feat: Supabase-backed user data (portfolio, favorites, trades, alerts, notifications)

- Migration: 5 new tables (user_trades, favorites, price_alerts, notifications, portfolio_snapshots)
- Fixed portfolios table: added symbol column, made stock_id nullable
- Auto-create user_profiles on signup trigger
- 6 new API routes: /api/portfolio, /api/favorites, /api/watchlist, /api/trades, /api/alerts, /api/notifications
- Portfolio page: localStorage → Supabase with auto-migration fallback
- Favorites: async Supabase API with localStorage fallback for anonymous
- StockDetail & StockList: use async favorites API
- RLS + per-user policies on all new tables

nextjs-app/src/app/api/alerts/route.ts

@@ -0,0 +1,124 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { createClient } from '@/lib/supabase/server'
+
+export const dynamic = 'force-dynamic'
+
+// GET /api/alerts — kullanıcının fiyat alarmları
+export async function GET() {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const { data, error } = await supabase
+    .from('price_alerts')
+    .select('*')
+    .eq('user_id', user.id)
+    .order('created_at', { ascending: false })
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ alerts: data ?? [] })
+}
+
+// POST /api/alerts — yeni alarm kur
+export async function POST(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  let body: Record<string, unknown>
+  try { body = await req.json() } catch { return NextResponse.json({ error: 'Geçersiz JSON' }, { status: 400 }) }
+
+  const symbol = String(body.symbol || '').trim().toUpperCase()
+  const alertType = String(body.alert_type || '')
+  const targetValue = Number(body.target_value || 0)
+
+  if (!symbol || !['above', 'below', 'change_pct'].includes(alertType) || targetValue <= 0) {
+    return NextResponse.json(
+      { error: 'symbol, alert_type (above/below/change_pct), target_value (>0) gerekli' },
+      { status: 400 }
+    )
+  }
+
+  // Limit: max 20 active alerts per user
+  const { count } = await supabase
+    .from('price_alerts')
+    .select('*', { count: 'exact', head: true })
+    .eq('user_id', user.id)
+    .eq('is_active', true)
+
+  if ((count ?? 0) >= 20) {
+    return NextResponse.json({ error: 'Maksimum 20 aktif alarm kurabilirsiniz' }, { status: 429 })
+  }
+
+  const { data, error } = await supabase
+    .from('price_alerts')
+    .insert({
+      user_id: user.id,
+      symbol,
+      alert_type: alertType,
+      target_value: targetValue,
+      notes: body.notes || null,
+    })
+    .select()
+    .single()
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ alert: data }, { status: 201 })
+}
+
+// PATCH /api/alerts — alarmı güncelle (deaktive et vb.)
+export async function PATCH(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  let body: Record<string, unknown>
+  try { body = await req.json() } catch { return NextResponse.json({ error: 'Geçersiz JSON' }, { status: 400 }) }
+
+  const id = String(body.id || '')
+  if (!id) return NextResponse.json({ error: 'id gerekli' }, { status: 400 })
+
+  const updates: Record<string, unknown> = {}
+  if (body.is_active !== undefined) updates.is_active = Boolean(body.is_active)
+  if (body.target_value !== undefined) updates.target_value = Number(body.target_value)
+  if (body.notes !== undefined) updates.notes = body.notes
+
+  const { data, error } = await supabase
+    .from('price_alerts')
+    .update(updates)
+    .eq('id', id)
+    .eq('user_id', user.id)
+    .select()
+    .single()
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ alert: data })
+}
+
+// DELETE /api/alerts?id=xxx — alarm sil
+export async function DELETE(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const url = new URL(req.url)
+  const id = url.searchParams.get('id')
+  if (!id) return NextResponse.json({ error: 'id gerekli' }, { status: 400 })
+
+  const { error } = await supabase
+    .from('price_alerts')
+    .delete()
+    .eq('id', id)
+    .eq('user_id', user.id)
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ ok: true })
+}

nextjs-app/src/app/api/favorites/route.ts

@@ -0,0 +1,74 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { createClient } from '@/lib/supabase/server'
+
+export const dynamic = 'force-dynamic'
+
+// GET /api/favorites — kullanıcının favorileri
+export async function GET() {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const { data, error } = await supabase
+    .from('favorites')
+    .select('*')
+    .eq('user_id', user.id)
+    .order('created_at', { ascending: false })
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ items: data ?? [] })
+}
+
+// POST /api/favorites — favorilere ekle
+export async function POST(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  let body: Record<string, unknown>
+  try { body = await req.json() } catch { return NextResponse.json({ error: 'Geçersiz JSON' }, { status: 400 }) }
+
+  const symbol = String(body.symbol || '').trim().toUpperCase()
+  if (!symbol) return NextResponse.json({ error: 'symbol gerekli' }, { status: 400 })
+
+  const { data, error } = await supabase
+    .from('favorites')
+    .upsert(
+      { user_id: user.id, symbol, notes: body.notes || null },
+      { onConflict: 'user_id,symbol' }
+    )
+    .select()
+    .single()
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ item: data }, { status: 201 })
+}
+
+// DELETE /api/favorites?symbol=THYAO — favorilerden çıkar
+export async function DELETE(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const url = new URL(req.url)
+  const symbol = url.searchParams.get('symbol')?.trim().toUpperCase()
+  const id = url.searchParams.get('id')
+
+  if (!symbol && !id) {
+    return NextResponse.json({ error: 'symbol veya id gerekli' }, { status: 400 })
+  }
+
+  let query = supabase.from('favorites').delete().eq('user_id', user.id)
+  if (id) query = query.eq('id', id)
+  else if (symbol) query = query.eq('symbol', symbol)
+
+  const { error } = await query
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ ok: true })
+}

