DEV Community: Michael Piscitelli

I Forged a Hyper-aware, Autonomous AI Crypto Trader with full control (And It Has Better Risk Management Than I Do)

Michael Piscitelli — Wed, 08 Apr 2026 23:04:05 +0000

The crypto markets are a dark, unforgiving place. It's a realm of endless, 24/7 chaos where traditional algorithmic trading bots march blindly to their slaughter. You write a Python script, hook up some moving average crossovers, and watch your portfolio slowly bleed out like a foot soldier caught in the vanguard.

Traditional bots are rigid. They don't understand context. They don't know that a falling Taker Buy/Sell ratio matters more right now than a lagging MACD, or that Extreme Fear on Reddit combined with an oversold StochRSI is a contrarian powder keg waiting to ignite.

I needed to forge something stronger. Coming from the trenches of hardware design and telecom engineering, you learn a fundamental truth about complex systems: surviving the chaos requires dynamic reasoning, not just hardcoded rules.

So, I built an autonomous trading engine. I handed the keys over to Claude, gave it a $10k paper-trading portfolio to start, and fed it a firehose of real-time market data.

Here is a look under the hood of how you force an LLM to stop acting like a helpful chatbot and start acting like a ruthless, calculated machine.

The Brain: One Prompt to Bind Them

You can't just ask an LLM, "Should I buy Bitcoin?" That is like asking a goblin to guard your gold—it will hallucinate, hedge, and give you useless financial disclaimers. You have to box it in. You have to build an ironclad cognitive framework.

My system prompt doesn't ask for opinions. It dictates a strict Signal Hierarchy for 1-hour directional predictions. I force the model to weigh inputs in a very specific order:

LEADING (Immediate momentum): Taker buy/sell ratio, Volume Delta (CVD), Orderbook imbalance. The front lines of the battle.
CONFIRMING (Validation): Multi-TF trend alignment (1H/4H/1D), VWAP distance, RSI.
STRUCTURAL (Risk mapping): Pivot Points, EMA stacks. The walls of the fortress.
REVERSAL (The Overrides): 4H RSI Divergence, extreme funding rates.

If it wants to short a structurally long market like crypto, I require it to provide at least two heavy bearish indicators (e.g., taker ratio <0.85 + bearish divergence). It must prove its case.

The Nervous System: The All-Seeing Eye

An LLM is only as good as its context window. To make this work, the backend acts as an all-seeing eye, aggregating an absurd amount of data every hour. We aren't just looking at Binance price action.

The bot ingests:

Derivatives Flow: Bybit/Coinglass funding rates, Open Interest, Long/Short ratios.
Technicals: 1H/4H/1D MACD, ADX, StochRSI, Bollinger Band widths.
On-Chain & Sentiment: ClankApp Whale activity, Fear & Greed index, DXY/SP500 macro scores.

Latency is the enemy. If you are trading 1-hour momentum, you need sub-second aggregation across 7+ APIs. The data must be fresh, or the decisions are already dead.

The Secret Weapon: Guarding the Hoard

Here is where 99% of AI trading projects fail: they treat every trade in a vacuum.

My bot is fully aware of its own wallet. I inject the PORTFOLIO STATE directly into the prompt. It knows exactly how much capital it has, its current win rate, and the exact P&L of open positions. It guards the hoard.

PORTFOLIO AWARENESS

Total Portfolio Value: $11,367.55 USDT

Available Balance: $8,764.57 USDT (77.1% cash)

Open Position: #1 BTC/USDT (22.9% of portfolio, currently +3.89% P&L)

I gave it strict exposure rules. If a position is profitable >20%, it must lock in gains. If the portfolio is >70% exposed, it has to minimize new entries.

The Crucible: Holding the Line

This is the fascinating part. The other day, BTC was sitting at $71,168. The trend was up. Traditional bots would have likely sounded the horns and slammed the "BUY" button because the price was above the VWAP and the daily MACD was glowing green.

