Security

Your keys. Your machine. Your call.

AES-256-GCM encrypted vault · NFA / CFTC-ready audit trail · weekend-gap aware guards · no broker passwords, no plaintext, no cloud retention.

The vault

Broker API keys live encrypted — per user, per session.

scrypt key derivation against a per-user salt. Same broker secret, different user → different ciphertext → no shared-state attack surface.

CredentialVault.ts

Format: salt:iv:authTag:ciphertext · base64 · colon-separated

derivedKey = scrypt(
  ENCRYPTION_SECRET + ':' + userId,
  salt,
  32
)
iv      = randomBytes(12)
cipher  = createCipheriv('aes-256-gcm', derivedKey, iv)
ct      = Buffer.concat([cipher.update(plaintext), cipher.final()])
authTag = cipher.getAuthTag()
row     = [salt, iv, authTag, ct].map(b => b.toString('base64')).join(':')

OANDA REST, FXCM REST, IG Markets X-API-KEY, IBKR Client Portal, Alpaca REST — all stored the same way.
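
The read path for this row format, as an added example that is not the project's CredentialVault.ts: it parses salt:iv:authTag:ciphertext, checks field lengths, and lets the GCM tag reject a row opened under the wrong user or altered in storage. The function names, the 16-byte salt, Node's default scrypt cost parameters and the sample values are assumptions.

```javascript
// Added example, not the project's code. Names and SALT_LEN are assumptions.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const SALT_LEN = 16; // assumption: the page does not state the salt length
const IV_LEN = 12;   // from the page: randomBytes(12)
const TAG_LEN = 16;  // full-length GCM tag (Node's default for aes-256-gcm)

function deriveKey(secret, userId, salt) {
  // Same derivation input as the page: ENCRYPTION_SECRET + ':' + userId
  return scryptSync(secret + ':' + userId, salt, 32);
}

function sealCredential(secret, userId, plaintext) {
  const salt = randomBytes(SALT_LEN);
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(secret, userId, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), ct].map(b => b.toString('base64')).join(':');
}

function openCredential(secret, userId, row) {
  const parts = row.split(':');
  if (parts.length !== 4) throw new Error('malformed row: expected 4 fields');
  const [salt, iv, authTag, ct] = parts.map(p => Buffer.from(p, 'base64'));
  // Reject unexpected lengths before touching the cipher; a truncated tag weakens GCM.
  if (salt.length !== SALT_LEN || iv.length !== IV_LEN || authTag.length !== TAG_LEN) {
    throw new Error('malformed row: unexpected field length');
  }
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(secret, userId, salt), iv);
  decipher.setAuthTag(authTag);
  // final() throws if the tag does not verify: wrong user, wrong secret, or tampering.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

function canOpen(secret, userId, row) {
  try { openCredential(secret, userId, row); return true; } catch { return false; }
}

// Constructed sample values, not real credentials.
const SECRET = 'constructed-server-secret';
const rowA = sealCredential(SECRET, 'user-a', 'constructed-broker-key');
const rowB = sealCredential(SECRET, 'user-b', 'constructed-broker-key');
```
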

Risk guards

Seven guardrails. Every one overridable.

Defaults tuned for 24/5 forex market hours and NFA Compliance Rule 2-43(b) guidelines. Tweak per strategy, per pair.

| Guard | Default | Effect |
| --- | --- | --- |
| maxDailyLossPct | 2% | Strategy auto-pauses when unrealised + realised loss exceeds 2% of deployed capital. |
| maxPairExposure | 30% | Per-pair position capped at 30% of total equity. Prevents single-pair blowup. |
| weekendGapAware | Always | All positions auto-flatten before Friday 5pm ET rollover when weekend-gap risk exceeds threshold. |
| minOrderEdgePct | 0.03% post-cost | Orders rejected if post-commission edge < 3 bps. Configurable per strategy. |
| orderRateLimit | 10/sec | Per broker, per minute. Respects NFA Compliance Rule 2-43(b) order-placement guidelines. |
| marginSafetyBuffer | 15% | Leveraged positions reserve 15% margin headroom over broker requirement for intraday swings. |
| maxOpenOrders | 5 per pair | Prevents laddering overflow on exotic pairs. |

Compliance

NFA / CFTC-ready from day one.

Every order carries a unique broker-account-tagged ID. Full audit trail exportable for broker or regulator queries.

Order-ID tagged

Every fill traceable to strategy, timestamp, IP, broker account

Cross-broker ledger

Positions from every connected broker merge into one portfolio view

Accountant-friendly exports

CSV formatted for capital-gains and Section 988 forex reporting

Trust is a stack, not a slogan.

Every layer above is in production today. Ask hard questions — we ship the answers in code.