nextjs-app/src/app/api/notifications/route.ts

@@ -0,0 +1,59 @@
+import { NextResponse } from 'next/server'
+import { createClient } from '@/lib/supabase/server'
+
+export const dynamic = 'force-dynamic'
+
+// GET /api/notifications — kullanıcının bildirimleri
+export async function GET() {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const { data, error } = await supabase
+    .from('notifications')
+    .select('*')
+    .eq('user_id', user.id)
+    .order('created_at', { ascending: false })
+    .limit(50)
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+
+  const unreadCount = (data ?? []).filter((n) => !n.is_read).length
+
+  return NextResponse.json({ notifications: data ?? [], unread_count: unreadCount })
+}
+
+// PATCH /api/notifications — okundu olarak işaretle
+export async function PATCH(req: Request) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  let body: Record<string, unknown>
+  try { body = await req.json() } catch { return NextResponse.json({ error: 'Geçersiz JSON' }, { status: 400 }) }
+
+  // Mark single or all as read
+  if (body.id) {
+    const { error } = await supabase
+      .from('notifications')
+      .update({ is_read: true })
+      .eq('id', String(body.id))
+      .eq('user_id', user.id)
+
+    if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  } else if (body.mark_all_read) {
+    const { error } = await supabase
+      .from('notifications')
+      .update({ is_read: true })
+      .eq('user_id', user.id)
+      .eq('is_read', false)
+
+    if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  }
+
+  return NextResponse.json({ ok: true })
+}

nextjs-app/src/app/api/portfolio/route.ts

@@ -0,0 +1,195 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { createClient } from '@/lib/supabase/server'
+
+export const dynamic = 'force-dynamic'
+
+// GET /api/portfolio — kullanıcının portföyünü getir
+export async function GET() {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const { data, error } = await supabase
+    .from('portfolios')
+    .select('*')
+    .eq('user_id', user.id)
+    .order('created_at', { ascending: false })
+
+  if (error) {
+    return NextResponse.json({ error: error.message }, { status: 500 })
+  }
+
+  return NextResponse.json({ items: data ?? [] })
+}
+
+// POST /api/portfolio — yeni pozisyon ekle
+export async function POST(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  let body: Record<string, unknown>
+  try {
+    body = await req.json()
+  } catch {
+    return NextResponse.json({ error: 'Geçersiz JSON' }, { status: 400 })
+  }
+
+  const symbol = String(body.symbol || '').trim().toUpperCase()
+  const quantity = Number(body.quantity || body.shares || 0)
+  const avgPrice = Number(body.avg_purchase_price || body.average_price || body.price || 0)
+
+  if (!symbol || quantity <= 0 || avgPrice <= 0) {
+    return NextResponse.json(
+      { error: 'symbol, quantity (>0), avg_purchase_price (>0) gerekli' },
+      { status: 400 }
+    )
+  }
+
+  // UPSERT: aynı hisse varsa quantity ve avg_cost güncelle
+  const { data: existing } = await supabase
+    .from('portfolios')
+    .select('*')
+    .eq('user_id', user.id)
+    .eq('symbol', symbol)
+    .maybeSingle()
+
+  if (existing) {
+    const oldQty = Number(existing.quantity) || 0
+    const oldAvg = Number(existing.avg_purchase_price) || avgPrice
+    const newQty = oldQty + quantity
+    const newAvg = (oldAvg * oldQty + avgPrice * quantity) / newQty
+
+    const { data, error } = await supabase
+      .from('portfolios')
+      .update({ quantity: newQty, avg_purchase_price: Math.round(newAvg * 100) / 100 })
+      .eq('id', existing.id)
+      .select()
+      .single()
+
+    if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+
+    // Log trade
+    await supabase.from('user_trades').insert({
+      user_id: user.id,
+      symbol,
+      side: 'BUY',
+      quantity,
+      price: avgPrice,
+      notes: String(body.notes || ''),
+    })
+
+    return NextResponse.json({ item: data, merged: true })
+  }
+
+  const { data, error } = await supabase
+    .from('portfolios')
+    .insert({
+      user_id: user.id,
+      symbol,
+      quantity,
+      avg_purchase_price: avgPrice,
+      purchase_date: body.purchase_date || new Date().toISOString().split('T')[0],
+      notes: body.notes || null,
+    })
+    .select()
+    .single()
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+
+  // Log trade
+  await supabase.from('user_trades').insert({
+    user_id: user.id,
+    symbol,
+    side: 'BUY',
+    quantity,
+    price: avgPrice,
+    notes: String(body.notes || ''),
+  })
+
+  return NextResponse.json({ item: data }, { status: 201 })
+}
+
+// PATCH /api/portfolio — pozisyon güncelle
+export async function PATCH(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  let body: Record<string, unknown>
+  try {
+    body = await req.json()
+  } catch {
+    return NextResponse.json({ error: 'Geçersiz JSON' }, { status: 400 })
+  }
+
+  const id = String(body.id || '')
+  if (!id) return NextResponse.json({ error: 'id gerekli' }, { status: 400 })
+
+  const updates: Record<string, unknown> = {}
+  if (body.quantity !== undefined) updates.quantity = Number(body.quantity)
+  if (body.avg_purchase_price !== undefined) updates.avg_purchase_price = Number(body.avg_purchase_price)
+  if (body.notes !== undefined) updates.notes = body.notes
+
+  const { data, error } = await supabase
+    .from('portfolios')
+    .update(updates)
+    .eq('id', id)
+    .eq('user_id', user.id)
+    .select()
+    .single()
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ item: data })
+}
+
+// DELETE /api/portfolio — pozisyon sil (satış)
+export async function DELETE(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const url = new URL(req.url)
+  const id = url.searchParams.get('id')
+  const symbol = url.searchParams.get('symbol')
+  const sellPrice = Number(url.searchParams.get('sell_price') || 0)
+
+  if (!id && !symbol) {
+    return NextResponse.json({ error: 'id veya symbol gerekli' }, { status: 400 })
+  }
+
+  // Get position before deleting (for trade log)
+  let query = supabase.from('portfolios').select('*').eq('user_id', user.id)
+  if (id) query = query.eq('id', id)
+  else if (symbol) query = query.eq('symbol', symbol)
+
+  const { data: position } = await query.maybeSingle()
+
+  if (position && sellPrice > 0) {
+    // Log sell trade
+    await supabase.from('user_trades').insert({
+      user_id: user.id,
+      symbol: position.symbol || symbol,
+      side: 'SELL',
+      quantity: position.quantity,
+      price: sellPrice,
+    })
+  }
+
+  let delQuery = supabase.from('portfolios').delete().eq('user_id', user.id)
+  if (id) delQuery = delQuery.eq('id', id)
+  else if (symbol) delQuery = delQuery.eq('symbol', symbol)
+
+  const { error } = await delQuery
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ ok: true })
+}

