Add auth and LLM key management

.env.example

@@ -21,10 +21,23 @@ REDIS_URL=redis://localhost:6379/0
 REDIS_MAX_CONNECTIONS=10
 
 # ===================
-# Security
+# Authentication
 # ===================
-# Network-based security: API is only accessible from internal Docker network
-# No API keys required - all external requests are rejected at network level
+# AUTH_MODE: none (dev), psk (Docker Compose), jwt (portable/production)
+AUTH_MODE=none
+
+# PSK Mode: Pre-shared key tokens (one per scope)
+# Each token grants access to specific API operations
+# AUTH_TOKEN_SUBMIT=your-submit-token-here    # Scope: lens:submit
+# AUTH_TOKEN_READ=your-read-token-here        # Scope: lens:read
+# AUTH_TOKEN_ADMIN=your-admin-token-here      # Scope: lens:admin (includes all)
+
+# JWT Mode: Validate JWT tokens with external identity provider
+# AUTH_JWT_PUBLIC_KEY=-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----
+# AUTH_JWT_JWKS_URL=https://your-idp.com/.well-known/jwks.json
+# AUTH_JWT_ISSUER=https://your-idp.com
+# AUTH_JWT_AUDIENCE=lens-api
+# AUTH_JWT_SCOPE_CLAIM=scope
 
 # ===================
 # Rate Limiting
@@ -71,47 +84,10 @@ HYPERLIQUID_WS_URL=wss://api.hyperliquid.xyz/ws
 # ===================
 # AI Models
 # ===================
-# Comma-separated list of enabled models (chatgpt, gemini, claude, deepseek)
-AI_MODELS=chatgpt,gemini,claude,deepseek
-
-# REQUIRED: Must explicitly choose AI mode - no default to prevent accidents
 # Set to true for production to use real AI models
 # Set to false for development/testing (returns deterministic stub decisions)
-# Application will fail to start if not explicitly set
 USE_REAL_AI=false
 
-# ChatGPT Configuration
-MODEL_CHATGPT_PROVIDER=openai
-MODEL_CHATGPT_API_KEY=
-MODEL_CHATGPT_MODEL_ID=gpt-4o
-MODEL_CHATGPT_TIMEOUT_MS=30000
-MODEL_CHATGPT_MAX_TOKENS=1000
-MODEL_CHATGPT_PROMPT_PATH=prompts/chatgpt_wrapper_v1.md
-
-# Gemini Configuration
-MODEL_GEMINI_PROVIDER=google
-MODEL_GEMINI_API_KEY=
-MODEL_GEMINI_MODEL_ID=gemini-1.5-pro
-MODEL_GEMINI_TIMEOUT_MS=30000
-MODEL_GEMINI_MAX_TOKENS=1000
-MODEL_GEMINI_PROMPT_PATH=prompts/gemini_wrapper_v1.md
-
-# Claude Configuration
-MODEL_CLAUDE_PROVIDER=anthropic
-MODEL_CLAUDE_API_KEY=
-MODEL_CLAUDE_MODEL_ID=claude-sonnet-4-20250514
-MODEL_CLAUDE_TIMEOUT_MS=30000
-MODEL_CLAUDE_MAX_TOKENS=1000
-MODEL_CLAUDE_PROMPT_PATH=prompts/claude_wrapper_v1.md
-
-# DeepSeek Configuration
-MODEL_DEEPSEEK_PROVIDER=deepseek
-MODEL_DEEPSEEK_API_KEY=
-MODEL_DEEPSEEK_MODEL_ID=deepseek-chat
-MODEL_DEEPSEEK_TIMEOUT_MS=30000
-MODEL_DEEPSEEK_MAX_TOKENS=1000
-MODEL_DEEPSEEK_PROMPT_PATH=prompts/deepseek_wrapper_v1.md
-
 # ===================
 # WebSocket
 # ===================

README.md

@@ -18,22 +18,65 @@ SigmaPilot Lens analyzes trading signals in real-time using multiple AI models a
 - **Multi-Model AI Consensus** — Get perspectives from 4 different AI providers simultaneously
 - **Real-Time Enrichment** — Live market data from Hyperliquid with TA indicators
 - **Signal Validation** — Automatic rejection of stale or price-drifted signals
+- **Runtime Configuration** — Manage LLM API keys and AI prompts via API without restarts
 - **Production Ready** — Load tested, observable, with comprehensive failure handling
 
