06 · Risk Kernel
Every model intent and every direct human command crosses the same deterministic kernel. The model cannot alter rules, provide credentials, move deadlines or call the signer directly.
One path to every exchange write
Read-only exchange queries do not require a trading verdict; any write, including cancel/close/flatten, requires an authenticated typed request and the policy appropriate to its risk-reducing semantics.
Enforcement and tests are part of every rule
| Rule | Required behavior | Enforcement | Required tests |
|---|---|---|---|
| Allowed assets | Reject instruments absent from network/environment allowlist and current metadata | Risk kernel before signing | Unknown, delisted, wrong-network and stale-metadata cases |
| Maximum leverage | Reject or clamp above environment/instrument cap; agent cannot change policy | Risk kernel plus exchange-account configuration check | Boundary, asset cap and malicious update-leverage cases |
| Maximum notional | Compute projected gross/net exposure including open orders | Risk kernel from reconciled portfolio | Pending-order, fill-race and decimal boundary cases |
| Per-position limit | Clamp or reject projected instrument exposure | Risk kernel | Long/short/increase/reduce and crossed-zero cases |
| Portfolio limit | Reject aggregate exposure or concentration breach | Risk kernel | Correlated positions, multiple HIP-3 DEXs, open orders |
| Price protection | Reject price outside fresh reference band or invalid tick/lot precision | Risk kernel plus adapter normalization | Stale reference, extreme price, tick rounding |
| Slippage protection | Bound IOC/marketable limit price against approved reference | Flatten/order planner and risk kernel | Gap, empty book, fallback reference |
| Order cadence | Rate-limit risk-increasing decisions and batch safely | Session/match sequencer before risk | Burst, concurrent subagent and retry cases |
| Duplicate intent | Return recorded verdict/result for stable idempotency key | Intent and execution repositories | Concurrent duplicates and unknown result reconciliation |
| Deadline | Reject risk increase at/after persisted lock timestamp | Match DO guard and risk kernel | Clock skew, delayed alarm, race at exact millisecond |
| Reduce only | Close/flatten plans cannot increase or reverse exposure | Planner, risk kernel, exchange flag | Partial fill, zero/crossed position, stale size |
| Match state | Only Live allows configured risk; Locked onward permits cancel/reduce only | Match revision guard and risk kernel | Every state/action matrix and stale revision |
| Emergency pause | Disable new signing except authenticated cancel/reduce recovery | Global/account/match kill-switch checked at execution | Activation race, scope and recovery authorization |
| Exit All | Cancel opens, snapshot positions, submit bounded reduce-only actions, verify zero/open-order terminal state | Deterministic flatten coordinator | Partial fills, cancel failures, outage and repeated invocation |
| Post-action reconciliation | Do not trust submission response as final state | Execution coordinator/reconciler | Unknown response, missed fill and out-of-order stream |
| Failure escalation | Move to paused/recovery/manual-review based on explicit thresholds | Orchestrator and Match DO | Repeated signing/exchange/flatten/settlement failures |
Accept, clamp or reject—with stable reasons
The pure evaluator consumes a versioned policy, fresh market frame, reconciled portfolio, match/session state and TradeIntent. It emits a RiskVerdict with policy version, reason codes and—only for accept/clamp—an exact approved order. The signer verifies the verdict/request binding; it never accepts a caller-supplied “approved” flag.
Pause contains; Exit All verifies
- Activate a global/account/match pause checked at the execution boundary.
- Cancel open orders with stable idempotency keys.
- Fetch fresh positions and plan reduce-only actions against current sizes.
- Submit bounded marketable limits/IOC according to slippage policy.
- Reconcile orders and positions until zero/no-open-order is verified or enter
flatten_failedwith operator escalation.
Table-driven plus property-oriented
Test decimal boundaries, projected exposure with open orders, concurrent duplicates, exact deadline races, stale revisions, partial fills, crossed-zero positions and human/model parity. Property tests assert that reduce-only plans never increase absolute exposure, rejected intents never reach signing and repeating an idempotency key never creates another exchange request.