But Claude saw something else in the shadows. It outputted its required JSON reasoning:

{
  "step_analysis": {
    "flow": "BEARISH LEADING SIGNALS: Taker ratio 0.819 (<0.9 = sell pressure), CVD falling (sellers dominating). Leading indicators conflict with uptrend - suggests pullback in progress.",
    "momentum": "CRITICAL: 1H bearish RSI divergence detected - reversal warning but not on 4H.",
    "context": "Funding 0.0056% healthy. Fear index 17 = EXTREME FEAR (strong contrarian buy). Whale activity extreme at $2.3B."
  },
  "prediction": "up",
  "confidence": 54,
  "signal_strength": "neutral_long",
  "reasoning": "Uptrend intact but short-term flow is bearish. Low confidence due to conflicting leading indicators. Already hold 22.9% BTC at +3.89% profit - no need to add with mixed signals. Hold existing position.",
  "position_action": null
}

It decided to do nothing. It recognized the bullish structure but saw the leading bearish flow (falling CVD, low taker ratio). More importantly, it looked at its portfolio, saw it already had 22% exposure in a profitable position, and decided the risk/reward wasn't there to throw more capital into the fray.

That level of restraint—choosing to HOLD the line in the face of conflicting data—is something most human traders take years and thousands of dollars in liquidations to learn.

The Execution: Raising the Shield Wall

But here is the kicker: deciding to "HOLD" doesn't mean the system is sleeping. It means it switches from acquisition mode to defense mode.

While it declined to allocate new capital, the engine autonomously calculated and placed a protective shield wall around the existing position, dispatching these simulated orders to the exchange:

Pair	Type	Price	Quantity (BTC)	Exchange	Status	Total Value
BTC/USDT	STOP LOSS	$69,016.99	0.018874	phemex	Simulated	$1,302.62 USDT
BTC/USDT	SELL LIMIT	$72,019.58	0.018874	phemex	Simulated	$1,359.29 USDT

Notice the mechanical precision. It didn't just throw a blind 5% stop loss into the void. It dynamically placed the stop at $69,016—safely tucked beneath the 4H EMA50 ($68,673) and the S1 pivot to avoid getting wicked out by localized volatility. Simultaneously, it set a limit sell above to automatically lock in partial gains if the RSI divergence resolved in a quick liquidity grab.

An LLM dynamically building an OCO (One-Cancels-the-Other) bracket based on real-time market structure.

The Road Goes Ever On

We are moving past the era of LLMs as simple code-assistants and entering the era of LLMs as autonomous execution engines. When you give an AI structured rules, massive context, and the ability to execute API calls, the results are slightly terrifying and deeply inspiring.

I'm continuing to refine the Herakles architecture, tweaking the weights, and hunting for more alpha in the data streams. The journey is far from over. I will start tracking and storing all the data to find an edge in historical analysis on this scale. Hourly snapshots of the big picture. Plotted together vs Price action.

Engine: Octobot (opensource, forked and expanded), Claude Sonnet/Opus 4.6 (cli execution with tmux)

I'm curious for the devs out there building high stakes agentic workflows:

How are you prompting your trading bots? What data informs the decisions? Does it give a simple Up/Down response?
How much data is too much, creating noise?

Let's discuss in the comments.

Please repost if you've made it this far!

see my other work, https://github.com/herakles-dev

My Claude Code agents don't trust each other — and that's the entire security model

Michael Piscitelli — Tue, 31 Mar 2026 05:33:31 +0000

Open-sourcing a private project should be simple: push to a public repo and write a README. In practice, it's terrifying.

GitGuardian's 2026 report found 29 million secrets leaked on GitHub last year, and AI-assisted commits leak credentials at 2x the baseline rate. Every .env file, every hardcoded API key, every internal domain reference, every docker-compose.yml with a plaintext database password — one careless git push away from being public.

I kept running into this every time I wanted to open-source something I'd built with Claude Code. The manual process — grep for secrets, replace internal references, check git history, write docs — was tedious, error-prone, and exactly the kind of thing that should be automated.

