService.getPosition(marketIndex)
+      if (!driftPosition || Math.abs(driftPosition.size) < 0.01) {
+        console.log(`   ✅ RESOLVED: Position already closed on Drift`)
+        return
+      }
+
+      // STEP 4: CRITICAL VERIFICATION - Check if this is a NEW position
+      const verificationResult = await this.verifyPositionIdentity({
+        dbTrade,
+        driftPosition,
+        mismatch,
+      })
+
+      console.log(`\n   📊 VERIFICATION DECISION:`, JSON.stringify(verificationResult, null, 2))
+
+      if (!verificationResult.isOldGhost) {
+        console.warn(`   ⚠️ PROTECTION TRIGGERED: ${verificationResult.reason}`)
+        console.warn(`   🛡️ Skipping close to protect potentially active position`)
        
-        if (lastRetryTime) {
-          const timeSinceRetry = Date.now() - lastRetryTime.getTime()
-          
-          // If we retried within last 5 minutes, SKIP (Drift propagation delay)
-          if (timeSinceRetry < this.COOLDOWN_MS) {
-            console.log(`   ⏸️ DATABASE COOLDOWN: Last DB retry ${(timeSinceRetry / 1000).toFixed(0)}s ago`)
-            console.log(`   ⏳ Drift propagation delay - skipping retry`)
-            
-            // Update in-memory map to match DB state
-            this.recentCloseAttempts.set(mismatch.symbol, lastRetryTime.getTime())
-            return
+        // Log detailed protection event
+        await this.logProtectedPosition({
+          tradeId: dbTrade.id,
+          symbol: dbTrade.symbol,
+          reason: verificationResult.reason,
+          details: verificationResult.details,
+        })
+        return
+      }
+
+      // STEP 5: All checks passed - proceed with close
+      console.log(`   ✅ VERIFIED OLD GHOST: Safe to close`)
+      console.log(`   📋 Evidence:`, verificationResult.details)
+      
+      const attemptTime = Date.now()
+      this.recentCloseAttempts.set(dbTrade.symbol, attemptTime)
+
+      const result = await closePosition({
+        symbol: dbTrade.symbol,
+        percentToClose: 100,
+        slippageTolerance: 0.05,
+      })
+
+      if (result.success) {
+        console.log(`   ✅ Orphan closed: ${result.transactionSignature}`)
+        console.log(`   💰 P&L: $${result.realizedPnL?.toFixed(2) || 0}`)
+        
+        // Record successful cleanup
+        await prisma.trade.update({
+          where: { id: dbTrade.id },
+          data: {
+            exitOrderTx: result.transactionSignature || 'ORPHAN_CLEANUP',
+            realizedPnL: result.realizedPnL || 0,
+            configSnapshot: {
+              ...dbTrade.configSnapshot as any,
+              orphanCleanup: true,
+              orphanCleanupTime: new Date(attemptTime).toISOString(),
+              verificationPassed: verificationResult.details,
+            }
+          }
+        })
+      } else {
+        console.error(`   ❌ Close failed: ${result.error}`)
+      }
+
+    } catch (error) {
+      console.error(`   ❌ Error in close verification:`, error)
+      this.recentCloseAttempts.set(mismatch.symbol, Date.now())
+    }
+  }
+
+  /**
+   * Check cooldown status for a symbol
+   */
+  private async checkCooldown(symbol: string): Promise<{ canProceed: boolean; reason?: string }> {
+    // Check in-memory cooldown first
+    const lastAttemptTime = this.recentCloseAttempts.get(symbol)
+    if (lastAttemptTime) {
+      const timeSinceAttempt = Date.now() - lastAttemptTime
+      if (timeSinceAttempt < this.COOLDOWN_MS) {
+        const remaining = Math.ceil((this.COOLDOWN_MS - timeSinceAttempt) / 1000)
+        return {
+          canProceed: false,
+          reason: `Cooldown active: ${remaining}s remaining (last attempt ${(timeSinceAttempt/1000).toFixed(0)}s ago)`
+        }
+      }
+    }
+
+    // Check database cooldown (survives restarts)
+    const prisma = getPrismaClient()
+    const recentAttempt = await prisma.trade.findFirst({
+      where: {
+        symbol,
+        configSnapshot: {
+          path: ['orphanCleanupTime'],
+          not: Prisma.JsonNull,
+        }
+      },