nextjs-app/src/app/api/trades/route.ts

@@ -0,0 +1,98 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { createClient } from '@/lib/supabase/server'
+
+export const dynamic = 'force-dynamic'
+
+// GET /api/trades — kullanıcının işlem geçmişi
+export async function GET(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const url = new URL(req.url)
+  const symbol = url.searchParams.get('symbol')
+  const limit = Math.min(Number(url.searchParams.get('limit') || 50), 200)
+  const offset = Number(url.searchParams.get('offset') || 0)
+
+  let query = supabase
+    .from('user_trades')
+    .select('*', { count: 'exact' })
+    .eq('user_id', user.id)
+    .order('trade_date', { ascending: false })
+    .range(offset, offset + limit - 1)
+
+  if (symbol) {
+    query = query.eq('symbol', symbol.toUpperCase())
+  }
+
+  const { data, error, count } = await query
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ trades: data ?? [], total: count ?? 0 })
+}
+
+// POST /api/trades — manuel işlem ekle
+export async function POST(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  let body: Record<string, unknown>
+  try { body = await req.json() } catch { return NextResponse.json({ error: 'Geçersiz JSON' }, { status: 400 }) }
+
+  const symbol = String(body.symbol || '').trim().toUpperCase()
+  const side = String(body.side || '').toUpperCase()
+  const quantity = Number(body.quantity || 0)
+  const price = Number(body.price || 0)
+
+  if (!symbol || !['BUY', 'SELL'].includes(side) || quantity <= 0 || price <= 0) {
+    return NextResponse.json(
+      { error: 'symbol, side (BUY/SELL), quantity (>0), price (>0) gerekli' },
+      { status: 400 }
+    )
+  }
+
+  const { data, error } = await supabase
+    .from('user_trades')
+    .insert({
+      user_id: user.id,
+      symbol,
+      side,
+      quantity,
+      price,
+      commission: Number(body.commission || 0),
+      notes: body.notes || null,
+      trade_date: body.trade_date || new Date().toISOString(),
+    })
+    .select()
+    .single()
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ trade: data }, { status: 201 })
+}
+
+// DELETE /api/trades?id=xxx — işlem sil
+export async function DELETE(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const url = new URL(req.url)
+  const id = url.searchParams.get('id')
+  if (!id) return NextResponse.json({ error: 'id gerekli' }, { status: 400 })
+
+  const { error } = await supabase
+    .from('user_trades')
+    .delete()
+    .eq('id', id)
+    .eq('user_id', user.id)
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ ok: true })
+}

nextjs-app/src/app/api/watchlist/route.ts

@@ -0,0 +1,91 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { createClient } from '@/lib/supabase/server'
+
+export const dynamic = 'force-dynamic'
+
+// GET /api/watchlist — kullanıcının takip listesi
+export async function GET() {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const { data, error } = await supabase
+    .from('watchlists')
+    .select('*')
+    .eq('user_id', user.id)
+    .order('created_at', { ascending: false })
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ items: data ?? [] })
+}
+
+// POST /api/watchlist — takip listesine ekle
+export async function POST(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  let body: Record<string, unknown>
+  try { body = await req.json() } catch { return NextResponse.json({ error: 'Geçersiz JSON' }, { status: 400 }) }
+
+  const symbol = String(body.symbol || '').trim().toUpperCase()
+  if (!symbol) return NextResponse.json({ error: 'symbol gerekli' }, { status: 400 })
+
+  // Find stock_id if exists
+  const { data: stock } = await supabase
+    .from('stocks')
+    .select('id')
+    .eq('symbol', symbol)
+    .maybeSingle()
+
+  const { data, error } = await supabase
+    .from('watchlists')
+    .upsert({
+      user_id: user.id,
+      stock_id: stock?.id || null,
+      symbol,
+      alert_price_above: body.alert_price_above || null,
+      alert_price_below: body.alert_price_below || null,
+      alert_on_news: body.alert_on_news || false,
+      notes: body.notes || null,
+    }, { onConflict: 'user_id,stock_id' })
+    .select()
+    .single()
+
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ item: data }, { status: 201 })
+}
+
+// DELETE /api/watchlist?symbol=THYAO — takip listesinden çıkar
+export async function DELETE(req: NextRequest) {
+  const supabase = await createClient()
+  const { data: { user }, error: authErr } = await supabase.auth.getUser()
+  if (!user || authErr) {
+    return NextResponse.json({ error: 'Giriş gerekli' }, { status: 401 })
+  }
+
+  const url = new URL(req.url)
+  const id = url.searchParams.get('id')
+  const symbol = url.searchParams.get('symbol')
+
+  if (!id && !symbol) {
+    return NextResponse.json({ error: 'id veya symbol gerekli' }, { status: 400 })
+  }
+
+  let query = supabase.from('watchlists').delete().eq('user_id', user.id)
+  if (id) query = query.eq('id', id)
+  // For symbol, find via stocks table
+  if (symbol && !id) {
+    const { data: stock } = await supabase.from('stocks').select('id').eq('symbol', symbol.toUpperCase()).maybeSingle()
+    if (stock) query = query.eq('stock_id', stock.id)
+    else return NextResponse.json({ error: 'Hisse bulunamadı' }, { status: 404 })
+  }
+
+  const { error } = await query
+  if (error) return NextResponse.json({ error: error.message }, { status: 500 })
+  return NextResponse.json({ ok: true })
+}

nextjs-app/src/app/favorites/page.tsx

@@ -4,7 +4,7 @@ import { useCallback, useEffect, useMemo, useState } from 'react'
 import Link from 'next/link'
 import { Star, Trash2, Plus, RefreshCw } from 'lucide-react'
 import { useAuth } from '@/contexts/AuthContext'
-import { addFavorite, loadFavorites, removeFavorite, type FavoriteItem } from '@/lib/favorites'
+import { addFavoriteAsync, loadFavoritesAsync, removeFavoriteAsync, type FavoriteItem } from '@/lib/favorites'
 import { formatCurrency, formatPercent } from '@/lib/utils'
 import { toNumber } from '@/lib/api-utils'
 import { NoFavorites } from '@/components/EmptyState'
@@ -30,7 +30,7 @@ export default function FavoritesPage() {
   const refresh = useCallback(async () => {
     try {
       setLoading(true)
-      const favs = loadFavorites(userKey)
+      const favs = await loadFavoritesAsync(userKey)
       setFavorites(favs)
 
       if (favs.length === 0) {
@@ -74,18 +74,17 @@ export default function FavoritesPage() {
     refresh()
   }, [refresh])
 
