Risk Management
Capital protection is not a feature in TRADEOS.tech — it is a design constraint. The system is built so that no single component failure, no single bad signal, and no single configuration mistake can produce an uncontrolled loss.
Risk is enforced at four independent layers. A trade must pass all four before an order reaches an exchange.
Layer 1 — Signal gating (Signal Engine)
Before a signal reaches the feasibility service, it is evaluated against:
- Minimum confidence threshold — signals below the profile's floor are dropped at the source. Default floors vary by signal type (carry signals require lower confidence than directional signals because they have lower variance).
- Regime compatibility — the HMM classifier labels the current market state (trending, mean-reverting, volatile). Signal generators incompatible with the current regime are suppressed. A mean-reversion signal in a strongly trending market never leaves the engine.
- VPIN crash detection gating — if the VPIN (Volume-Synchronized Probability of Informed Trading) alert level is elevated, directional signal confidence thresholds are raised and position size caps are reduced.
Effect of failure: If the signal engine crashes, no signals are generated and no new intents are published. The system is safe — existing positions continue to be monitored by the exit manager.
Layer 2 — Feasibility validation (Feasibility Service)
Every trade intent passes through the feasibility service before an order can be placed. This is the primary quantitative risk enforcement point.
Checks performed in order:
- Signal confidence floor — re-validated at feasibility with the profile's active threshold
- Kelly position sizing — computes the theoretically optimal position size based on estimated win rate, payoff ratio, and current portfolio value. The result is capped at the profile's maximum single-position size.
- Portfolio concentration limit — rejects trades that would concentrate more than the profile's maximum percentage of portfolio value in a single instrument or sector
- Drawdown state check — if the portfolio has breached a drawdown threshold, the drawdown breaker is active and new long trades are blocked (see Drawdown Protection)
- Market impact check — Almgren-Chriss modeling estimates the permanent and temporary price impact of the proposed order. If impact-adjusted expected value is negative, the trade is rejected
- Venue concentration limit — caps the percentage of portfolio that can be at risk on any single exchange venue
Effect of failure: Feasibility is fail-closed. If the service is unreachable, intents are rejected with a connectivity error. No trade can bypass feasibility.
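The ordered checks and the fail-closed behaviour described above, as an added sketch that is not TRADEOS.tech code. All names (`Intent`, `Profile`, `evaluate`, `gate`), the threshold values and the `no_edge` rejection are assumptions made for illustration; the market impact and venue checks are omitted.

```python
from dataclasses import dataclass

@dataclass
class Intent:
    side: str                   # "long" or "short"
    confidence: float           # signal confidence, 0..1
    win_rate: float             # estimated probability of a winning trade
    payoff_ratio: float         # average win divided by average loss
    instrument_exposure: float  # fraction of portfolio already in this instrument

@dataclass
class Profile:                  # constructed values, not real profile parameters
    min_confidence: float = 0.60
    max_position_frac: float = 0.05
    max_concentration: float = 0.20

def kelly_fraction(p, b):
    """Kelly criterion f* = p - (1 - p) / b, floored at zero."""
    return max(0.0, p - (1.0 - p) / b)

def evaluate(intent, profile, drawdown_breaker_active):
    """Run the checks in order; return (approved, reason, size_fraction)."""
    if intent.confidence < profile.min_confidence:
        return (False, "confidence_below_floor", 0.0)
    # Kelly result is capped at the profile's maximum single-position size.
    size = min(kelly_fraction(intent.win_rate, intent.payoff_ratio),
               profile.max_position_frac)
    if size <= 0.0:             # assumption: a non-positive Kelly size is rejected
        return (False, "no_edge", 0.0)
    if intent.instrument_exposure + size > profile.max_concentration:
        return (False, "concentration_limit", 0.0)
    if drawdown_breaker_active and intent.side == "long":
        return (False, "drawdown_breaker", 0.0)
    return (True, "ok", size)

def gate(intent, call_feasibility):
    """Fail-closed wrapper: any error reaching the service is a rejection."""
    try:
        return call_feasibility(intent)
    except Exception as exc:    # timeout, refused connection, malformed reply
        return (False, "connectivity_error:" + type(exc).__name__, 0.0)
```

The caller never has a code path that places an order without a positive answer from `call_feasibility`; an exception is mapped to the same tuple shape as any other rejection.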
Layer 3 — Position and exit management (Execution Service)
Once a position is open, the exit manager enforces loss limits at the position level:
- Per-trade stop loss — automatically exits if a position's loss exceeds the profile's max_trade_loss_usd parameter
- ATR-based trailing stop — dynamic stop that tightens as a position becomes profitable, locking in gains
- Maximum hold time — positions are closed after the profile's maximum hold time regardless of P&L
- Partial take-profit — scales out at configurable profit targets, reducing risk while maintaining exposure to continued moves
These are enforced by the execution service independently of the signal pipeline. Even if the signal engine stops producing signals, existing positions continue to be managed.
Layer 4 — Systemic safety (Dead-Man's Switch + Kill Switches)
The outermost safety layer handles system-level failures:
Dead-man's switch — the trading loop publishes a heartbeat on a fixed interval. If the heartbeat is absent for longer than the configured timeout, the dead-man's switch activates: all open positions are closed and no new orders are accepted until the switch is manually reset.
Emergency halt — a Redis key can be set to immediately halt all trading activity without restarting any containers. This takes effect within one heartbeat cycle (< 5 seconds). Positions are closed, intents are drained, and the system enters a safe idle state.
Autonomous agent kill switch — the autonomous agent (which proposes parameter changes) has an independent kill switch in Redis DB 2. It can be disabled instantly without affecting the trade pipeline.
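The latching behaviour of the dead-man's switch described above, as an added sketch that is not TRADEOS.tech code. The class and method names, the injected clock, and the rule that a reset is refused while the heartbeat is still stale are assumptions made for illustration.

```python
class DeadMansSwitch:
    """Latching heartbeat monitor. Times are seconds from an injected clock."""

    def __init__(self, timeout_s, now):
        self.timeout_s = timeout_s
        self.last_beat = now
        self.tripped = False
        self.actions = []       # record of safety actions taken, for inspection

    def heartbeat(self, now):
        # Heartbeats are always recorded, but they never clear a tripped switch.
        self.last_beat = now

    def check(self, now):
        """Called by an independent watchdog, not by the trading loop itself."""
        if not self.tripped and now - self.last_beat > self.timeout_s:
            self.tripped = True
            self.actions.append(("close_all_positions", now))
        return self.tripped

    def accept_order(self, now):
        # Staleness is evaluated at order time too, so a late watchdog tick
        # cannot let an order through after the heartbeat has lapsed.
        return not self.check(now)

    def manual_reset(self, now, operator):
        # Assumption: reset is refused while the heartbeat is stale,
        # otherwise the switch would trip again on the next check.
        if now - self.last_beat > self.timeout_s:
            return False
        self.tripped = False
        self.actions.append(("reset_by:" + operator, now))
        return True
```

A resumed heartbeat alone does not re-enable trading; only `manual_reset` clears the latch, which matches the "until the switch is manually reset" requirement.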
Risk limits by profile
Each strategy profile enforces a distinct set of risk limits tuned to its risk tolerance. Parameters that vary across profiles include:
| Parameter | Conservative | Balanced | Aggressive |
|---|---|---|---|
| Min signal confidence | Higher threshold | Moderate threshold | Lower threshold |
| Max position size (% portfolio) | Tightly capped | Moderate cap | Broader cap |
| Max portfolio drawdown | Low tolerance | Moderate tolerance | Higher tolerance |
| Max per-trade loss | Smallest limit | Moderate limit | Largest limit |
| Max hold time | Shortest | Moderate | Longest |
| Kelly fraction cap | Smallest fraction | Moderate fraction | Broadest fraction |
Specific parameter values are proprietary and configured per deployment. See Strategy Profiles for a qualitative description of each profile's behavior.
Risk events and observability
Every risk limit breach, circuit breaker activation, and feasibility rejection is published to the risk_events Redis Stream. The dashboard displays these in real time. The autonomous agent monitors the risk event stream and can propose profile adjustments when rejection rates indicate the system is miscalibrated relative to current market conditions.