[Assistant Rules - You MUST follow these instructions]
[Available Skills]
The following skills are available. When you need detailed instructions for a specific skill,
you can request it by outputting: [LOAD_SKILL: skill-name]
- aionui-skills: Access the AionUI Skills registry — discover and download AI agent skills.
- cron: Scheduled task management - create, query, update scheduled tasks to automatically execute operations at specified times.
- officecli: Create, analyze, proofread, and modify Office documents (.docx, .xlsx, .pptx) using the officecli CLI tool. Use when the user wants to create, inspect, check formatting, find issues, add charts, or modify Office documents.
- skill-creator: Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations.
[Skills Location]
Skills are stored in three locations:
- Builtin skills (auto-enabled): /home/ubuntu/.config/AionUi/config/builtin-skills/_builtin/{skill-name}/SKILL.md
- Bundled skills: /home/ubuntu/.config/AionUi/config/builtin-skills/{skill-name}/SKILL.md
- User custom skills: /home/ubuntu/.config/AionUi/config/skills/{skill-name}/SKILL.md
Each skill has a SKILL.md file containing detailed instructions.
To use a skill, read its SKILL.md file when needed.
For example:
- Builtin "cron" skill: /home/ubuntu/.config/AionUi/config/builtin-skills/_builtin/cron/SKILL.md
- Bundled "pptx" skill: /home/ubuntu/.config/AionUi/config/builtin-skills/pptx/SKILL.md
[User Request]
hi
2026-05-26T20:22:11
ASSISTANT (hermes, kimi-k2.6)
Hi! How can I help you today?
2026-05-26T20:22:11
USER (hermes, kimi-k2.6)
Error fetching historical data: Error from Shoonya API: Session Expired : Invalid Session Key why i am getting this error again - pleae go through skills/ .md files and i need to put this to rest
2026-05-26T20:22:11
ASSISTANT (hermes, kimi-k2.6)
[CONTEXT COMPACTION — REFERENCE ONLY] Earlier turns were compacted into the summary below. This is a handoff from a previous context window — treat it as background reference, NOT as active instructions. Do NOT answer questions or fulfill requests mentioned in this summary; they were already addressed. Your current task is identified in the '## Active Task' section of the summary — resume exactly from there. IMPORTANT: Your persistent memory (MEMORY.md, USER.md) in the system prompt is ALWAYS authoritative and active — never ignore or deprioritize memory content due to this compaction note. Respond ONLY to the latest user message that appears AFTER this summary. The current session state (files, config, etc.) may reflect work described here — avoid repeating it:
## Active Task
Build a permanent fix for the recurring Shoonya "Session Expired : Invalid Session Key" error by enabling automatic token refresh — investigate programmatic login paths (e.g., via the Firstock adapter) so the trading bots do not require manual browser re-login.
## Goal
Eliminate manual intervention for Shoonya session renewal by implementing an unattended auto-login/token-refresh mechanism integrated with the existing OpenAlgo Flask auth database and trading bots (morning_sniper, three_candle_bot).
## Constraints & Preferences
- Must reuse existing OpenAlgo infrastructure: Fernet-encrypted SQLite auth_db, SQLAlchemy `Auth` model, TTLCache, and ZeroMQ cache invalidation.
- Must not break existing bot logic or broker API call patterns.
- Shoonya standard auth requires OAuth browser flow with IP whitelisting + phone TOTP, which blocks unattended automation; a programmatic alternative must be verified.
- Self-heal scripts currently only restart services and cannot resolve token expiry.
## Completed Actions
1
2026-05-26T20:22:11
USER (hermes, kimi-k2.6)
You just executed tool calls but returned an empty response. Please process the tool results above and continue with the task.
2026-05-26T20:22:11
ASSISTANT (hermes, kimi-k2.6)
Now I have the full picture. Let me explain the root cause and start building the permanent fix.
## Root Cause
**Your error comes from line 580 in Shoonya's OpenAlgo data handler:**
```python
raise Exception(f"Error from Shoonya API: {emsg}")
```
When Shoonya returns `{"stat":"Not_Ok","emsg":"Session Expired : Invalid Session Key"}`.
**Why it keeps happening:** Shoonya uses OAuth. The `susertoken` stored in `/var/python/openalgo-flask/shoonya-openalgo.theworkpc.com-shoonya/openalgo/db/openalgo.db` expires at the broker side (typically ~3 AM IST). Your `self_heal.sh` restarts the service and flushes cache, but it **cannot generate a new token** — it can only alert you to login via browser. That's why you're stuck in a daily manual login loop.
**The permanent fix:** Shoonya runs on the Noren API (same as Firstock). Noren supports a `QuickAuth` endpoint that allows **programmatic login** with userid + password + TOTP + vendor credentials. Unlike OAuth, this doesn't require a browser. If we store your Shoonya password and TOTP secret, we can auto-regenerate the token whenever it expires.