-  const onAdd = () => {
+  const onAdd = async () => {
     const sym = symbolInput.trim().toUpperCase()
     if (!sym) return
-    const next = addFavorite(sym, userKey)
+    const next = await addFavoriteAsync(sym, userKey)
     setFavorites(next)
     setSymbolInput('')
-    // Best-effort: refresh prices
     refresh()
   }
 
-  const onRemove = (symbol: string) => {
-    const next = removeFavorite(symbol, userKey)
+  const onRemove = async (symbol: string) => {
+    const next = await removeFavoriteAsync(symbol, userKey)
     setFavorites(next)
     setRows((prev) => prev.filter((r) => r.symbol !== symbol))
   }

nextjs-app/src/app/portfolio/page.tsx

@@ -38,54 +38,101 @@ function PortfolioContent() {
   const [showAddForm, setShowAddForm] = useState(false);
 
   const fetchPortfolio = useCallback(async () => {
+    if (!user) return;
     try {
-      // For now, we'll use localStorage as Supabase portfolio table needs to be created
-      const stored = localStorage.getItem(`portfolio_${user?.id}`);
-      if (stored) {
-        const items: PortfolioItem[] = JSON.parse(stored);
+      // Fetch from Supabase via API
+      const resp = await fetch('/api/portfolio');
+      const json = await resp.json().catch(() => null);
 
-        // Batch fetch current prices (single request instead of N+1)
-        const symbols = items.map((item) => item.symbol).join(',');
-        let batchData: Record<string, unknown> = {};
-        try {
-          const batchResp = await fetch(`/api/stocks/batch?symbols=${encodeURIComponent(symbols)}`);
-          const batchJson = await batchResp.json().catch(() => null);
-          batchData = batchJson?.stocks || {};
-        } catch {
-          // Fall back to empty, each stock will use average_price
+      let items: PortfolioItem[] = [];
+
+      if (resp.ok && json?.items?.length > 0) {
+        items = json.items.map((row: Record<string, unknown>) => ({
+          id: String(row.id),
+          symbol: String(row.symbol || ''),
+          shares: Number(row.quantity || 0),
+          average_price: Number(row.avg_purchase_price || 0),
+          created_at: String(row.created_at || ''),
+        }));
+      } else {
+        // Fallback: migrate from localStorage if exists
+        const stored = localStorage.getItem(`portfolio_${user.id}`);
+        if (stored) {
+          const localItems: PortfolioItem[] = JSON.parse(stored);
+          // Migrate each to Supabase
+          for (const li of localItems) {
+            try {
+              await fetch('/api/portfolio', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({
+                  symbol: li.symbol,
+                  quantity: li.shares,
+                  avg_purchase_price: li.average_price,
+                }),
+              });
+            } catch { /* ignore migration errors */ }
+          }
+          localStorage.removeItem(`portfolio_${user.id}`);
+          // Re-fetch from Supabase
+          const resp2 = await fetch('/api/portfolio');
+          const json2 = await resp2.json().catch(() => null);
+          if (json2?.items) {
+            items = json2.items.map((row: Record<string, unknown>) => ({
+              id: String(row.id),
+              symbol: String(row.symbol || ''),
+              shares: Number(row.quantity || 0),
+              average_price: Number(row.avg_purchase_price || 0),
+              created_at: String(row.created_at || ''),
+            }));
+          }
         }
+      }
 
-        const enriched = items.map((item) => {
-          const data = batchData[item.symbol] as Record<string, Record<string, unknown> | undefined> | undefined;
-          const rawLast = data?.stock?.last_price;
-          const parsedLast = typeof rawLast === 'number' ? rawLast : Number(rawLast);
-          const hasLivePrice = Number.isFinite(parsedLast) && parsedLast > 0;
-          const currentPrice = hasLivePrice ? parsedLast : item.average_price;
+      if (items.length === 0) {
+        setPortfolio([]);
+        return;
+      }
 
-          const totalValue = item.shares * currentPrice;
-          const totalCost = item.shares * item.average_price;
-          const profitLoss = hasLivePrice ? (totalValue - totalCost) : 0;
-          const profitLossPct = hasLivePrice && totalCost > 0 ? (profitLoss / totalCost) * 100 : 0;
+      // Batch fetch current prices
+      const symbols = items.map((item) => item.symbol).join(',');
+      let batchData: Record<string, unknown> = {};
+      try {
+        const batchResp = await fetch(`/api/stocks/batch?symbols=${encodeURIComponent(symbols)}`);
+        const batchJson = await batchResp.json().catch(() => null);
+        batchData = batchJson?.stocks || {};
+      } catch { /* price fetch failed, use avg cost */ }
 
-          return {
-            ...item,
-            current_price: currentPrice,
-            name: String(data?.stock?.name || item.symbol),
-            total_value: totalValue,
-            profit_loss: profitLoss,
-            profit_loss_pct: profitLossPct,
-            price_is_fallback: !hasLivePrice,
-          };
-        });
+      const enriched = items.map((item) => {
+        const data = batchData[item.symbol] as Record<string, Record<string, unknown> | undefined> | undefined;
+        const rawLast = data?.stock?.last_price;
+        const parsedLast = typeof rawLast === 'number' ? rawLast : Number(rawLast);
+        const hasLivePrice = Number.isFinite(parsedLast) && parsedLast > 0;
+        const currentPrice = hasLivePrice ? parsedLast : item.average_price;
 