 ## Quick Start
 
 ```bash
 # Setup
 cp .env.example .env
-# Add your AI API keys to .env
+# Edit .env: set AUTH_MODE and configure tokens
 
 # Run
 make build && make up && make migrate
 
+# Configure AI models via API (requires admin token)
+curl -X PUT http://localhost:8000/api/v1/llm-configs/chatgpt \
+  -H "Authorization: Bearer <your-admin-token>" \
+  -H "Content-Type: application/json" \
+  -d '{"api_key": "sk-...", "enabled": true}'
+
 # Verify
 make health
 ```
 
+## Authentication
+
+SigmaPilot Lens supports 3 authentication modes:
+
+| Mode | Use Case | Configuration |
+|------|----------|---------------|
+| `none` | Development | No auth required |
+| `psk` | Docker Compose | Pre-shared key tokens |
+| `jwt` | Production | External identity provider |
+
+### Scopes
+
+| Scope | Access |
+|-------|--------|
+| `lens:submit` | Submit signals |
+| `lens:read` | Read events, decisions, DLQ |
+| `lens:admin` | Admin operations (LLM configs, prompts, DLQ retry) + all above |
+
+### PSK Mode Example
+
+```bash
+# .env
+AUTH_MODE=psk
+AUTH_TOKEN_SUBMIT=<generate-with-secrets.token_urlsafe(32)>
+AUTH_TOKEN_READ=<generate-with-secrets.token_urlsafe(32)>
+AUTH_TOKEN_ADMIN=<generate-with-secrets.token_urlsafe(32)>
+
+# Usage
+curl -X POST http://localhost:8000/api/v1/signals \
+  -H "Authorization: Bearer <submit-token>" \
+  -H "Content-Type: application/json" \
+  -d '{"symbol": "BTC-PERP", ...}'
+```
+
+See [Configuration Guide](docs/configuration.md#authentication) for full details.
+
 ## Documentation
 
 | Guide | Description |

config/feature_profiles.yaml

@@ -1,5 +1,16 @@
 # Feature Profile Configuration
 # Defines what market data and technical indicators to compute for each profile
+#
+# Available indicators:
+#   - ema: Exponential Moving Average (periods: list of integers)
+#   - sma: Simple Moving Average (periods: list of integers)
+#   - macd: Moving Average Convergence Divergence (fast, slow, signal)
+#   - rsi: Relative Strength Index (period)
+#   - atr: Average True Range (period)
+#   - bollinger: Bollinger Bands (period, std_dev) - includes BBW and rating
+#   - adx: Average Directional Index (period) - trend strength
+#   - stochastic: Stochastic Oscillator (k_period, d_period)
+#   - volume: Volume metrics (includes current volume and SMA20)
 
 trend_follow_v1:
   description: "Minimal trend-following indicators"
@@ -11,6 +22,9 @@ trend_follow_v1:
     - name: ema
       params:
         periods: [9, 21, 50]
+    - name: sma
+      params:
+        periods: [20]
     - name: macd
       params:
         fast: 12
@@ -22,6 +36,18 @@ trend_follow_v1:
     - name: atr
       params:
         period: 14
+    - name: bollinger
+      params:
+        period: 20
+        std_dev: 2.0
+    - name: adx
+      params:
+        period: 14
+    - name: stochastic
+      params:
+        k_period: 14
+        d_period: 3
+    - name: volume
   market_data:
     - mid_price
     - spread_bps

docker-compose.yml

@@ -16,6 +16,16 @@ services:
       - LOG_FORMAT=json
       - RATE_LIMIT_PER_MIN=${RATE_LIMIT_PER_MIN:-60}
       - RATE_LIMIT_BURST=${RATE_LIMIT_BURST:-120}
+      # Authentication
+      - AUTH_MODE=${AUTH_MODE:-none}
+      - AUTH_TOKEN_SUBMIT=${AUTH_TOKEN_SUBMIT:-}
+      - AUTH_TOKEN_READ=${AUTH_TOKEN_READ:-}
+      - AUTH_TOKEN_ADMIN=${AUTH_TOKEN_ADMIN:-}
+      - AUTH_JWT_PUBLIC_KEY=${AUTH_JWT_PUBLIC_KEY:-}
+      - AUTH_JWT_JWKS_URL=${AUTH_JWT_JWKS_URL:-}
+      - AUTH_JWT_ISSUER=${AUTH_JWT_ISSUER:-}
+      - AUTH_JWT_AUDIENCE=${AUTH_JWT_AUDIENCE:-}
+      - AUTH_JWT_SCOPE_CLAIM=${AUTH_JWT_SCOPE_CLAIM:-scope}
     depends_on:
       redis:
         condition: service_healthy