Platform architecture

Every layer. Mapped.

Sixty-five business capabilities and seventy technical capabilities across the platform - the substrate, the engines, the operations layer. Most of it stays invisible during a normal trading day. The highlights are grouped below, one card per domain - with the engine that powers each.

65 business capabilities
70 technical capabilities
1.2M lines of code

AI Orchestration

8 capabilities

Chat-driven onboarding, strategy authoring, and execution routing through a 5-stage orchestrator pipeline.

5-stage pipeline, plan-and-approve, per-stage cost ledger
Inside
  • 5-stage orchestrator pipeline
    Normalize → Route (Haiku) → Context (Sonnet, parallel) → Guardrail (Haiku) → Composer (deterministic) → Frontier (Opus, hop-capped)
  • MCP gateway
    Session-scoped servers across 14 sibling clusters; tools scoped to the speaker's permissions
  • Plan-and-approve workflow
    Write-intent persists as a plan artifact; approver permissions re-checked at execute; idempotent on replay
  • Three-tier conversation memory
    Session 16K chars, user 10K chars, pool 10K chars - independent sharding axes
  • Per-user AI cost ledger
    Router / Context / Guardrail / Composer / Frontier / Tool / BatchApply rows; 1M tokens or 50 USD per 24h
  • Cancel & replay-safe AI runs
    6 run states; 30-day retention; mid-flight cancel never leaves the UI hanging
  • Multi-provider LLM transport
    Per-provider and per-model circuit breaker; full-jitter exponential backoff; Anthropic + OpenAI + Bedrock + Local
  • Encrypted secret vending
    Provider API keys AES-256-GCM encrypted column-side; catalog changes broadcast under 1s

Vault & Custody

9 capabilities

The most complex engine we ship - 13,499 lines, 20 sibling clusters - because custody is the only thing we refuse to keep simple.

13,499-line engine, custody-free, mTLS, our own PKI
Inside
  • Vault service - 13,499 lines
    4,079 code + 6,996 settings, 10 services, 8 outer API handlers, 5 WebSocket topics, 20 sibling clusters
  • Custody-free / sovereign vault model
    Funds stay on your exchange or wallet - we orchestrate flows, never hold the keys
  • Whitelist enforcement
    Withdrawals only reach pre-approved addresses; deposit and withdraw flows tracked step by step
  • Token barriers for real-time revocation
    Per-user, per-IP, per-pool revocation; 60s eviction worker; no central blacklist DB
  • Three-tier token system
    Outer (60min-24h), inner (5-20min self-renewing), danger (10min, locked to one operation on one resource)
  • AES-256-GCM with AAD context binding
    12-byte IV, 16-byte GCM auth tag, AAD = id:name - a secret for container A cannot decrypt as B
  • Internal PKI with ECDSA P-384
    CFSSL v1.6.5 pinned; 5-year CA, 3-year child certs; no internet PKI dependency
  • mTLS certificate distribution
    6 cert types over a signed internal channel; hot-reload, so cert rotation never takes anything offline
  • Dual-layer permission model
    Platform hierarchy (None → Architect) crossed with pool hierarchy (Participant → Owner)

Strategy Engine

5 capabilities

16,083 lines of strategy service and a 4,852-line flow engine - the second largest piece we ship.

16K-line strategy engine, JSON-defined, no compilation
Inside
  • Strategy service - 16,083 lines
    3,373 code + 6,793 settings, 17 services, 11 outer API handlers, 18 sibling clusters
  • Flow engine for multi-step trades
    4,852 lines; one orchestrator behind every buy, sell, convert, transfer, rebalance, deposit, withdraw
  • JSON-defined strategies
    No compilation, no programming knowledge - complex metrics, limits, actions, and states in a single profile
  • Profile system: catalogs + controls
    What strategies can do, how they are tuned per instance; non-engineers ship new variants
  • Per-strategy exception tracking + metric service
    Every exception logged per-strategy; dedicated metric service feeds backtest and comparison

Execution & Markets

7 capabilities

One order schema across every venue. 14 services in the exchanges feature alone.

Unified spot orders, immutable P&L, VWAP across exchanges
Inside
  • Unified spot order model
    2,270-line order feature; one schema across venues; MCP-exposed so AI can manage orders
  • Immutable trade history
    2,279 lines; append-only ledger, continuous P&L gap computation, cached COUNT(*)
  • Exchanges registry
    Largest feature by service count - 14 services, 7 outer API handler groups, per-venue isolation + kill-switch
  • Multi-type fetcher fleet
    16+ fetcher types covering CEX, DEX, and central-bank macro (Fed policy rates included)
  • VWAP cross-exchange pricing
    Compound sharding key baseSymbolKey/quoteSymbolKey; 100ms aggregation, 5,000-item batch persistence
  • Chain + bridge catalogs
    11 chain services, 6 bridge services; every chain knows its bridges, assets, and wallets
  • On-chain transactions with dual sync
    Reconciled against both the vault and the strategy that triggered it, in real time

Market Intelligence

6 capabilities

Heatmap-first asset catalog, exchange capability flags, and a five-tab chain drill-down.