-        setPortfolio(enriched);
-      }
+        const totalValue = item.shares * currentPrice;
+        const totalCost = item.shares * item.average_price;
+        const profitLoss = hasLivePrice ? (totalValue - totalCost) : 0;
+        const profitLossPct = hasLivePrice && totalCost > 0 ? (profitLoss / totalCost) * 100 : 0;
+
+        return {
+          ...item,
+          current_price: currentPrice,
+          name: String(data?.stock?.name || item.symbol),
+          total_value: totalValue,
+          profit_loss: profitLoss,
+          profit_loss_pct: profitLossPct,
+          price_is_fallback: !hasLivePrice,
+        };
+      });
+
+      setPortfolio(enriched);
     } catch (error) {
       console.error('Failed to fetch portfolio:', error);
     } finally {
       setLoading(false);
     }
-  }, [user?.id]);
+  }, [user]);
 
   useEffect(() => {
     if (user) {
@@ -93,30 +140,27 @@ function PortfolioContent() {
     }
   }, [user, fetchPortfolio]);
 
-  const addToPortfolio = (symbol: string, shares: number, price: number) => {
-    const newItem: PortfolioItem = {
-      id: Date.now().toString(),
-      symbol,
-      shares,
-      average_price: price,
-      created_at: new Date().toISOString()
-    };
-    
-    const stored = localStorage.getItem(`portfolio_${user?.id}`) || '[]';
-    const items: PortfolioItem[] = JSON.parse(stored);
-    items.push(newItem);
-    localStorage.setItem(`portfolio_${user?.id}`, JSON.stringify(items));
-    
-    fetchPortfolio();
-    setShowAddForm(false);
+  const addToPortfolio = async (symbol: string, shares: number, price: number) => {
+    try {
+      await fetch('/api/portfolio', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ symbol, quantity: shares, avg_purchase_price: price }),
+      });
+      fetchPortfolio();
+      setShowAddForm(false);
+    } catch (error) {
+      console.error('Failed to add to portfolio:', error);
+    }
   };
 
-  const removeFromPortfolio = (id: string) => {
-    const stored = localStorage.getItem(`portfolio_${user?.id}`) || '[]';
-    const items: PortfolioItem[] = JSON.parse(stored);
-    const filtered = items.filter(item => item.id !== id);
-    localStorage.setItem(`portfolio_${user?.id}`, JSON.stringify(filtered));
-    fetchPortfolio();
+  const removeFromPortfolio = async (id: string) => {
+    try {
+      await fetch(`/api/portfolio?id=${encodeURIComponent(id)}`, { method: 'DELETE' });
+      fetchPortfolio();
+    } catch (error) {
+      console.error('Failed to remove from portfolio:', error);
+    }
   };
 
   const totalValue = portfolio.reduce((sum, item) => sum + item.total_value, 0);

nextjs-app/src/components/StockDetail.tsx

@@ -8,7 +8,7 @@ import { formatCurrency, formatPercent, formatNumber } from '@/lib/utils'
 import { TrendingUp, TrendingDown, ArrowLeft, Star, BarChart3, Activity, Brain, ChevronDown, ChevronUp } from 'lucide-react'
 import Link from 'next/link'
 import { useAuth } from '@/contexts/AuthContext'
-import { loadFavorites, toggleFavorite } from '@/lib/favorites'
+import { loadFavoritesAsync, toggleFavoriteAsync } from '@/lib/favorites'
 import type { TechnicalIndicator } from '@/types'
 
 // Lazy load the heavy chart component
@@ -39,8 +39,9 @@ export function StockDetail({ symbol }: { symbol: string }) {
   const userKey = user?.id
 
   useEffect(() => {
-    const favs = loadFavorites(userKey)
-    setIsFav(favs.some((f) => f.symbol === String(symbol).toUpperCase()))
+    loadFavoritesAsync(userKey).then(favs => {
+      setIsFav(favs.some((f) => f.symbol === String(symbol).toUpperCase()))
+    })
   }, [symbol, userKey])
 
   useEffect(() => {
@@ -113,8 +114,8 @@ export function StockDetail({ symbol }: { symbol: string }) {
                   <h1 className="text-2xl font-bold text-white">{stock.symbol}</h1>
                   <button
                     type="button"
-                    onClick={() => {
-                      const res = toggleFavorite(stock.symbol, userKey)
+                    onClick={async () => {
+                      const res = await toggleFavoriteAsync(stock.symbol, userKey)
                       setIsFav(res.nowFavorite)
                     }}
                     className="p-1.5 rounded-lg hover:bg-gray-800 transition-colors"

nextjs-app/src/components/StockList.tsx

@@ -9,7 +9,7 @@ import { Star, TrendingUp, TrendingDown } from 'lucide-react'
 
 import { fetchJson } from '@/lib/http'
 import { useAuth } from '@/contexts/AuthContext'
-import { loadFavorites, toggleFavorite } from '@/lib/favorites'
+import { loadFavoritesAsync, toggleFavoriteAsync } from '@/lib/favorites'
 import { toNumber } from '@/lib/api-utils'
 
 type StockRow = Partial<StockSummary> & {
@@ -45,8 +45,9 @@ export function StockList() {
   const userKey = user?.id
 
   useEffect(() => {
-    const favs = loadFavorites(userKey)
-    setFavoriteSymbols(new Set(favs.map((f) => f.symbol)))
+    loadFavoritesAsync(userKey).then(favs => {
+      setFavoriteSymbols(new Set(favs.map((f) => f.symbol)))
+    })
   }, [userKey])
 
   useEffect(() => {
@@ -133,8 +134,8 @@ export function StockList() {
                   <div className="flex items-center gap-2">
                     <button
                       type="button"
-                      onClick={() => {
-                        const { next } = toggleFavorite(stock.symbol, userKey)
+                      onClick={async () => {
+                        const { next } = await toggleFavoriteAsync(stock.symbol, userKey)
                         setFavoriteSymbols(new Set(next.map((f) => f.symbol)))
                       }}
                       className="p-1 rounded hover:bg-gray-100"

nextjs-app/src/lib/favorites.ts

@@ -5,17 +5,122 @@ export interface FavoriteItem {
 
 const FAVORITES_PREFIX = 'borsa.favorites.'
 