So I built 3 Claude Code agents that do it.

herakles-dev / opensource-pipeline

Safely open-source any project with Claude Code. 3-agent pipeline that strips secrets, verifies sanitization, and generates professional docs. Just say /opensource fork my-project.

opensource-pipeline

Safely open-source any project with Claude Code. A 3-agent pipeline that strips secrets, verifies sanitization, and generates professional documentation — so you can go from private repo to public GitHub in minutes.

Why

Open-sourcing a project is scary. Did you catch every API key? Every hardcoded password? Every internal domain reference? Every .env file?

This pipeline automates the boring, error-prone parts:

Forker agent strips secrets, replaces internal references, generates .env.example
Sanitizer agent independently audits the fork with 30+ detection patterns (secrets, PII, internal refs, dangerous files, git history)
Packager agent generates CLAUDE.md, setup.sh, README.md, LICENSE, CONTRIBUTING.md, and GitHub issue templates

The sanitizer is paranoid by design — false positives are acceptable, false negatives are not.

Quick Start

git clone https://github.com/herakles-dev/opensource-pipeline.git
cd opensource-pipeline
./setup.sh

That's it. The installer copies the skill and agents into your ~/.claude/ directory.

Then open Claude Code in any project:

cd

…

View on GitHub

How it works

One command:

/opensource fork my-project

Behind the scenes, 3 agents chain together in sequence. Each is a markdown file — no runtime, no dependencies, no Docker. Claude Code reads the instructions and follows the protocol.

Stage 1: The Forker

Copies your project, then hunts for secrets using 20 regex patterns:

AWS credentials (AKIA*, aws_secret_access_key)
GitHub tokens (ghp_*, ghs_*, github_pat_*)
Google OAuth (GOCSPX-*)
JWT tokens (eyJ*)
Private keys (-----BEGIN RSA PRIVATE KEY-----)
Database connection strings (postgres, mysql, mongodb, redis URLs with credentials)
Slack webhooks, SendGrid keys, Mailgun keys
High-entropy strings in config files

Every secret found gets extracted to a .env.example with a placeholder. Internal references — your domains, absolute paths, IP addresses, Docker network names, usernames — are replaced with configurable placeholders.

The forker never removes functionality. It parameterizes everything so the project still runs after someone does cp .env.example .env and fills in their values.

Stage 2: The Sanitizer

This is where the design gets interesting.

The sanitizer doesn't trust the forker. It's a completely independent, read-only auditor that re-scans the entire fork from scratch across 6 categories:

Category	Severity	What it checks
Secrets	CRITICAL	All 20 regex patterns, re-applied independently
PII	CRITICAL	Personal emails, phone numbers, private IPs, SSH strings
Internal references	CRITICAL	Custom domains, home directory paths, secret file refs
Dangerous files	CRITICAL	`.env`, `.pem`, `.key`, `credentials.json`, session state
Config completeness	WARNING	Every env var in code has a matching `.env.example` entry
Git history	CRITICAL	Secrets in past commits, clean single-commit history

A single critical finding blocks release. The verdict is PASS, FAIL, or PASS WITH WARNINGS — no grey area.

The sanitizer can report. It cannot fix. That separation of concerns is intentional. If the forker and sanitizer were the same agent, it would silently "fix" things it found — and you'd never know what it missed because it was also the one checking.