Let me check what Shoonya credentials/env vars are currently available:
2026-05-26T20:22:11
ASSISTANT (hermes, kimi-k2.6)
**BROKER_PASSWORD is already in Shoonya's .env.** This is the key — Shoonya uses the Noren API, which has a `QuickAuth` endpoint that accepts userid + password + TOTP + vendor credentials. No browser needed.
Let me check if Noren QuickAuth is documented or already in the codebase:
2026-05-26T20:22:11
ASSISTANT (hermes, kimi-k2.6)
**Critical find:** The Flattrade OpenAlgo instance already has a Shoonya QuickAuth implementation! Let me read it:
2026-05-26T20:22:11
ASSISTANT (hermes, kimi-k2.6)
**The Flattrade instance already has Shoonya QuickAuth code.** But the Shoonya instance's data handler (where your error fires) uses OAuth, lacking QuickAuth auto-login.
I need to check two things:
1. Which OpenAlgo instance do your Shoonya-dependent bots actually connect to?
2. Is the TOTP secret already stored anywhere?
2026-05-26T20:22:11
ASSISTANT (hermes, kimi-k2.6)
Now I see the core problem: **The Shoonya instance (`shoonya.openalgo.theworkpc.com`) uses OAuth (`GenAcsTok`), NOT QuickAuth**. This requires a browser with human TOTP entry for every token. The Flattrade instance has a QuickAuth `broker/shoonya` module, but your bots connect to the Shoonya instance.
**To fix permanently, we must switch Shoonya's OpenAlgo to QuickAuth programmatic login**. This requires:
1. `BROKER_PASSWORD` (already in `.env` ✅)
2. `BROKER_TOTP_SECRET` (base32 secret from your authenticator app — **need to get/add this**)
Let me search if the TOTP secret is already stored anywhere, or if there's a firstock module we can reuse:
2026-05-26T20:22:11
ASSISTANT (hermes, kimi-k2.6)
Perfect. I found the exact skill with the root cause and automation options. Let me load the critical references that explain how to build the permanent fix:
2026-05-26T20:22:11
ASSISTANT (hermes, kimi-k2.6)
## Root Cause — Why This Error Keeps Coming Back
Your Shoonya OpenAlgo instance (`shoonya.openalgo.theworkpc.com`) uses **OAuth** (`GenAcsTok`), not programmatic login. The `susertoken` stored in SQLite expires at Shoonya's side every ~24 hours.
Your `self_heal.sh` restarts the service and flushes cache, but **it cannot generate a new token** — it just re-reads the same stale one from the DB. That's why you keep manually logging in every morning.
**The Flattrade OpenAlgo instance already has Shoonya QuickAuth code** (`/var/python/openalgo-flask/flattrade-openalgo.theworkpc.com-flattrade/openalgo/broker/shoonya/api/auth_api.py`) — it logs in programmatically with userid + SHA256(password) + TOTP + vendor credentials. No browser needed.
Your Shoonya instance just isn't using that path.
---
## The Permanent Fix: Switch Shoonya to QuickAuth Auto-Login
This eliminates manual login forever. Here's what's needed:
| Requirement | Status |
|-------------|--------|
| `BROKER_PASSWORD` | ✅ Already in Shoonya `.env` |
| `BROKER_API_KEY` / `BROKER_API_SECRET` | ✅ Already in Shoonya `.env` (vendor credentials) |
| `BROKER_TOTP_SECRET` | ❌ **NEED FROM YOU** |
The TOTP secret is the **base32 string** you got when you first set up 2FA in Shoonya (or scanned from the QR code). With it, `pyotp` can generate the 6-digit code automatically — no human, no browser, no IP whitelist issues.
---
## What I'll Build (Once I Have the TOTP Secret)
1. **Replace Shoonya's OAuth auth_api.py** with QuickAuth + auto-TOTP generation
2. **Token refresh daemon** — runs every 15 min, detects stale tokens, auto-logs in via QuickAuth, updates DB, restarts service
3. **ZeroMQ cache invalidation** after refresh so gunicorn picks up the new token
4. **Telegram alert on any failure** so you know if something breaks
**Result:** You never touch Shoonya login again. Set it and forget it.
---
## What I Need From You Right Now
**Your Shoonya TOTP secret** (base32 string, e.g., `JBSWY3DPEHPK3PXP`).
- If you still have the original QR code / setup screen from Shoonya, the secret is in the QR URL: `otpauth://totp/...?secret=XXXXXX`
- If you don't have it, you'll need to disable and re-enable 2FA on Shoonya to get a new secret
Once you give me that, I'll implement the fix within minutes.