Must fix before mainnet - 09-user-security-documentation

[konard]

Summary

Closes #314

This PR implements all acceptance criteria from Issue #314 — user-facing security documentation and safe defaults before mainnet launch.

Documentation (3 new files)

• docs/user-security-guide.md — Comprehensive step-by-step guide covering:

  • Simulation vs. Live Trading comparison table
  • 6-step pre-launch checklist (2FA, wallet verification, risk limits, etc.)
  • Risk disclosures summary
  • How platform data is collected and protected
  • Safe configuration recommendations
  • Ongoing monitoring guidance
  • Emergency procedures (how to stop an agent, account compromise response)

• docs/mainnet-readiness-checklist.md — 7-section checklist users must complete before enabling live trading:

  • Account security (Telegram 2FA, session review)
  • Wallet readiness (dedicated wallet, backup, test transaction)
  • Platform understanding (simulation mode, risk disclosures)
  • Simulation review (minimum 7-day run, trade history review)
  • Risk configuration (conservative initial settings)
  • Monitoring setup (notifications, daily check-in plan)
  • Final acknowledgment (explicit confirmation of all risks)

• docs/risk-disclosures.md — Legal risk disclosures covering:

  • No guarantee of profit
  • Risk of total loss
  • Cryptocurrency market risks (volatility, liquidity, manipulation)
  • Smart contract risk
  • Platform and technology risks
  • Authentication and account security risk
  • Regulatory risk (unregulated, no investor protection)
  • Limitation of liability

UI Changes (Telegram Mini App)

Simulation mode banner (index.html, styles.css):

• Prominent ⚠️ SIMULATION MODE — No real funds at risk banner at the top of the portfolio dashboard
• Banner updates to LIVE TRADING — Real funds in use when live mode is active
• One-tap "Switch to Live" / "Back to Simulation" button

Live trading confirmation modal (index.html, components/security.js, styles.css):

• Triggered when user taps "Switch to Live"
• Displays irreversibility warning
• Requires user to tick all 3 acknowledgment checkboxes before the confirm button becomes active:
  • I understand I may lose money, including my entire investment
  • I have verified my wallet address is correct
  • I have set appropriate risk limits and reviewed the security guide
• "Enable Live Trading" button is disabled until all boxes are checked

Risk warnings in onboarding (components/onboarding.js, styles.css):

• Added risk warning box to the agent creation confirm step listing 3 key risks
• Relabeled CTA button from "Start Agent" to "Start Agent in Simulation" to make the default mode clear
• Added note explaining simulation mode and link to security guide

New security component (components/security.js):

• Manages simulation/live trading state in localStorage
• Wires up all banner and modal interactions
• Dispatches tonai:live_trading_enabled and tonai:simulation_mode_enabled events for other components to react to mode changes

Test plan

• Open the Mini App — simulation mode banner is visible at the top of the portfolio page
• Tap "Switch to Live" — live trading modal opens with 3 unchecked boxes and a disabled confirm button
• Check all 3 boxes — confirm button becomes enabled
• Click "Enable Live Trading" — banner updates to show LIVE TRADING mode
• Tap "Back to Simulation" — confirmation dialog appears, accepting returns to simulation banner
• Complete onboarding as a new user — risk warning box is shown on the confirm step
• Verify the CTA reads "Start Agent in Simulation"
• Read docs/user-security-guide.md, docs/mainnet-readiness-checklist.md, docs/risk-disclosures.md

🤖 Generated with Claude Code

[konard]

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

• Public pricing estimate: $1.399084
• Calculated by Anthropic: $1.399084 USD
• Difference: $0.000000 (0.00%)

📊 Context and tokens usage:

• Context window: 79.2K / 1M (8%) input tokens, 18.7K / 64K (29%) output tokens

Total: (81.1K + 2.7M cached) input tokens, 18.7K output tokens, $1.399084 cost

🤖 Models used:

• Tool: Anthropic Claude Code
• Requested: sonnet
• Model: Claude Sonnet 4.6 (claude-sonnet-4-6)

📎 Log file uploaded as Gist (1309KB)

• View complete solution draft log

---

Now working session is ended, feel free to review and add any feedback on the solution draft.

[konard]

✅ Ready to merge

This pull request is now ready to be merged:

• All CI checks have passed
• No merge conflicts
• No pending changes

---

Monitored by hive-mind with --auto-restart-until-mergeable flag