Stage 3: The Packager

Detects your tech stack (package.json, requirements.txt, Cargo.toml, go.mod, docker-compose.yml) and generates:

CLAUDE.md — so anyone who clones your repo and opens Claude Code can be productive immediately. Commands, architecture, key files, configuration — the operator's manual for Claude.
setup.sh — one-command bootstrap. Checks prerequisites, copies .env.example, installs dependencies.
README.md — features, quick start, prerequisites, Docker instructions, "Using with Claude Code" section.
LICENSE, CONTRIBUTING.md, GitHub issue templates

The architecture is 4 markdown files

skills/opensource/SKILL.md     # Orchestrator — routes commands, chains agents
agents/opensource-forker.md    # Stage 1: Copy, strip, replace, .env.example
agents/opensource-sanitizer.md # Stage 2: Independent read-only audit
agents/opensource-packager.md  # Stage 3: Generate CLAUDE.md, setup.sh, README

Total: 1,506 lines. No package.json. No requirements.txt. No build step. Each agent is a .md file with YAML frontmatter (name, description, model) and a body of natural language instructions that Claude Code follows.

The "code" is English.

Installation

git clone https://github.com/herakles-dev/opensource-pipeline.git
cd opensource-pipeline
./setup.sh    # Copies 4 files into ~/.claude/

Then open Claude Code in any project:

cd ~/my-private-project
claude
# Say: /opensource fork my-project

You can also say "open source this project" or "make this public" — the skill triggers on natural language too.

The adversarial review

Before publishing this repo, I ran 3 review agents against it in parallel:

Sanitizer audit — scanned for any leaked secrets, PII, internal references
Independence review — checked if the project works on a fresh machine with zero knowledge of my platform
Functional simulation — traced the entire setup.sh and skill execution flow as a new user

They found 12 issues: platform-specific metadata in agent frontmatter, a path resolution bug, missing rsync check in setup.sh, personal name in git commit author. All fixed before push.

The pipeline open-sourced itself.

What I learned

1. Agents are just markdown.

This was the biggest revelation. 1,506 lines across 4 files. No packages, no runtime, no build. Claude Code reads the markdown and follows the protocol. If you can write clear instructions for a human, you can write an agent.

The YAML frontmatter is 4 lines:

---
name: opensource-sanitizer
description: "Verify open-source fork is fully sanitized..."
model: sonnet
color: red
---

Everything below it is the agent's brain — written in plain English.

2. Zero trust between agents is worth the redundancy.

The sanitizer re-does the forker's work. In a traditional system, that's waste. In a security-critical pipeline, it's the feature. The forker's job is to transform. The sanitizer's job is to verify. If one agent does both, you've created a system that can silently paper over its own mistakes.

3. The paranoid option is the right default.

We tuned every detection threshold toward false positives. The sanitizer flags anything that looks remotely suspicious. A false positive is an annoying warning you dismiss. A false negative is a secret on GitHub. The asymmetry is extreme — always choose paranoia.

4. CLAUDE.md is the highest-leverage file in any repo.

Not README (that's for humans browsing GitHub). Not .env.example (that's for configuration). CLAUDE.md is the file that makes Claude Code productive in your project immediately. The packager generates one automatically, and it's often the single most useful artifact from the pipeline.

Contributing

The repo has 5 open issues tagged "good first issue":

Add detection patterns for Azure, GCP, Stripe, OpenAI, Anthropic API keys
Add Rust, Go, Java/Kotlin stack detection to the packager
Monorepo support
GitHub Actions CI for pattern testing
Community feedback thread

The easiest contribution is adding a regex pattern to the sanitizer. Find a secret type we don't detect, write the pattern, submit a PR.

Repo: herakles-dev/opensource-pipeline

MIT license. The whole thing is markdown. PRs welcome.

I am one with Opus. Its adorable, we complete each other sentences! Hah but for real, its unbeatable with the right harness.

Michael Piscitelli — Tue, 31 Mar 2026 04:07:21 +0000

I Built an Open-Source LLM Harness — AI Agents Interview, Plan, Build & Deploy Entire Apps From One Prompt | Any LLM | CLI

Michael Piscitelli — Tue, 17 Mar 2026 04:15:58 +0000

We hit submit on the Amazon Nova Hackathon with 2 minutes to spare.

12 days. 30,000 lines of Python. 9 playable games — all built by AI agents, zero human code. That's right, agent-inception!