-function safeParseJson(value: string | null): unknown {
-  if (!value) return null
+function normalizeSymbol(value: unknown): string {
+  return String(value || '').trim().toUpperCase()
+}
+
+/** Cached in-memory store to avoid repeated fetches within same page */
+let _cache: FavoriteItem[] | null = null
+let _cacheUserId: string | null = null
+
+function invalidateCache() {
+  _cache = null
+  _cacheUserId = null
+}
+
+// --------------- Async (Supabase-backed) API ---------------
+
+export async function loadFavoritesAsync(userId?: string | null): Promise<FavoriteItem[]> {
+  if (!userId) return []
+  if (_cache && _cacheUserId === userId) return _cache
+
   try {
-    return JSON.parse(value)
-  } catch {
-    return null
+    const resp = await fetch('/api/favorites')
+    const json = await resp.json().catch(() => null)
+    if (resp.ok && json?.items) {
+      const items: FavoriteItem[] = (json.items as Record<string, unknown>[]).map((r) => ({
+        symbol: String(r.symbol || ''),
+        added_at: String(r.created_at || r.added_at || new Date().toISOString()),
+      }))
+      items.sort((a, b) => (a.added_at < b.added_at ? 1 : -1))
+      _cache = items
+      _cacheUserId = userId
+      // Migrate from localStorage if Supabase was empty but localStorage has data
+      if (items.length === 0 && typeof window !== 'undefined') {
+        const key = `${FAVORITES_PREFIX}${userId}`
+        const stored = window.localStorage.getItem(key)
+        if (stored) {
+          try {
+            const local = JSON.parse(stored) as { symbol?: string; added_at?: string }[]
+            if (Array.isArray(local) && local.length > 0) {
+              for (const li of local) {
+                const sym = normalizeSymbol(li.symbol)
+                if (sym) {
+                  await fetch('/api/favorites', {
+                    method: 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body: JSON.stringify({ symbol: sym }),
+                  })
+                }
+              }
+              window.localStorage.removeItem(key)
+              invalidateCache()
+              return loadFavoritesAsync(userId)
+            }
+          } catch { /* ignore */ }
+        }
+      }
+      return items
+    }
+  } catch { /* network error */ }
+
+  // Fallback to localStorage
+  return loadFavorites(userId)
+}
+
+export async function addFavoriteAsync(symbol: string, _userId?: string | null): Promise<FavoriteItem[]> {
+  const sym = normalizeSymbol(symbol)
+  if (!sym) return _cache || []
+  try {
+    await fetch('/api/favorites', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ symbol: sym }),
+    })
+    invalidateCache()
+  } catch { /* fallback handled below */ }
+  return loadFavoritesAsync(_userId)
+}
+
+export async function removeFavoriteAsync(symbol: string, _userId?: string | null): Promise<FavoriteItem[]> {
+  const sym = normalizeSymbol(symbol)
+  if (!sym) return _cache || []
+  try {
+    await fetch(`/api/favorites?symbol=${encodeURIComponent(sym)}`, { method: 'DELETE' })
+    invalidateCache()
+  } catch { /* fallback */ }
+  return loadFavoritesAsync(_userId)
+}
+
+export async function toggleFavoriteAsync(
+  symbol: string,
+  userId?: string | null
+): Promise<{ next: FavoriteItem[]; nowFavorite: boolean }> {
+  const sym = normalizeSymbol(symbol)
+  if (!sym) return { next: [], nowFavorite: false }
+  const items = await loadFavoritesAsync(userId)
+  const exists = items.some((i) => i.symbol === sym)
+  if (exists) {
+    const next = await removeFavoriteAsync(sym, userId)
+    return { next, nowFavorite: false }
   }
+  const next = await addFavoriteAsync(sym, userId)
+  return { next, nowFavorite: true }
 }
 
-function normalizeSymbol(value: unknown): string {
-  return String(value || '').trim().toUpperCase()
+export async function isFavoriteAsync(symbol: string, userId?: string | null): Promise<boolean> {
+  const sym = normalizeSymbol(symbol)
+  if (!sym) return false
+  const items = await loadFavoritesAsync(userId)
+  return items.some((i) => i.symbol === sym)
+}
+
+// --------------- Synchronous (localStorage) fallback API ---------------
+// Kept for SSR and anonymous users
+
+function safeParseJson(value: string | null): unknown {
+  if (!value) return null
+  try { return JSON.parse(value) } catch { return null }
 }
 
 function normalizeItem(input: unknown): FavoriteItem | null {
@@ -37,9 +142,7 @@ export function loadFavorites(userId?: string | null): FavoriteItem[] {
   const parsed = safeParseJson(window.localStorage.getItem(key))
   if (!Array.isArray(parsed)) return []
   const items = parsed.map(normalizeItem).filter(Boolean) as FavoriteItem[]
-  // Newest first
   items.sort((a, b) => (a.added_at < b.added_at ? 1 : a.added_at > b.added_at ? -1 : 0))
-  // Dedupe by symbol
   const seen = new Set<string>()
   const deduped: FavoriteItem[] = []
   for (const it of items) {
@@ -59,8 +162,7 @@ export function saveFavorites(items: FavoriteItem[], userId?: string | null): vo
 export function isFavorite(symbol: string, userId?: string | null): boolean {
   const sym = normalizeSymbol(symbol)
   if (!sym) return false
-  const items = loadFavorites(userId)
-  return items.some((i) => i.symbol === sym)
+  return loadFavorites(userId).some((i) => i.symbol === sym)
 }
 
 export function addFavorite(symbol: string, userId?: string | null): FavoriteItem[] {

