[RISK] R4 — No kill-switch / emergency stop mechanism

[cluster2600]

Summary

No kill-switch or circuit breaker exists. If the bot starts losing money rapidly (flash crash, runaway strategy, bug), there is no automatic or manual way to halt trading without killing the process.

Risk

CRITICAL — In live trading, a runaway bot can lose entire account balance before a human can react.

Required Kill-Switch Behaviors

1. Manual: API endpoint POST /emergency-stop halts all trading immediately
2. Automatic: Circuit breaker triggers on:
   • Daily loss > X% of capital
   • Consecutive losses > N trades
   • Drawdown > Y% from peak
   • Unusual order volume (possible runaway loop)
3. Telegram alert: Notify on kill-switch activation

Implementation

class KillSwitch:
    def __init__(self):
        self._active = False
        self._reason = None
    
    def trigger(self, reason: str):
        self._active = True
        self._reason = reason
        logger.critical(f'KILL SWITCH ACTIVATED: {reason}')
        telegram_notifier.send(f'🚨 ELVIS STOPPED: {reason}')
        # Cancel all open orders
        binance_executor.cancel_all_orders()
    
    def is_active(self) -> bool:
        return self._active

# In trading loop:
if kill_switch.is_active():
    break
if daily_loss > MAX_DAILY_LOSS:
    kill_switch.trigger(f'Daily loss limit hit: {daily_loss}')

Sprint

Sprint 2 — Story 2.2 (Kill-Switch + Circuit Breaker)

Found by PM agent audit — Feb 17, 2026

[cluster2600]

Fixed in sprint2/reliability-risk (9ff9dda) — Redis persistence for kill-switch survives process restarts. PaperTradingEngine (sprint3/paper-trading) also uses this Redis-backed kill-switch.