5-mode heatmap, 30 venue flags, chain drill-down
Inside
  • Heatmap asset catalog
    5-mode size dimension (24h vol / dominance / price) × 5-window color dimension (now / 1h / 24h / 1w / 1m)
  • Exchange detail with 30 capability flags
    802 lines; spot, margin, futures, options, P2P, OTC, swap, DEX, NFT, staking, lending, deposit / withdraw methods
  • Five-tab chain drill-down
    Assets, Markets, Exchanges, Bridges, Wallets - each preserves chain context across sub-detail pages
  • Multi-timeframe market terminal
    Per-exchange pair comparison, live orderbook + ticker streams, smart-route estimator
  • Aggregated user limits
    Rate and volume caps based on subscription tier and KYC level, enforced at API layer before feature logic
  • Country / zone / region metadata
    One authoritative country registry with phone codes; feeds address forms, KYC, payment routing

Pools, Store & Billing

8 capabilities

Multi-user organizations with investors, segments, fees, and a store carrying servers, nodes, strategies, and vaults.

23-service pool, 28-service store, plan-tier API gating
Inside
  • Pool / investor primitive
    23 services (10 core + 13 social); investor, transaction, segment, alert, poll, todo - substrate for funds and family offices
  • Store catalog
    Largest feature by service count - 28 services; per-type product schema with definitions, access, profiles, ratings
  • Plan-tier API gating
    Tiers don't just hide UI - they gate the API via UserPlanLevel in the permission middleware
  • Node / server lifecycle over WebSocket
    10 messages: bye, deploy, error, hello, notify, pause, running, stop, sync, undeploy - live in the UI
  • Crypto deposit address service
    Customers can pay in crypto; deposit addresses managed inside accounting with the same audit trail as fiat
  • Coupon + credit balance system
    Built-in coupon engine and credit-balance ledger; dispute resolution and promo without external billing tools
  • Country-aware payment methods
    Payment availability scoped per jurisdiction so the right rails show up for the right country
  • Run-trace artifact for AI approval audit
    Every approved AI plan can persist a full run-trace artifact (ai-run-trace.v1) for after-the-fact review

Sharding & Routing

6 capabilities

Every record lands in one of 32,767 deterministic slots. Add a server and traffic routes itself.

32,767 slots, XXHash, 4 invocation types
Inside
  • XXHash slot sharding across 32,767 slots
    Slot range [1, 32767], the positive range of a PostgreSQL smallint; same algorithm in proxy, app, and DB layers
  • DatabaseManager query builder
    2,843 lines, 100+ methods; auto slot assignment, parameterized #-placeholders, upsert with detected unique fields
  • Slot-aware cluster calls
    ShardedSingle, ShardedMulticast, ShardedBatched, Broadcast - all in a single API; O(log n) slot lookup
  • At-least-once retry with deterministic ensure keys
    Durable _replays table; 20-batch tick, 1,000 max retries; 5s initial delay, 15s graceful drain
  • Etcd-backed platform discovery
    32K+ line entities file; 30s lock TTL; sequential entity-graph load on startup
  • 3-tier leader election
    Per-container, per-domain, and per-feature leaders - cert rotation, backups, and coordination never collide

WebSocket & Real-time

5 capabilities

1,308-line gateway, 100ms batched push, 4-state subscription lifecycle.

100ms batches, pub/sub topics, 4-state lifecycle
Inside
  • WebSocket gateway with topic pub/sub
    1,308-line gateway, 806-line topic manager; 3-level subscription tree; 100ms batched push
  • Two-phase aggregation pipeline
    100ms in-memory aggregation worker + 5,000-item batched persistence every 5min + 500ms broadcast
  • 4-state watch lifecycle
    Pending → Committed → RePending → Unwatched; exponential backoff 2s-20s; reconnect on auth change
  • Debounced diff broadcasting
    500ms handler-level + 500ms global-level debounce prevents request storms on multi-tab idle re-activation
  • Self-hosted snapshot manager
    4,364 lines; temporal sampling (hourly / daily), spatial binning (per-market, per-asset), gap healing

Security & PKI

7 capabilities

Our own certificate authority, mTLS by default, three token types - and a danger token locked to one operation on one resource.