supabase/migrations/20260216_user_features.sql

@@ -0,0 +1,261 @@
+-- ============================================
+-- USER FEATURES MIGRATION
+-- Adds: user_trades, price_alerts, notifications,
+--       favorites table + fixes portfolios for real use
+-- Date: 16 Şubat 2026
+-- ============================================
+
+-- ============================================
+-- 1. USER TRADES (İşlem Geçmişi)
+-- Her kullanıcının al/sat geçmişi
+-- ============================================
+CREATE TABLE IF NOT EXISTS user_trades (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+  symbol TEXT NOT NULL,
+  side TEXT NOT NULL CHECK (side IN ('BUY', 'SELL')),
+  quantity INTEGER NOT NULL CHECK (quantity > 0),
+  price DECIMAL(12,2) NOT NULL CHECK (price > 0),
+  commission DECIMAL(10,2) DEFAULT 0,
+  total_cost DECIMAL(14,2) GENERATED ALWAYS AS (quantity * price + commission) STORED,
+  notes TEXT,
+  trade_date TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+);
+
+CREATE INDEX idx_user_trades_user ON user_trades(user_id, trade_date DESC);
+CREATE INDEX idx_user_trades_symbol ON user_trades(user_id, symbol, trade_date DESC);
+
+COMMENT ON TABLE user_trades IS 'Kullanıcı işlem geçmişi — her al/sat kaydı';
+
+-- RLS
+ALTER TABLE user_trades ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "Users can view own trades" ON user_trades FOR SELECT USING (auth.uid() = user_id);
+CREATE POLICY "Users can insert own trades" ON user_trades FOR INSERT WITH CHECK (auth.uid() = user_id);
+CREATE POLICY "Users can update own trades" ON user_trades FOR UPDATE USING (auth.uid() = user_id);
+CREATE POLICY "Users can delete own trades" ON user_trades FOR DELETE USING (auth.uid() = user_id);
+
+GRANT SELECT, INSERT, UPDATE, DELETE ON user_trades TO authenticated;
+
+-- ============================================
+-- 2. FAVORITES TABLE (Favoriler)
+-- Kullanıcının favori hisseleri — localStorage'dan Supabase'e taşınıyor
+-- ============================================
+CREATE TABLE IF NOT EXISTS favorites (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+  symbol TEXT NOT NULL,
+  notes TEXT,
+  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+  UNIQUE(user_id, symbol)
+);
+
+CREATE INDEX idx_favorites_user ON favorites(user_id, created_at DESC);
+
+COMMENT ON TABLE favorites IS 'Kullanıcı favori hisseleri';
+
+-- RLS
+ALTER TABLE favorites ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "Users can view own favorites" ON favorites FOR SELECT USING (auth.uid() = user_id);
+CREATE POLICY "Users can insert own favorites" ON favorites FOR INSERT WITH CHECK (auth.uid() = user_id);
+CREATE POLICY "Users can delete own favorites" ON favorites FOR DELETE USING (auth.uid() = user_id);
+
+GRANT SELECT, INSERT, DELETE ON favorites TO authenticated;
+
+-- ============================================
+-- 3. PRICE ALERTS (Fiyat Alarmları)
+-- Hisse belirli fiyata gelince bildirim
+-- ============================================
+CREATE TABLE IF NOT EXISTS price_alerts (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+  symbol TEXT NOT NULL,
+  alert_type TEXT NOT NULL CHECK (alert_type IN ('above', 'below', 'change_pct')),
+  target_value DECIMAL(12,2) NOT NULL,
+  is_triggered BOOLEAN DEFAULT FALSE,
+  triggered_at TIMESTAMP WITH TIME ZONE,
+  triggered_price DECIMAL(12,2),
+  is_active BOOLEAN DEFAULT TRUE,
+  notes TEXT,
+  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+);
+
+CREATE INDEX idx_price_alerts_user ON price_alerts(user_id, is_active);
+CREATE INDEX idx_price_alerts_active ON price_alerts(symbol, is_active) WHERE is_active = TRUE;
+
+COMMENT ON TABLE price_alerts IS 'Fiyat alarmları — hedefe ulaşınca tetiklenir';
+
+-- RLS
+ALTER TABLE price_alerts ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "Users can view own alerts" ON price_alerts FOR SELECT USING (auth.uid() = user_id);
+CREATE POLICY "Users can insert own alerts" ON price_alerts FOR INSERT WITH CHECK (auth.uid() = user_id);
+CREATE POLICY "Users can update own alerts" ON price_alerts FOR UPDATE USING (auth.uid() = user_id);
+CREATE POLICY "Users can delete own alerts" ON price_alerts FOR DELETE USING (auth.uid() = user_id);
+
+GRANT SELECT, INSERT, UPDATE, DELETE ON price_alerts TO authenticated;
+
+-- ============================================
+-- 4. NOTIFICATIONS (Bildirimler)
+-- Kullanıcıya gösterilen bildirimler
+-- ============================================
+CREATE TABLE IF NOT EXISTS notifications (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+  type TEXT NOT NULL CHECK (type IN ('alert', 'trade', 'system', 'news', 'ml_signal')),
+  title TEXT NOT NULL,
+  message TEXT,
+  data JSONB,
+  is_read BOOLEAN DEFAULT FALSE,
+  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
+);
+
+CREATE INDEX idx_notifications_user ON notifications(user_id, is_read, created_at DESC);
+CREATE INDEX idx_notifications_unread ON notifications(user_id, created_at DESC) WHERE is_read = FALSE;
+
+COMMENT ON TABLE notifications IS 'Kullanıcı bildirimleri';
+
+-- RLS
+ALTER TABLE notifications ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "Users can view own notifications" ON notifications FOR SELECT USING (auth.uid() = user_id);
+CREATE POLICY "Users can update own notifications" ON notifications FOR UPDATE USING (auth.uid() = user_id);
+CREATE POLICY "Users can delete own notifications" ON notifications FOR DELETE USING (auth.uid() = user_id);
+-- System can insert for any user (via service role)
+CREATE POLICY "Service can insert notifications" ON notifications FOR INSERT WITH CHECK (true);
+
+GRANT SELECT, UPDATE, DELETE ON notifications TO authenticated;
