Trust Boundaries
- Frontend ↔ Backend: HTTP/HTTPS API calls only (no direct database or TopstepX access)
- Backend ↔ Database: PostgreSQL connection pool (credentials from env)
- Backend ↔ TopstepX: REST API + SignalR WebSocket (API key from database)
Forbidden Paths (Red Dashed)
- ❌ Frontend → Database (direct)
- ❌ Frontend → TopstepX (direct)
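
The two forbidden paths can be enforced in CI with a static import check. The following is an added example, not code from this project; it assumes frontend sources live under frontend/, that the database is reached through one of the npm PostgreSQL drivers listed, and that TopstepX access goes through modules with "topstepx" in their path or through @microsoft/signalr.

```javascript
// Added example: flags frontend files that import across a forbidden boundary.
// Assumptions (not from the page): the frontend/ directory prefix, the driver
// package names, and "topstepx" appearing in TopstepX module paths.
const FORBIDDEN = [
  { rule: "Frontend → Database (direct)",
    test: (s) => /^(pg|pg-pool|pg-promise|postgres)(\/|$)/.test(s) },
  { rule: "Frontend → TopstepX (direct)",
    test: (s) => /topstepx/i.test(s) || s === "@microsoft/signalr" },
];

// Captures the module specifier in: import x from "m", import "m",
// export ... from "m", require("m") and dynamic import("m").
const SPECIFIER =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(["'])([^"']+)\1/g;

// files: object mapping repository-relative path -> source text.
// Returns one record per forbidden import found in a frontend file.
function findBoundaryViolations(files) {
  const violations = [];
  for (const [path, source] of Object.entries(files)) {
    if (!path.startsWith("frontend/")) continue; // backend may use both
    source.split("\n").forEach((line, i) => {
      for (const m of line.matchAll(SPECIFIER)) {
        for (const { rule, test } of FORBIDDEN) {
          if (test(m[2])) {
            violations.push({ path, line: i + 1, specifier: m[2], rule });
          }
        }
      }
    });
  }
  return violations;
}

// Constructed sample input (hypothetical file names and contents).
const SAMPLE_FILES = {
  "frontend/src/RiskPanel.jsx":
    'import { getRiskState } from "./api/backend";\n',
  "frontend/src/debug.js":
    'const { Pool } = require("pg");\n' +
    'import { getState } from "../../backend/topstepxRiskState.js";\n',
  "backend/db.js": 'const { Pool } = require("pg");\n',
};

for (const v of findBoundaryViolations(SAMPLE_FILES)) {
  console.log(`${v.path}:${v.line} imports "${v.specifier}" (${v.rule})`);
}
```

The check matches line by line, so a commented-out import is also reported; treat a hit as a prompt for review rather than proof of a live connection.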
Source of Truth Labels
- Risk State (Live Mode): TopstepX API (via topstepxRiskState.js)
- Risk Config: PostgreSQL risk_config table
- Trade History: PostgreSQL alerts and alert_results tables
- Account Credentials: PostgreSQL topstepx_credentials table
Key Responsibilities
- Frontend: UI rendering, user input, display risk state
- API Routes: Request handling, authentication, routing
- Risk Engine Integration: Orchestrates risk calculation with DB/TopstepX
- Risk Engine Core: Pure position sizing logic (no I/O)
- Live Trading Safety: Pre-flight checks before order placement
- TopstepX Risk State: Single source of truth for live account state
- TopstepX API Client: Low-level API communication
- Order Executor: Order building and placement