Your keys. Your machine. Your call.
AES-256-GCM encrypted vault · SEBI-ready audit trail · circuit-breaker aware guards · no broker passwords, no plaintext, no cloud retention.
The vault
Broker API keys live encrypted — per user, per session.
scrypt key derivation against a per-user salt. Same broker secret, different user → different ciphertext → no shared-state attack surface.
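An added example, not code from the project's CredentialVault.ts: a Node.js round trip for the salt:iv:authTag:ciphertext row format this page gives, showing that a row decrypts only for the user it was written for and that a modified row fails the GCM tag check. The function names, demo secret, user IDs and 16-byte salts are assumptions made for illustration.

```javascript
const { createCipheriv, createDecipheriv, randomBytes, scryptSync } = require('node:crypto');

// Constructed demo secret (assumption); a real deployment loads this from its secret store.
const ENCRYPTION_SECRET = 'demo-only-master-secret';

function deriveKey(userId, salt) {
  // Binding userId into the scrypt input gives every user a distinct 256-bit key.
  return scryptSync(ENCRYPTION_SECRET + ':' + userId, salt, 32);
}

function encryptForUser(userId, salt, plaintext) {
  const iv = randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = createCipheriv('aes-256-gcm', deriveKey(userId, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), ct].map(b => b.toString('base64')).join(':');
}

function decryptForUser(userId, row) {
  const parts = row.split(':');
  if (parts.length !== 4) throw new Error('malformed vault row');
  const [salt, iv, authTag, ct] = parts.map(p => Buffer.from(p, 'base64'));
  // Reject short IVs and truncated tags before handing them to GCM.
  if (iv.length !== 12 || authTag.length !== 16) throw new Error('bad iv or tag length');
  const decipher = createDecipheriv('aes-256-gcm', deriveKey(userId, salt), iv, { authTagLength: 16 });
  decipher.setAuthTag(authTag);
  // final() throws when the tag does not verify: wrong user, wrong secret or altered bytes.
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

function canDecrypt(userId, row) {
  try { decryptForUser(userId, row); return true; } catch { return false; }
}

// Flip one bit of the ciphertext field to simulate modification at rest.
function flipCiphertextBit(row) {
  const parts = row.split(':');
  const ct = Buffer.from(parts[3], 'base64');
  ct[0] ^= 0x01;
  parts[3] = ct.toString('base64');
  return parts.join(':');
}

// Constructed sample data: two users storing the same broker secret.
const saltA = randomBytes(16), saltB = randomBytes(16);
const rowA = encryptForUser('user-a', saltA, 'broker-api-key-123');
const rowB = encryptForUser('user-b', saltB, 'broker-api-key-123');
console.log('rows differ:', rowA !== rowB);
console.log('owner decrypts:', decryptForUser('user-a', rowA));
console.log('other user decrypts:', canDecrypt('user-b', rowA));
console.log('tampered row decrypts:', canDecrypt('user-a', flipCiphertextBit(rowA)));
```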
CredentialVault.ts
Format: salt:iv:authTag:ciphertext · base64 · colon-separated
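```ts
import { createCipheriv, randomBytes, scryptSync } from 'crypto'

// ENCRYPTION_SECRET, userId, salt and plaintext are supplied by the caller.
const derivedKey = scryptSync(
  ENCRYPTION_SECRET + ':' + userId,
  salt,
  32
)
const iv = randomBytes(12) // fresh 96-bit nonce per encryption
const cipher = createCipheriv('aes-256-gcm', derivedKey, iv)
// update() and final() return Buffers; "+" would coerce them to strings
const ct = Buffer.concat([cipher.update(plaintext), cipher.final()])
const authTag = cipher.getAuthTag()
const row = [salt, iv, authTag, ct].map(b => b.toString('base64')).join(':')
```
Risk guards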
Seven guardrails. Every one overridable.
Defaults tuned for Indian market hours and SEBI ALGO guidelines. Tweak per strategy, per script.
| Guard | Default | Effect |
|---|---|---|
| maxDailyLossPct | 2% | Strategy auto-pauses when unrealised + realised loss exceeds 2% of deployed capital. |
| maxScripExposure | 30% | Per-scrip position capped at 30% of total capital. Prevents single-name blowup. |
| circuitFilterAware | Always | All orders skip stocks currently in upper/lower circuit. Auto-resume when band lifts. |
| minOrderEdgePct | 0.05% post-tax | Orders rejected if post-STT edge < 5 bps. Configurable per strategy. |
| orderRateLimit | 10/sec | Per broker, per minute. SEBI ALGO guideline-compliant. |
| spanMarginBuffer | 15% | F&O shorts reserve 15% over SPAN requirement for intraday MTM swings. |
| maxOpenOrders | 5 per scrip | Prevents iceberg overflow. |
Compliance
SEBI-ready from day one.
Every order carries a unique client-code-tagged ID. Full audit trail exportable for broker or regulator queries.
Order-ID tagged
Every fill traceable to strategy, timestamp, IP, client code
CAS-mapped
Connects to your CDSL/NSDL consolidated statement for full portfolio view
CA-friendly exports
CSV formatted for STCG/LTCG/intraday sections in ITR-2/ITR-3
Trust is a stack, not a slogan.
Every layer above is in production today. Ask hard questions — we ship the answers in code.