Own PKI, mTLS default, AAD-bound secrets
Inside
  • Token barriers for real-time revocation
    450-line manager, 60s eviction worker; per-user / per-IP / per-pool revocation
  • Three-tier token system
    Outer 60min-24h, inner 5-20min self-renewing, danger 10min locked to one operation on one resource
  • AES-256-GCM with AAD context binding
    404-line SecretManager; AAD = id:name; a secret for container A cannot decrypt as B
  • CFSSL internal PKI with ECDSA P-384
    592-line wrapper; 5-year CA, 3-year child certs; no internet PKI dependency
  • mTLS certificate distribution
    602-line handler, 6 cert types; SHA256-signed timestamp with ±10s window
  • Dual-layer permission model
    516-line permission core; platform hierarchy crossed with pool hierarchy
  • Ray-ID error tracking
    Every internal error carries a ray ID returned to the client for distributed-fleet tracing

Cluster & State

5 capabilities

4 granularity levels of state across container, feature, app-feature, and application. Drain one shard while the rest keeps trading.

4-level state machines, 16-state app lifecycle
Inside
  • 4-level state machines
    Platform / Feature / ApplicationFeature / Application states; 16 transitions on Application (Init → Deploying → … → Exited)
  • Traefik mTLS mesh
    530-line Traefik wrapper, 710-line proxy manipulator; mTLS by default (RequireAndVerifyClientCert)
  • 3-tier rate limiting
    API, WebSocket, Static tiers each with separate burst / average / period configurable in PlatformInfo
  • Heartbeat metrics every 60s
    715-line ticks manager; CPU user / system, memory RSS / heap, event-loop lag, warn / error counters - no Prometheus dependency
  • Cluster class with 1,088 lines
    Four invocation types over mTLS - ShardedSingle, ShardedMulticast, ShardedBatched, Broadcast - in one API

AI Provider Layer

5 capabilities

Aggregated catalog, encrypted secret vending, per-provider circuit breaker, three-tier memory.

Circuit breaker, AAD-bound secrets, three-tier memory
Inside
  • Multi-provider LLM transport
    1,896-line provider helper; 5 failures / 60s opens breaker, 30s half-open; full-jitter exponential backoff
  • Aggregated AI catalog
    1,680-line admin handler; orchestrator flavors Miro1 (default) / Piro1 / Piro2 / Local
  • Encrypted secret vending
    Provider secrets AES-256-GCM, column-side; catalog changes broadcast to every shard under 1s
  • Three-tier memory
    Session (16K chars / 40 entries), user (10K / 60), pool (10K / 60) - independent sharding axes
  • MCP gateway
    Session-scoped servers wired into 14 sibling clusters; tools split by permission level (Associate / Moderator)

HTTP & API Framework

5 capabilities

Every list endpoint speaks the same query language. One SDK pattern works across every resource.

Versioned /v1, 14-cluster reach, scoped keys
Inside
  • Versioned /v1 partner API
    1 service reaching 14 sibling clusters; 10 outer handlers under /platform-api/:anyKey/v1
  • API key scoping by feature group
    Public groups (assets, markets, exchanges, blockchain) serve open data; private groups (trading, vaults, strategies, nodes, pools) require scoped keys
  • API key lifecycle integrated with user / pool
    Delete a user or pool and their API keys revoke in the same operation - no orphan credentials
  • Standardized list-endpoint framework
    1,203-line handler framework; 10-500 pagination, 256-char search cap, typed error responses
  • Excel export with formulas
    188-line helper; live formulas, total-row support, in-memory buffer - no third-party service

Data & Aggregation

5 capabilities

Same engine pulls Binance ticker data, Uniswap gas prices, and Fed policy rates.

Hot 100ms + cold 5min, 16+ fetcher types
Inside
  • Two-phase aggregation pipeline
    Hot data 100ms in-memory; cold data 5,000-row batches every 5min; broadcast every 500ms
  • Multi-type fetcher fleet
    16+ types: CEX market data, DEX (gas, portfolio, token), TradFi (Fed policy, inflation, bond benchmark, M2)
  • Snapshot manager 4,364 lines
    Self-hosted time-series engine that any service can opt into; gap healing built-in
  • DatabaseManager
    2,843 lines, 100+ methods; auto slot assignment; approximate count/size from pg_class to avoid full table scans
  • Compound sharding for trading pairs
    Each pair sharded by both legs - VWAP, best-ask, best-bid, spread co-located and synced within 100ms

Build & Tooling

4 capabilities

Distributed certificate generation, automated container scaling, daily backups - we wrote the operations layer too.

Own load balancer, no Prometheus, daily backups
Inside
  • Codebase linter enforces house style
    Built-in validate.config rules: no collections, no console, const usage - machine-checked at every commit
  • Distributed cert generation and management
    Including Let's Encrypt; cert rotation hot-reload across the fleet
  • Automated container scaling up / down
    Cluster management + networking + resilience + database replication, daily automated backups
  • Context-aware load balancer
    In-house Go modifications; DNS-level routing of sharded containers (Users, Pools, Strategies, Exchanges, Markets)

Read further

Two more places to dig deeper.

The AI compliance brief covers governance, data flows, and the regulatory posture. The security page covers PKI, token barriers, and how custody-free actually works.