Trust Boundaries
- Platform ↔ TopstepX: API key authentication required
- Platform ↔ Database: Connection string authentication
- Users ↔ Platform: Session-based authentication (Google OAuth)
- TradingView ↔ Platform: Webhook endpoint (no authentication on the endpoint itself; the handler validates the user_id carried in the payload)
Data Flows
- TradingView → Platform: Trade signals (symbol, direction, entry, stop, TP)
- Platform → TopstepX: Account queries, order placement, trade history
- TopstepX → Platform: Account balance, equity, realized P&L, open positions
- Platform ↔ Database: Risk config, trade records, user settings, logs
Security Notes
- TradingView webhooks include user_id in payload (validated server-side)
- TopstepX API requires API key stored in database (encrypted at rest)
- Database credentials stored in environment variables
- All external communication uses HTTPS
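As an added example (not code from the platform described here), the server-side validation a webhook handler applies to an incoming TradingView signal: it rejects malformed JSON, user_id values not tied to a known account, and signals whose symbol, direction, entry, stop and TP fields are missing, non-numeric or inconsistent. The user registry, field names and price-ordering rule are assumptions.

```python
import json
from dataclasses import dataclass

# Constructed registry of known user ids; the real platform would look these up in the database.
KNOWN_USERS = {"u-1001", "u-1002"}
DIRECTIONS = {"long", "short"}
REQUIRED = ("user_id", "symbol", "direction", "entry", "stop", "tp")


@dataclass
class Signal:
    user_id: str
    symbol: str
    direction: str
    entry: float
    stop: float
    tp: float


def parse_signal(raw: bytes, known_users=KNOWN_USERS):
    """Return (Signal, None) on success or (None, reason) when the payload is rejected."""
    try:
        payload = json.loads(raw)
    except ValueError:
        return None, "malformed JSON"
    if not isinstance(payload, dict):
        return None, "payload is not an object"
    missing = [k for k in REQUIRED if k not in payload]
    if missing:
        return None, "missing fields: " + ", ".join(missing)
    # Server-side user_id validation: anything not tied to a known account is dropped.
    user_id = payload["user_id"]
    if not isinstance(user_id, str) or user_id not in known_users:
        return None, "unknown user_id"
    direction = payload["direction"]
    if direction not in DIRECTIONS:
        return None, "invalid direction"
    prices = {}
    for k in ("entry", "stop", "tp"):
        v = payload[k]
        if isinstance(v, bool) or not isinstance(v, (int, float)):
            return None, k + " must be numeric"
        prices[k] = float(v)
    entry, stop, tp = prices["entry"], prices["stop"], prices["tp"]
    # Sanity check: stop and take-profit must sit on the correct sides of the entry price.
    if direction == "long" and not (stop < entry < tp):
        return None, "stop/tp inconsistent with long entry"
    if direction == "short" and not (tp < entry < stop):
        return None, "stop/tp inconsistent with short entry"
    return Signal(user_id, str(payload["symbol"]), direction, entry, stop, tp), None
```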