Security
paranoid by design · last reviewed 2026-05-04
Thetaghost is being built to be trusted with brokerage credentials and the contents of a trader’s journal. The architecture below is not aspirational — it is enforced by code, by tests, and by written invariants in the public ADR set. Anything that would weaken these invariants requires a new ADR and is treated as a shipping blocker.
Read-only brokerage connection
The IBKR connector cannot place, modify, or cancel orders. There is no placeOrder, no cancelOrder, no modifyOrder code path anywhere in the product. When the dashboard surfaces an action you might take, it does so as a deep link into TWS. Your broker never receives instructions from us — only requests for your own data.
Zero-knowledge encryption for journal content
Voice memos, transcripts, typed journal entries, and captured rationale are stored as ciphertext only. The key-encryption key (KEK) is derived from your password using Argon2id (m=64MiB, t=3, p=1) and lives in request scope only — never cached, never written to disk, never logged. Envelopes are AES-256-GCM with versioned framing (ENVELOPE_VERSION_CURRENT) so cryptographic upgrades are forward-compatible. Every customer holds a different data-encryption key (DEK); DEKs are never shared across users.
Operational metadata — positions, strikes, expiries, P&L — stays plaintext server-side because the integrity engine needs to read it. That trade-off is documented in ADR-0002. We chose a narrow rather than universal zero-knowledge envelope on purpose, and we say so plainly.
Mandatory TOTP MFA
Every customer account ships with TOTP multi-factor authentication enabled and required from day one. There is no opt-out for paid tiers. Recovery codes are generated at enrollment and shown once.
No third-party trackers
The dashboard ships with zero third-party analytics, advertising, or behavioural tracking. If we ever add analytics, it will be self-hosted Plausible or equivalent and disclosed before customer launch.
Per-account isolation
Every SQL query filters by account_id. Every cache key includes (user_id, account_id). The integrity engine processes one account at a time. A multi-account user cannot see one account’s alerts attributed to another account. This isolation is enforced at every layer, not just the UI.
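One way the three layers named above (query filter, cache key, one-account-at-a-time processing) can be made hard to forget, as an added example rather than Thetaghost's code: a repository object bound to a single (user_id, account_id) pair at construction, a cache-key builder that refuses to omit either identifier, and a lint that rejects any SQL text lacking a parameterised account_id predicate. The sample rows, table and column names, and the SQL placeholder style are assumptions.

```javascript
// Added illustration of per-account isolation (not Thetaghost's code). The
// sample rows, table/column names and the SQL lint are assumptions.
const SAMPLE_ALERTS = [ // constructed sample data
  { id: 1, user_id: "u1", account_id: "U111", text: "your rule says max 5 open positions; is at 6" },
  { id: 2, user_id: "u1", account_id: "U222", text: "stop is at 1.20; would trigger at 1.25" },
  { id: 3, user_id: "u2", account_id: "U333", text: "your rule says no earnings exposure" },
];

// Cache keys always carry both identifiers, so two accounts of one user (or one
// account id seen under two users) can never collide. Parts may not contain the
// separator, otherwise "u1:U222" + "x" and "u1" + "U222:x" would alias.
function cacheKey(userId, accountId, name) {
  for (const part of [userId, accountId, name]) {
    if (typeof part !== "string" || part === "" || part.includes(":")) throw new Error("bad cache key part");
  }
  return `${userId}:${accountId}:${name}`;
}

// CI-style lint: a statement against an account-scoped table must bind
// account_id to a parameter ($n, ? or :account_id), never to a literal.
function assertAccountScoped(sql) {
  if (!/\baccount_id\s*=\s*(\$\d+|\?|:account_id)/i.test(sql)) {
    throw new Error(`unscoped query: ${sql}`);
  }
  return true;
}

// The repository is bound to exactly one (user, account) pair when built, so the
// identifiers are not parameters of the query methods and cannot be left out.
class ScopedAlerts {
  constructor(rows, userId, accountId) {
    this.rows = rows;
    this.userId = userId;
    this.accountId = accountId;
  }
  // In-memory stand-in for the database; the SQL string is what the lint checks.
  listIds() {
    const sql = "SELECT id, text FROM alerts WHERE user_id = $1 AND account_id = $2";
    assertAccountScoped(sql);
    return this.rows
      .filter((r) => r.user_id === this.userId && r.account_id === this.accountId)
      .map((r) => r.id);
  }
  cacheKeyFor(name) {
    return cacheKey(this.userId, this.accountId, name);
  }
}
```

The test a reviewer would want here is the negative one: the same user asking for a different account gets a different result set and a different cache key, and a query that filters on user_id alone, or on a literal account id, is rejected before it runs.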
No “should / recommend / suggest” copy
By policy, no auto-generated text in the product uses the words should, recommend, or suggest. Alerts say your rule says, is at, would trigger — never you should close. This keeps the product cleanly outside investment-adviser territory and is enforced by a CI grep gate, not just a style guide. See ADR-0003.
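A gate of the kind described above, written here as an added example and not Thetaghost's actual CI check: it scans generated copy for the banned words with word boundaries, so "shoulder" or "shouldering" do not trip it, and reports line and column for each hit. Treating common inflections (recommends, recommendation, suggested, suggestion) as the same word is an assumption that goes slightly beyond the three words the page names.

```javascript
// Added illustration of the copy gate (not Thetaghost's CI check). Matching the
// inflected forms is an assumption; the page names only should/recommend/suggest.
const ADVICE_WORDS = /\b(should|recommend(?:s|ed|ation|ations)?|suggest(?:s|ed|ion|ions)?)\b/gi;

// Returns every hit as { line, col, word } (1-based), empty when the copy is clean.
function findAdviceWords(text) {
  const hits = [];
  text.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(ADVICE_WORDS)) {
      hits.push({ line: i + 1, col: m.index + 1, word: m[0] });
    }
  });
  return hits;
}

// Gate over a set of generated-copy files ({ path, text }); a CI step would exit
// non-zero when this returns false and print `violations` as the reason.
function copyGate(files) {
  const violations = [];
  for (const f of files) {
    for (const h of findAdviceWords(f.text)) violations.push({ path: f.path, ...h });
  }
  return { ok: violations.length === 0, violations };
}
```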
Infrastructure
Thetaghost is incorporated federally in Canada (CBCA). Production is hosted on Cloudflare Pages with a managed Postgres backend. Secrets are managed in Cloudflare Pages and a self-hosted vault that auto-shreds on first reveal. The brokerage connection runs from the user’s own environment in v0; managed connections come later and will be documented before they ship.
Reporting an issue
Security disclosures: [email protected]. We aim to acknowledge within 24 hours. Please disclose privately first; we will credit you publicly after a fix ships if you want the credit.
thetaghost · CBCA-incorporated · read-only by architecture · zero-knowledge for what you say