Accounts, tenancy & security
Sir Trades A Lot is fully multi-tenant: every account is an isolated workspace with its own money, positions, secrets, and settings. Here's how accounts, onboarding, and security work.
Onboarding (Setup wizard) /setup
Three per-tenant steps, everything encrypted and private to you:
- Get your Schwab keys — create an app at developer.schwab.com ("Accounts and Trading Production",
callback
https://127.0.0.1) and paste the App Key + Secret. - Connect your Schwab account — the in-dashboard OAuth (below).
- Add an AI Roundtable judge — a provider preset, model, base URL, and API key.
Connect Schwab /connect_schwab
Runs the Schwab OAuth entirely in the dashboard using your vaulted app key/secret — no server
access. Sign in, approve the app, and when the browser lands on a page that "fails to load," that's success:
copy the full URL and paste it back. The pasted URL is used once and discarded; the resulting token is stored
encrypted in your vault as schwab_token.
Profile /profile
Manage your own account: profile picture, name/email, and password. Shows your role and tenant id.
Admin pages (platform owner / admins)
- Users /admin/users owner — create and manage every account on the server; each gets an isolated tenant. Guards prevent removing the last admin or deleting your own account.
- Secrets backup /admin/backup — download a passphrase-encrypted, ciphertext-only backup of your secrets, restore from one, or reveal the server master key once (never logged, never in a URL).
Isolation & security model
- Vault-only credentials. Each tenant's Schwab creds and LLM keys live in their own encrypted vault. A tenant with no creds fails closed — it never borrows another tenant's account or keys.
- Every query is tenant-scoped. A regular user cannot reach another tenant's account, positions, money, or secrets.
- Owner-only admin. The first user (tenant 1) is the super-admin; the cross-tenant tools (Users, platform training) are reachable only by that tenant. Per-tenant tools (Bias audit, Secrets backup) are available to any admin, scoped to their own data.
- Web-security hardening. CSRF tokens on every state-changing request, SSRF guards on all outbound LLM/broker URLs, session cookies with SameSite=Lax and a 12-hour lifetime, login brute-force protection, a read-only viewer role, and open-redirect guards.
Transport. The site is served over HTTPS
(https://sirtradesalot.com). Sign in only over the HTTPS URL.