+-- INSERT requires service_role (backend inserts notifications)
+
+-- ============================================
+-- 5. FIX PORTFOLIOS TABLE
+-- Mevcut tablo stock_id FK gerektiriyor ama frontend symbol string kullanıyor
+-- Alternatif: symbol-based portfolio column ekliyoruz
+-- ============================================
+ALTER TABLE portfolios ADD COLUMN IF NOT EXISTS symbol TEXT;
+ALTER TABLE portfolios ALTER COLUMN stock_id DROP NOT NULL;
+
+-- Symbol-based unique constraint (stock_id artık zorunlu değil)
+-- Eski constraint kaldırma güvenli — zaten veri yok
+DO $$
+BEGIN
+  -- Drop old unique if exists
+  IF EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'portfolios_user_id_stock_id_key') THEN
+    ALTER TABLE portfolios DROP CONSTRAINT portfolios_user_id_stock_id_key;
+  END IF;
+EXCEPTION WHEN OTHERS THEN NULL;
+END $$;
+
+-- Yeni unique: user_id + symbol
+CREATE UNIQUE INDEX IF NOT EXISTS idx_portfolios_user_symbol ON portfolios(user_id, symbol) WHERE symbol IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_portfolios_symbol ON portfolios(symbol);
+
+-- ============================================
+-- 6. PORTFOLIO SNAPSHOTS (Günlük portföy değeri)
+-- Equity curve çizmek için
+-- ============================================
+CREATE TABLE IF NOT EXISTS portfolio_snapshots (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+  date DATE NOT NULL,
+  total_value DECIMAL(14,2) NOT NULL,
+  total_cost DECIMAL(14,2) NOT NULL,
+  cash_balance DECIMAL(14,2) DEFAULT 0,
+  positions_count INTEGER DEFAULT 0,
+  daily_pnl DECIMAL(12,2),
+  daily_pnl_pct DECIMAL(6,2),
+  created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
+  UNIQUE(user_id, date)
+);
+
+CREATE INDEX idx_portfolio_snapshots_user ON portfolio_snapshots(user_id, date DESC);
+
+COMMENT ON TABLE portfolio_snapshots IS 'Günlük portföy snapshots — equity curve için';
+
+-- RLS
+ALTER TABLE portfolio_snapshots ENABLE ROW LEVEL SECURITY;
+CREATE POLICY "Users can view own snapshots" ON portfolio_snapshots FOR SELECT USING (auth.uid() = user_id);
+CREATE POLICY "Users can insert own snapshots" ON portfolio_snapshots FOR INSERT WITH CHECK (auth.uid() = user_id);
+
+GRANT SELECT, INSERT ON portfolio_snapshots TO authenticated;
+
+-- ============================================
+-- 7. USEFUL FUNCTIONS
+-- ============================================
+
+-- Get user portfolio summary
+CREATE OR REPLACE FUNCTION get_user_portfolio_summary(p_user_id UUID)
+RETURNS JSONB AS $$
+DECLARE
+  result JSONB;
+BEGIN
+  SELECT jsonb_build_object(
+    'positions_count', COUNT(*),
+    'total_cost', COALESCE(SUM(quantity * avg_purchase_price), 0),
+    'symbols', COALESCE(jsonb_agg(DISTINCT symbol), '[]'::jsonb)
+  ) INTO result
+  FROM portfolios
+  WHERE user_id = p_user_id AND quantity > 0;
+
+  RETURN COALESCE(result, '{}'::jsonb);
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+-- Get user trade stats
+CREATE OR REPLACE FUNCTION get_user_trade_stats(p_user_id UUID)
+RETURNS JSONB AS $$
+DECLARE
+  result JSONB;
+BEGIN
+  SELECT jsonb_build_object(
+    'total_trades', COUNT(*),
+    'buy_count', COUNT(*) FILTER (WHERE side = 'BUY'),
+    'sell_count', COUNT(*) FILTER (WHERE side = 'SELL'),
+    'total_volume', COALESCE(SUM(quantity * price), 0),
+    'first_trade', MIN(trade_date),
+    'last_trade', MAX(trade_date)
+  ) INTO result
+  FROM user_trades
+  WHERE user_id = p_user_id;
+
+  RETURN COALESCE(result, '{}'::jsonb);
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+-- ============================================
+-- 8. AUTO-CREATE PROFILE ON SIGNUP
+-- Trigger: auth.users INSERT → user_profiles INSERT
+-- ============================================
+CREATE OR REPLACE FUNCTION handle_new_user()
+RETURNS TRIGGER AS $$
+BEGIN
+  INSERT INTO user_profiles (id, display_name, settings)
+  VALUES (
+    NEW.id,
+    COALESCE(NEW.raw_user_meta_data->>'display_name', split_part(NEW.email, '@', 1)),
+    jsonb_build_object(
+      'theme', 'light',
+      'language', 'tr',
+      'notifications', true,
+      'default_period', '1M'
+    )
+  )
+  ON CONFLICT (id) DO NOTHING;
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;
+
+-- Drop old trigger if exists, then create
+DROP TRIGGER IF EXISTS on_auth_user_created ON auth.users;
+CREATE TRIGGER on_auth_user_created
+  AFTER INSERT ON auth.users
+  FOR EACH ROW
+  EXECUTE FUNCTION handle_new_user();
+
+-- ============================================
+-- DONE
+-- ============================================
+DO $$ BEGIN
+  RAISE NOTICE '✅ User features migration completed!';
+  RAISE NOTICE 'New tables: user_trades, favorites, price_alerts, notifications, portfolio_snapshots';
+  RAISE NOTICE 'Fixed: portfolios now supports symbol-based (not only stock_id FK)';
+  RAISE NOTICE 'Added: auto-create user_profiles on signup trigger';
+END $$;

trading/auto_trader.py

@@ -54,7 +54,6 @@ from trading.risk_gate import RiskGate, RiskLimits
 from trading.circuit_breaker import CircuitBreaker
 from trading.db_store import TradingStore
 from trading.model_risk import ModelRiskManager
-from data.stock_data_api import get_stock_data_for_api
 
 logger = logging.getLogger("trading.auto_trader")
 
@@ -337,6 +336,7 @@ def run_trading_cycle(
     logger.info("Step 2: Checking existing positions for SL/TP/expiry...")
     for sym, pos in list(broker._positions.items()):
         try:
+            from data.stock_data_api import get_stock_data_for_api
             ticker = sym if sym.endswith(".IS") else f"{sym}.IS"
             df_px = get_stock_data_for_api(ticker, period="5d", interval="1d")
             if df_px is None or df_px.empty: