Neurobrick · A governance architecture

Prediction is not the hard problem.
Authority is.

One governance core, three live trading systems, three machines — proprietary capital, human-armed, designed, built, and operated end to end by a single architect.

model proposes → governance gate → human arms → broker — the model has no path to the broker.
The core idea

Its own capital only — no external money, ever. Not an investment product, fund, or advisory service.

Most systems ask: how do we make the model smarter?

This one asks: how do we make the model incapable of causing damage?

Core thesis

Intelligence proposes. It is never allowed to act.

Most automated systems are built to be right — more data, more parameters, a sharper edge. But in anything that touches real money, prediction is the easy part. Models are wrong constantly: regimes shift, data lies, an edge decays the week after you find it. Being right more often is a marginal game with a ceiling.

The hard problem is authority — what a system is permitted to do when the model is wrong, which is often, and confidently wrong, which is worse. A model that can act on its conclusions is a model that can act on its mistakes: at machine speed, against live capital, while no one is watching.

So Neurobrick inverts the usual question. Not how do we make the model smarter, but how do we make it incapable of causing damage. Intelligence proposes; it is never allowed to act. Every proposal — to buy, to sell, to do nothing — is checked against explicit invariants and veto rules before anything reaches a broker. The default is to do nothing. Only a human can arm live capital. No model, however confident, can place an order.

This is not a safety feature bolted onto a strategy. It is the system. The prediction layer is replaceable; the governance layer is the point. Most of the engineering goes not into being right, but into surviving being wrong — because over a long enough run, the second is what keeps the capital.

Being right is an input. It is never a permission.

Origin

Where the architecture came from

The architecture did not come from a theory of how the system should work. It came from watching what actually broke — and the model was rarely the problem. A box went dark and raised nothing. A hash chain forked on a clock tie. An order nearly filled twice. A risk limit sat defined but never read. Each was the system doing something it was never supposed to be able to do. Everything that follows is the accumulated answer to one question: what must never be possible?

The fleet

One core. Three live systems.

Three independent trading systems run on three separate machines — and one authority layer governs all of them. Its job is not to run them; it is to stop them. They share a single governance core and a single audit chain; each is separately armed, and none can act on its own.

Authority layer
Governance core · one audit chain · deny-by-default · human-armed
governs — proposals only

The original (live · own machine)
Crypto and equities. The system the governance core grew up around, and the one that has run live the longest.

Domestic and overseas equities (live · own machine)
Korean and foreign stocks, traded unattended through a single broker.

Multi-account equities (live · own machine)
Several accounts under one household, each separately armed and separately governed.

Timeline
autumn 2025: build begins
early April 2026: first live capital — the original
today: across all three systems

Intelligence is advisory in all three; none of them can act on its own.

The architecture

What it makes impossible

Each property is stated as an outcome first, then why it matters, then how it works. None of the techniques is novel; handling all of them on a live money path, by one person, is the rare part.

01

Real money is never double-filled

The network drops the acknowledgement, not the order — so a timeout is ambiguous, and the reflexive retry is how you fill twice.

An ambiguous submission is quarantined as maybe-sent and never automatically retried; it is resolved by reconciling against the broker's own record, behind a transactional outbox with idempotency keys.

Implemented independently in two of the three live systems. A failed outbox health check blocks arming more capital.
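The maybe-sent quarantine described above, as an added sketch that is not Neurobrick's own code. The Outbox class, its state names, the in-memory row store, the rule used for the health check, and the lossy_broker helper are all assumptions made for illustration.

```python
import enum
import uuid


class State(enum.Enum):
    PENDING = "pending"
    MAYBE_SENT = "maybe_sent"  # submit timed out: the broker may or may not have it
    SENT = "sent"
    NOT_SENT = "not_sent"      # reconciliation showed the broker never saw it


class Outbox:
    """In-memory stand-in for a transactional outbox table (hypothetical)."""
    def __init__(self):
        self.rows = {}  # idempotency key -> State

    def enqueue(self):
        key = uuid.uuid4().hex  # client-generated idempotency key
        self.rows[key] = State.PENDING
        return key

    def submit(self, key, send):
        if self.rows[key] is not State.PENDING:
            return self.rows[key]  # MAYBE_SENT is never re-sent automatically
        try:
            send(key)
            self.rows[key] = State.SENT
        except TimeoutError:
            self.rows[key] = State.MAYBE_SENT  # ambiguous: quarantine
        return self.rows[key]

    def reconcile(self, broker_keys):
        # The broker's own record decides, not the local guess.
        for key, state in self.rows.items():
            if state is State.MAYBE_SENT:
                self.rows[key] = State.SENT if key in broker_keys else State.NOT_SENT

    def healthy(self):
        # Assumption: unresolved maybe-sent rows are what fails the health check.
        return State.MAYBE_SENT not in self.rows.values()


def lossy_broker(booked):
    """Constructed broker: books the order, then drops the acknowledgement."""
    def send(key):
        booked.append(key)
        raise TimeoutError("ack lost")
    return send
```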

02

The decision log cannot be quietly rewritten — and it caught itself forking

An audit trail you can edit is not evidence; a log ordered by wall-clock corrupts under sub-millisecond ties.

Every proposal, accepted or vetoed, is SHA-256 hash-chained per entity. The verifier caught a real fork — two entries written close enough to tie on the same millisecond could not be ordered by the clock; ordering moved to insert sequence, not time, and concurrent appends are serialized behind an advisory lock.

Tamper-evident, not tamper-proof. A rejected order leaves the same audit-grade trace as an executed one.
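A per-entity SHA-256 chain ordered by insert sequence, as an added sketch that is not the project's code. The entry fields, the JSON canonicalization, and the threading.Lock standing in for a database advisory lock are assumptions.

```python
import hashlib
import json
import threading

GENESIS = "0" * 64


class AuditChain:
    """Per-entity hash chain ordered by insert sequence, not by timestamp."""

    def __init__(self):
        self._lock = threading.Lock()  # stand-in for a database advisory lock
        self.entries = {}              # entity -> list of entry dicts

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, in a canonical key order.
        body = {k: entry[k] for k in ("entity", "seq", "ts_ms", "payload", "prev")}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, entity, ts_ms, payload):
        with self._lock:  # concurrent appends are serialized
            chain = self.entries.setdefault(entity, [])
            entry = {"entity": entity, "seq": len(chain), "ts_ms": ts_ms,
                     "payload": payload,
                     "prev": chain[-1]["hash"] if chain else GENESIS}
            entry["hash"] = self._digest(entry)
            chain.append(entry)
            return entry

    def verify(self, entity):
        """Return the position of the first bad entry, or None if the chain holds."""
        prev = GENESIS
        for i, entry in enumerate(self.entries.get(entity, [])):
            broken = (entry["seq"] != i              # gap, reorder, or fork
                      or entry["prev"] != prev       # link does not match predecessor
                      or entry["hash"] != self._digest(entry))  # content edited
            if broken:
                return i
            prev = entry["hash"]
        return None
```

Two entries with the same ts_ms still receive distinct seq values, so the verifier never has to order them by the clock.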

03

Risk controls fail safe — including when the control itself fails

The dangerous failure is the safety device that fails open because reading its own state threw.

A ladder of 30+ pre-trade checks, each explicitly fail-open or fail-closed. The kill switch returns engaged even if probing its flag file raises. De-risk exits are exempted from entry gates, so a stop-loss can never deadlock behind the machinery meant to block new risk.

No single layer is trusted to be sufficient.
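A fail-closed kill switch and a check ladder with per-check failure modes, as an added sketch that is not the project's code. The function names, the order and check shapes, the convention that a present flag file means engaged, and the choice to treat the kill switch as an entry gate are assumptions.

```python
import os


def kill_switch_engaged(flag_path, stat=os.stat):
    """Report engaged unless the flag file is provably absent."""
    # os.path.exists() would return False on a permission error, which
    # silently fails open; os.stat() lets the error surface.
    try:
        stat(flag_path)
        return True           # flag present
    except FileNotFoundError:
        return False          # the only outcome that means "not engaged"
    except Exception:
        return True           # state unreadable: assume engaged


def pretrade_gate(order, flag_path, checks, stat=os.stat):
    """Return (allowed, reason); checks is a list of (name, fn, fail_closed)."""
    # Assumption: de-risk exits skip every entry gate, the kill switch
    # included, so a stop-loss cannot deadlock behind them.
    if order["intent"] == "exit":
        return True, "de-risk exit: exempt from entry gates"
    if kill_switch_engaged(flag_path, stat):
        return False, "kill switch engaged"
    for name, fn, fail_closed in checks:
        try:
            ok = fn(order)
        except Exception:
            ok = not fail_closed  # each check declares its own failure mode
        if not ok:
            return False, f"veto: {name}"
    return True, "all checks passed"
```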

04

Overfit research cannot reach live capital

A backtest is a hypothesis, and a hypothesis tested enough times will pass by luck alone.

A new signal carries zero weight until it clears out-of-sample validation that corrects for the number of trials — Combinatorial Purged Cross-Validation plus a Deflated Sharpe. A stricter method ships behind a flag, the old one kept byte-for-byte as default, both verdicts compared in a ledger before the new one may gate a live decision.

The discipline, not the math, is the rare part.

Governed decision path. Advisory signals become a proposal; the governance gate either allows it through to human-armed execution, or vetoes it and writes it to the evidence ledger.
advisory signals (proposals only) → order proposal (drafted intent) → governance gate (deny-by-default; constraint · veto)
allow → execution (human-armed) → broker · KIS / Binance
veto → rejected + logged (evidence ledger)

The model was almost never what broke.

What reality taught

Lessons, stated the way they were learned

Surprises from operating a governed capital system. Each one changed the architecture. None is a slogan; each is a thing that was, at some point, wrong.

01

A monitor that lives on the box it watches is not a monitor.

A machine went dark for over eight hours and raised nothing, because every alarm it could send died with it. The watchdogs now run off-box and inline — they survive deletion of their own directory — and the machines watch each other. The realization generalizes past trading: a health check co-located with the thing it checks is decoration.

02

A limit you define but never enforce is worse than no limit.

On the equities system, a per-name concentration cap lived as a constant for months and was never read, while a single name sat at more than half the book. The dead limit was more dangerous than its absence — it manufactured confidence without enforcement. It now fails closed, but only after a retry: the broker read it depends on, get_holdings, flaked about 3,180 times over thirty days — roughly 106 a day, a measured baseline rather than an estimate. A naive fail-closed on a read that unreliable blocks more good orders than bad ones, so the gate retries first and only then fails closed.
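A retry-then-fail-closed concentration gate, as an added sketch that is not the project's code. Only the get_holdings name comes from the text; the cap value, the attempt count, the holdings shape, and the flaky_reader helper are assumptions.

```python
def concentration_gate(symbol, add_value, get_holdings, cap, attempts=3):
    """Return (allowed, reason); fail closed only after every read attempt fails."""
    holdings = None
    for _ in range(attempts):
        try:
            holdings = get_holdings()  # assumed shape: {symbol: market value}
            break
        except Exception:
            continue                   # flaky read: try again before deciding
    if holdings is None:
        return False, "holdings unreadable: fail closed"
    # Assumption: the book is positions only; cash is not counted.
    total = sum(holdings.values()) + add_value
    weight = (holdings.get(symbol, 0.0) + add_value) / total if total > 0 else 1.0
    if weight > cap:
        return False, f"{symbol} would be {weight:.0%} of book (cap {cap:.0%})"
    return True, "within cap"


def flaky_reader(book, fail_pattern):
    """Constructed broker read that raises wherever fail_pattern is True."""
    calls = iter(fail_pattern)

    def read():
        if next(calls, False):
            raise ConnectionError("get_holdings timed out")
        return dict(book)

    return read
```

With a single attempt, the same transient failure blocks an order that is within the cap, which is the cost of a naive fail-closed on an unreliable read.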

03

Attribution bugs disguise themselves as alpha and as risk.

A batch of orders shipped without a strategy label, got bucketed under a default name, and the per-strategy circuit breaker auto-paused that strategy at a deeply negative Sharpe — reacting to a labeling artifact, not a loss. The risk system fired correctly on data that was wrong. The fix lived upstream, at construction time; the breaker was never the problem.

04

The exchange's real rules are learned from rejections, not from docs.

The tick-size table matched KRX's published schedule and orders were still rejected: certain ETFs use a flat tick regardless of price, and orders priced in the 1,000–2,000 KRW band came back rejected for the wrong tick unit. Snapping now reads the live order book to infer the actual increment per instrument and treats the documented table as a fallback only. The spec was a hypothesis; the rejection codes were the data.

05

A specification is not an enforcement.

There is an elaborate, typed, versioned contract layer that formally specifies every constraint in the system. The live money path does not import it. The enforcement that actually matters turned out to live in a smaller, less elegant service. It is easy to mistake the comfort of a formal spec for the safety of a running guard — and worth re-checking, periodically, which one is in the path.

06

Latency between a signal and its fill is an adverse-selection tax.

Cash settles about twenty seconds after an order is blocked for insufficient cash; by the time it arrived and the order filled, the signal that justified it was stale — a fill that lost because it was late, not because it was wrong. That settlement latency is a fixed adverse-selection window, so there is now a signal-freshness veto at the gate that refuses a fill whose signal has aged past it.

07

Safety state in the wrong place fails open.

In the control plane, the submit-time kill-switch chain once disarmed silently — fail-open, no alert — because the only copy of its armed state lived in a directory that was git-ignored, and a clean checkout wiped it. Armed state now persists off the worktree, sealed, with an explicit authority order, so a fresh deploy can never quietly leave the system unguarded.

Operations

Operated, not demoed

A system that has survived its own production incidents — and is changed, while live, without breaking. Not a prototype that has only seen the happy path.

The codebase records its own production incidents and their fixes — a stop that froze and let a position run, a state oscillation between two writers, the clock-tie fork. Each is a place the happy path was not enough. The risk had migrated out of the math and into the operations.

Behavior-invariant refactors

The order executor was reduced from 6,304 to 4,070 lines by extracting 34 pre-trade gates into a mixin via byte-identical, AST-verified extraction with method-resolution order preserved — staged across reviewed changes. The shape of the code changed; provably, its behavior did not.

Observe-first deployment

Behavior changes ship behind a flag with the old path kept byte-for-byte as default, both verdicts compared in a ledger before the new path may decide anything. Schema or contract drift fails the build; deploys gate on a green main.

Event-sourced replay

Every cycle is replayable from the captured log, fills and clocks included. Backups are layered, with a daily client-side-encrypted off-site tier for site loss.

Structure

Governance is the system. Execution is incidental.

Every action passes through layers that exist only to deny it — ingestion, advisory, constraint, execution, audit — and must clear all of them before anything reaches a broker.

Underneath the layers is one reconciled portfolio state, read through a single interface; every decision references an immutable, event-sourced snapshot — which is what makes replay and audit possible.

The system's most common output is inaction.

Limitations

Where this is not bulletproof

The failure boundaries, stated plainly. This section is longer than most pages would allow, on purpose.

Single-operator bus factor

One person designed, operates, and is on call for all of it. That is the reason the system is coherent — and the reason its largest risk is one person.

Not highly available

The fabric is three machines, a homelab — not a multi-region deployment. It tolerates a box going dark; it does not tolerate the site going dark without a restore, and that restore has not been drilled here as a claim.

Some hot paths fail open by choice

On non-critical async gates, availability is chosen over safety deliberately. Fail-closed is the default only where being wrong costs capital.

The formal contract layer is not in the money path

A beautiful spec the hot path does not call is decoration. The enforcement lives elsewhere; the gap is named, not hidden.

The governance “constitution” is not alignment

It is bypassable pattern-matching, not learned alignment. No claim of AI safety beyond architecture is made or implied.

Integrated, not authored

The self-hosted inference engine (exo) is open-source upstream — operated and integrated here, not written here.

God-files remain

The largest modules are still several thousand lines, partially decomposed. The work is ongoing, and stated as ongoing.

The operator

One person

One architect designed the governance core, built the event-sourced runtime, did the research, stood up the infrastructure, and is the person paged when a box goes dark at 3 a.m. Not a team that divided the work — one person who held all of it at once, against live capital, for long enough to learn where systems actually break.

This is stated as a fact, not a credential, because it cuts both ways. It is why the system is coherent: every layer was designed by the same person who has to operate it. It is also why its single largest risk is a bus factor of one. Both are true; the page would be dishonest to print only the first.

Most automated systems are built around prediction.
Neurobrick is built around refusal.

Contact

Open to a few conversations

Not raising capital, and not managing money for others. Open to conversations with engineers, quants, and researchers who have built systems that fail in interesting ways.

Disclaimer

Neurobrick is a personal systems-engineering project that operates proprietary capital only. It is not an investment product, fund offering, or advisory service; it does not accept external capital; and it does not sell signals or manage money for others.

Architecture and methods on this page are described at a conceptual level by intent. The distributed inference engine (exo) is open-source; it is operated and integrated here, not authored.

Neurobrick · A governance architecture · Operated under live conditions