See what it built →

## One Prompt In, Deployed App Out

Build a tower defense with 6 tower types and chain lightning

Nova Forge interviews you, decomposes the work into parallel tasks, assigns AI agents, runs adversarial quality review, and deploys. That prompt produced an 802-line playable game
in 341 seconds.

https://forge.herakles.dev/demos/

What Blew Our Minds

We wanted forge to produce a working app. Our test game had 5 bugs. We pointed the framework at its own output. Nova Pro found every bug, fixed them all in 26 seconds — including a
structural refactor using a tool we 'invented' that morning (replace_lines).

That debug session is now proof-of-work alongside the demo. The model fixing its own mistakes became our best feature-> zero manual debug loops.

The 6 Bugs Every Agent Framework Will Hit

We found these the hard way. Saving you the pain:

Agents describe code instead of writing it — your prompt must say "call write_file," not "complete the task"
Specs get summarized to death — "pseudo-3D racer with ACCEL=0.9" becomes "build a game" → wrong output
Building agents never see the spec — only task summaries reach them. Inject the full spec.
Verify phase kills multi-file builds — agent writes 80 lines, enters verify mode, wastes all turns
Missing tools are silent failures — without think, models dump reasoning as text
No path guidance = wrong directory — models love creating src/ when you want project root

Each one took hours to trace. We built fast, and broke things. But we finished the race! https://github.com/herakles-dev/nova-forge

The Stack

Pure Python — 35 modules, 1,670 tests, no JS dependencies
14 agent tools — read, write, edit, replace_lines, bash, grep, think
11 team formations — solo builds to 5-agent architecture reviews
3 model tiers — works with Nova Lite (32K), Pro (300K), Premier (1M)
LLM-agnostic — Bedrock, OpenAI, Anthropic adapters in the router
LLM-agnostic — Bedrock, OpenAI, Anthropic adapters in the router

Come Build With Us

The framework works. The bugs are documented. The hard problems are interesting.

What we need:

🔌 LLM adapters — Ollama, Groq, Mistral, Together
🧪 Benchmark scenarios — what breaks when you try to build X?
🛠️ Agent tools — test runners, git integration, package managers
🐛 Bug reports — try building something weird and tell us what happens
More consistent builds, a smarter system (the first time)

git clone https://github.com/herakles-dev/nova-forge.git
cd nova-forge && ./setup.sh
python3 forge_cli.py

⭐ https://github.com/herakles-dev/nova-forge | 🎮 https://forge.herakles.dev/demos/ | 🐛
https://forge.herakles.dev/guide.html
https://github.com/herakles-dev/nova-forge/issues

Anvil — A Writing Forge for Fellowship and Grant Applications (Open Source)

Michael Piscitelli — Sat, 14 Mar 2026 04:00:36 +0000

If you use a CLI-based LLM like Claude Code or Cursor to help with writing, you know the friction: edit files in one place, run the LLM in another, copy-paste between them.

Anvil bridges that gap. It is a browser-based writing workspace that reads and writes the same plain markdown files your LLM works with from the terminal.

What it does

Anvil gives you:

Block-level editing with inline review notes
Evidence sidebar (Ctrl+E) to search research files while drafting
Guided form fields with word counters, field guides, and tips
Status tracking: not_started to first_draft to human_written to ai_refined to final
Resume editor with split-pane HTML + live preview + PDF export
Export copy-paste-ready text for application portals

The workflow

You write first drafts in the browser. Your LLM reads and refines the same markdown files from the terminal. Status tracking keeps you honest about what is human-written vs AI-refined.

Stack

Flask 3.1 + Vanilla JS + SQLite + Docker. No build step. No npm.

The CLAUDE.md includes a full setup guide. Paste one prompt into your CLI and it interviews you, builds your evidence base, configures form fields, and writes your resume.

Get started

git clone https://github.com/herakles-dev/anvil.git
cd anvil
docker compose up -d

MIT licensed. Issues and PRs welcome.

GitHub: herakles-dev/anvil