From 1eddb9173e0e6b3ff6bf4b9daf00616c315a7ac8 Mon Sep 17 00:00:00 2001 From: Henry Winkel Date: Sat, 16 May 2026 22:20:29 +0200 Subject: [PATCH] fix: update admin token check logic and improve comments for clarity feat: add condition to only delete manually added stocks from DB docs: clarify stock notes saving method and Alpaca mode indicator fetching chore: update binary database file
---
 app/lib/auth.server.ts | 6 ++++--
 app/routes/analyze.tsx | 1 +
 .../2026-05-16-settings-page-redesign.md | 4 ++--
 playwright-report/index.html | 2 +-
 prisma/dev.db | Bin 40960 -> 40960 bytes
 5 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/app/lib/auth.server.ts b/app/lib/auth.server.ts
index 418f890..e1e7066 100644
--- a/app/lib/auth.server.ts
+++ b/app/lib/auth.server.ts
@@ -1,6 +1,8 @@
 export async function requireAdmin(request: Request) {
- // Simple fallback: check x-admin-token header vs ADMIN_TOKEN
+ // If ADMIN_TOKEN is not set, allow access (dev mode)
+ if (!process.env.ADMIN_TOKEN) return;
+ // Otherwise check the x-admin-token header
 const token = request.headers.get('x-admin-token');
- if (process.env.ADMIN_TOKEN && token === process.env.ADMIN_TOKEN) return;
+ if (token === process.env.ADMIN_TOKEN) return;
 throw new Response('Unauthorized', { status: 401 });
 }
diff --git a/app/routes/analyze.tsx b/app/routes/analyze.tsx
index 3492c16..3b1dbe2 100644
--- a/app/routes/analyze.tsx
+++ b/app/routes/analyze.tsx
@@ -354,6 +354,7 @@ export default function Analyze() { const stock = stocks.find((s) => s.id === id); if (!stock) return; + // Only delete from DB if it was manually added (db- prefix), not Alpaca positions if (id.startsWith("db-")) { try { const formData = new FormData();
diff --git a/docs/superpowers/specs/2026-05-16-settings-page-redesign.md b/docs/superpowers/specs/2026-05-16-settings-page-redesign.md
index f6e3b80..b56110b 100644
--- a/docs/superpowers/specs/2026-05-16-settings-page-redesign.md
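Review bot: In `requireAdmin` (app/lib/auth.server.ts) the new early return `if (!process.env.ADMIN_TOKEN) return;` makes the admin check fail open: any deployment where ADMIN_TOKEN is missing or set to an empty string now treats every request as authorized, whereas the removed condition answered 401 in that case. Nothing in the hunk ties the bypass to a development environment, so I would gate it explicitly, for example `if (!process.env.ADMIN_TOKEN && process.env.NODE_ENV === 'development') return;`, which lets an unset token outside development fall through to the existing 401. Separately, `token === process.env.ADMIN_TOKEN` is not a constant-time comparison; comparing fixed-length digests of both values with `timingSafeEqual` from `node:crypto` would avoid leaking how much of the token matched through response timing.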
+++ b/docs/superpowers/specs/2026-05-16-settings-page-redesign.md
@@ -18,7 +18,7 @@ Replace the current bare-bones settings page (a flat list of JSON textareas) wit - `trading.stopLossPercent` - number - `trading.riskMethod` - string ("fixed" | "percentage" | "atr") - **Saves** via `PUT /api/admin/settings/:key` with optimistic UI update -- **Stock notes** saved via `POST /api/stocks` with ticker + notes +- **Stock notes** saved via `POST /api/stocks` with FormData: `{ ticker, notes }` - **Loading state** shown while initial fetch completes ### Layout
@@ -48,7 +48,7 @@ Replace the current bare-bones settings page (a flat list of JSON textareas) wit - Pagination if >20 stocks ### System -- Alpaca mode indicator (paper/live) - read-only, derived from env +- Alpaca mode indicator (paper/live) - read-only, fetched from `/api/alpaca/account` or derived from `ALPACA_BASE_URL` env var - Admin token management - Fallback JSON textarea for any raw `AppSetting` keys not covered above
diff --git a/playwright-report/index.html b/playwright-report/index.html
index 0a0ddc4..88098d3 100644
--- a/playwright-report/index.html
+++ b/playwright-report/index.html
@@ -87,4 +87,4 @@ Error generating stack: `+l.message+`
- \ No newline at end of file + \ No newline at end of file diff --git a/prisma/dev.db b/prisma/dev.db index fce1f88528c0942713be8b11ac336a77472a23ed..eb13a26dc8eb2995d5182b62d21c369d81022ddb 100644 GIT binary patch delta 1282 zcma)6O>7%Q6yD8dV-%WK_G!h$Lp~@WOrw~ zGwa|+!2tY!Jst{5y?SVtZjeAhxf+`_#pb`h(t`j%_5_8zq%=fRjHxr9o_rO)`^JdK&al5;FsyCZQ-eIi+x!V;Fiim69KiKCc# z6nA+F`b_rl{QG4KN1TOHoG#*5@D^**c$AvNyq|O<+c;)ovxqO!X5yvORA0meU_8Wv zUCBf{C7gtPCIt?_CTIsW<3^h>PzY-^q1O+3CK>105>FU8f2~0 zIJE$#U`9Y#h)D$D;0TB>8aq368FNt6f}Tmr0PFjC+@ZvmogVgx=s;_HE1zW_=>>lU zM6#>^IMHAs1q)>d6Oh@YLSjk1PRKm)C5Z%>n?JOqOZ<^XhiU{S68iJ9O*`7Xe7b$@ zm~TNw&?+M8Nl`Ry+i`27<|m71cc-+p$c@N`+fx0}J$YRz>Wvs$pKFaS=5 z=g(YL-&p?pM4SKfL|^{;uwcctoSIXpShdqc%Y)+(F61leGfUlM3q@>L0w<2uaCO0OC{5+I{IVUtXf}v zvpx=-W9ODvGBjOGFP}bmxbeiaj;<-_KKcm_(KYn>aOUiL=-iYxr}}J zoKv~6NqZYdF4^7(%8y45T6I)KQx}qL~a``&f$G%kl4s*?tV%e+_<@*>F)Kxy_<`F0;%Pc A_W%F@ delta 954 zcmY+CO>7fK6vx+gqR{3@ikgA~wK@f~iQ-F<)}>R`Mm@dI z_kyI#v=R|uC?rBN zQj{~jSoqY=eLrIWEpA|WN4AY{`7%u3u2slL=&S@|!h!sZl&-+HB%Q>X+<-zn>}jJ1Ya1HX3i;98D(aec8P0w) zSbG>Ku|nQ$G9=TF^J@A^usw6+eHyoIz|tiV@8xU8Wgu4C}O z70}gye~~97ozMo8-p(Bd*d)kc=MjXWBa9y27=c8@#0^#)&ug4?y@qYO_1T%(>a1J; za%6n|=ee0f&d9yLhUr?P;Z|+Wp7Gq8Q@5<#lm6FpKjbE}R(e*RYu71PoAtbcWm#_a zn(3RKIX$)Ce*F8{arUcKVCxop!(Om;w%*^n*kkGX!sG~5O{R-;2Sy7=3iG-2PwzlF zSooZ=*HpiqWB;&sY@2QO_r`seKE6_%+*O#!EiHVvlr>JA|KierbdGB~h4kH(Pj}_n zmc_Q%TWWg7`dg6$#e9*<^K8RnFWCl}-(~5>=7~>6Ud0BradYX_&Ck*|n@2tXOr|}I