Accounts, tenancy & security

Sir Trades A Lot is fully multi-tenant: every account is an isolated workspace with its own money, positions, secrets, and settings. Here's how accounts, onboarding, and security work.

Onboarding (Setup wizard) /setup

Three per-tenant steps, everything encrypted and private to you:

  1. Get your Schwab keys — create an app at developer.schwab.com ("Accounts and Trading Production", callback https://127.0.0.1) and paste the App Key + Secret.
  2. Connect your Schwab account — the in-dashboard OAuth (below).
  3. Add an AI Roundtable judge — a provider preset, model, base URL, and API key.

Connect Schwab /connect_schwab

Runs the Schwab OAuth entirely in the dashboard using your vaulted app key/secret — no server access. Sign in, approve the app, and when the browser lands on a page that "fails to load," that's success: copy the full URL and paste it back. The pasted URL is used once and discarded; the resulting token is stored encrypted in your vault as schwab_token.

Profile /profile

Manage your own account: profile picture, name/email, and password. Shows your role and tenant id.

Admin pages (platform owner / admins)

  • Users /admin/users owner — create and manage every account on the server; each gets an isolated tenant. Guards prevent removing the last admin or deleting your own account.
  • Secrets backup /admin/backup — download a passphrase-encrypted, ciphertext-only backup of your secrets, restore from one, or reveal the server master key once (never logged, never in a URL).

Isolation & security model

  • Vault-only credentials. Each tenant's Schwab creds and LLM keys live in their own encrypted vault. A tenant with no creds fails closed — it never borrows another tenant's account or keys.
  • Every query is tenant-scoped. A regular user cannot reach another tenant's account, positions, money, or secrets.
  • Owner-only admin. The first user (tenant 1) is the super-admin; the cross-tenant tools (Users, platform training) are reachable only by that tenant. Per-tenant tools (Bias audit, Secrets backup) are available to any admin, scoped to their own data.
  • Web-security hardening. CSRF tokens on every state-changing request, SSRF guards on all outbound LLM/broker URLs, session cookies with SameSite=Lax and a 12-hour lifetime, login brute-force protection, a read-only viewer role, and open-redirect guards.

Transport. The site is served over HTTPS (https://sirtradesalot.com). Sign in only over the HTTPS URL.