+      orderBy: { updatedAt: 'desc' },
+      select: { configSnapshot: true }
+    })
+
+    if (recentAttempt?.configSnapshot) {
+      const snapshot = recentAttempt.configSnapshot as any
+      const lastCleanup = snapshot.orphanCleanupTime ? new Date(snapshot.orphanCleanupTime) : null
+      if (lastCleanup) {
+        const timeSince = Date.now() - lastCleanup.getTime()
+        if (timeSince < this.COOLDOWN_MS) {
+          return {
+            canProceed: false,
+            reason: `Database cooldown: ${Math.ceil((this.COOLDOWN_MS - timeSince)/1000)}s remaining`
          }
        }
      }
+    }

-      console.log(`   🚀 Proceeding with close attempt...`)
-      
-      // Record attempt time BEFORE calling closePosition
-      const attemptTime = Date.now()
-      this.recentCloseAttempts.set(mismatch.symbol, attemptTime)
-      
-      // BUG #82 FIX (Dec 10, 2025): DISABLE automatic retry close
-      // Problem: Can't distinguish OLD position (should close) from NEW position at same symbol (should NOT touch)
-      // Result: Closes ACTIVE trades when trying to clean up old database records
-      // User incident: 6 old closed trades (150-1064 min ago) all showed "15.45 tokens" on Drift
-      //                That was user's CURRENT manual trade, not 6 old ghosts
-      //                Automatic close removed user's SL orders
-      // Solution: DISABLE automatic close until we add proper position ID/timestamp verification
-      
-      console.warn(`⚠️ BUG #82 SAFETY: Automatic retry close DISABLED`)
-      console.warn(`   Would have closed ${mismatch.symbol} with 15.45 tokens`)
-      console.warn(`   But can't verify if it's OLD position or NEW active trade`)
-      console.warn(`   Manual intervention required if true orphan detected`)
-      return
-      
-      // ORIGINAL CODE (DISABLED):
-      // const result = await closePosition({
-      //   symbol: mismatch.symbol,
-      //   percentToClose: 100,
-      //   slippageTolerance: 0.05 // 5% slippage tolerance for market order
-      // })
-      //
-      // if (result.success) {
-      //   console.log(`   ✅ Close transaction confirmed: ${result.transactionSignature}`)
-      //   console.log(`   P&L: $${result.realizedPnL?.toFixed(2) || 0}`)
-      //   console.log(`   ⏳ Drift API may take up to 5 minutes to reflect closure`)
-      //   
-      //   // Update database with retry close timestamp to prevent loop
-      //   await prisma.trade.update({
-      //     where: { id: mismatch.tradeId },
-      //     data: {
-      //       exitOrderTx: result.transactionSignature || 'RETRY_CLOSE',
-      //       realizedPnL: result.realizedPnL || 0,
-      //       configSnapshot: {
-      //         ...trade?.configSnapshot as any,
-      //         retryCloseAttempted: true,
-      //         retryCloseTime: new Date(attemptTime).toISOString(),
-      //       }
-      //     }
-      //   })
-      //   
-      //   console.log(`   📝 Cooldown recorded: ${mismatch.symbol} → ${new Date(attemptTime).toISOString()}`)
-      // } else {
-      //   console.error(`   ❌ Failed to close ${mismatch.symbol}: ${result.error}`)
-      //   // Keep cooldown even on failure to prevent spam
-      // }
+    return { canProceed: true }
+  }
+
+  /**
+   * CRITICAL: Verify if Drift position is an old ghost or new active trade
+   * 
+   * Uses multiple verification methods:
+   * 1. Time-based: Position age vs DB exit time
+   * 2. Size-based: Position size vs DB recorded size
+   * 3. Grace period: Wait 10+ minutes after DB exit
+   * 4. Direction check: Must match DB direction
+   * 
+   * FAIL-OPEN BIAS: When verification is uncertain, assume position is active
+   */
+  private async verifyPositionIdentity(params: {
+    dbTrade: any
+    driftPosition: any
+    mismatch: DriftStateMismatch
+  }): Promise<{
+    isOldGhost: boolean
+    reason: string
+    details: Record<string, any>
+  }> {
+    const { dbTrade, driftPosition, mismatch } = params
+
+    // Grace period check: Has enough time passed since DB exit?
+    const GRACE_PERIOD_MS = 10 * 60 * 1000 // 10 minutes
+    const timeSinceExit = Date.now() - new Date(dbTrade.exitTime).getTime()
+    
+    if (timeSinceExit < GRACE_PERIOD_MS) {
+      return {
+        isOldGhost: false,
+        reason: 'GRACE_PERIOD_ACTIVE',
+        details: {
+          timeSinceExitMin: (timeSinceExit / 60000).toFixed(1),
+          gracePeriodMin: 10,
+          message: 'Too soon after exit - may still be propagating'
+        }
+      }
+    }
+
+    // Direction check: Must match
+    const driftDirection = driftPosition.side // 'long' | 'short' | 'none'
+    if (driftDirection !== dbTrade.direction) {
+      return {
+        isOldGhost: false,
+        reason: 'DIRECTION_MISMATCH',
+        details: {
+          dbDirection: dbTrade.direction,
+          driftDirection,
+          message: 'Different direction = definitely different position'
+        }
+      }
+    }
+
+    // Size check: Must be within 15% tolerance
+    // (Allows for partial fills, funding rate impacts, etc.)
+    const dbSizeTokens = dbTrade.positionSizeUSD / dbTrade.entryPrice
+    const driftSizeTokens = driftPosition.size
+    const sizeRatio = Math.abs(driftSizeTokens) / Math.abs(dbSizeTokens)
+    
+    if (sizeRatio < 0.85 || sizeRatio > 1.15) {
+      return {
+        isOldGhost: false,
+        reason: 'SIZE_MISMATCH',
+        details: {
+          dbSizeTokens: dbSizeTokens.toFixed(2),
+          driftSizeTokens: driftSizeTokens.toFixed(2),
+          sizeRatio: sizeRatio.toFixed(3),
+          tolerance: '0.85-1.15',
+          message: 'Size difference too large = likely different position'
+        }
+      }
+    }
+
+    // Position age estimation (best effort - no direct timestamp from SDK)
+    // We use entry price comparison as a proxy:
+    // - If Drift entry price significantly different from DB → likely new position
+    const priceDiffPercent = Math.abs(driftPosition.entryPrice - dbTrade.entryPrice) / dbTrade.entryPrice * 100
+    
+    if (priceDiffPercent > 2.0) {
+      return {
+        isOldGhost: false,
+        reason: 'ENTRY_PRICE_MISMATCH',
+        details: {
+          dbEntryPrice: dbTrade.entryPrice.toFixed(2),
+          driftEntryPrice: driftPosition.entryPrice.toFixed(2),
+          diffPercent: priceDiffPercent.toFixed(2),
+          message: 'Entry price difference >2% suggests different position'
+        }
+      }
+    }
+
+    // Check if there are any newer trades on this symbol in DB
+    const prisma = getPrismaClient()
+    const newerTrades = await prisma.trade.findMany({
+      where: {
+        symbol: dbTrade.symbol,
+        exitReason: null, // Open trades
+        createdAt: { gt: new Date(dbTrade.exitTime) }
+      },
+      select: { id: true, createdAt: true }
+    })
+
+    if (newerTrades.length > 0) {
+      return {
+        isOldGhost: false,
+        reason: 'NEWER_TRADE_EXISTS',
+        details: {
+          newerTradeCount: newerTrades.length,
+          newerTradeIds: newerTrades.map(t => t.id),
+          message: 'DB shows newer open position on this symbol - Drift position likely belongs to it'
+        }
+      }
+    }
+
+    // ALL CHECKS PASSED - This appears to be an old ghost
+    return {
+      isOldGhost: true,
+      reason: 'VERIFIED_OLD_GHOST',
+      details: {
+        timeSinceExitMin: (timeSinceExit / 60000).toFixed(1),
+        directionMatch: true,
+        sizeRatio: sizeRatio.toFixed(3),
+        entryPriceDiff: priceDiffPercent.toFixed(2) + '%',
+        noNewerTrades: true,
+        message: 'All verification checks passed - safe to close'
+      }
+    }
+  }
+
+  /**
+   * Log when we protect a position from accidental closure
+   */
+  private async logProtectedPosition(params: {
+    tradeId: string
+    symbol: string
+    reason: string
+    details: Record<string, any>
+  }): Promise<void> {
+    try {
+      const prisma = getPrismaClient()
+      await prisma.trade.update({
+        where: { id: params.tradeId },
+        data: {
+          configSnapshot: {
+            path: ['protectionEvents'],
+            arrayAppend: {
+              timestamp: new Date().toISOString(),
+              reason: params.reason,
+              details: params.details,
+              message: 'Position protected from accidental closure by Bug #82 fix'
+            }
+          }
+        }
+      }).catch(() => {
+        // Ignore errors updating protection log - not critical
+      })
    } catch (error) {
-      console.error(`   ❌ Error retrying close for ${mismatch.symbol}:`, error)
-      // On error, still record attempt time to prevent rapid retries
-      this.recentCloseAttempts.set(mismatch.symbol, Date.now())
+      // Silent failure - protection logging is supplementary
    }
  }