SH Strategy Trader

A self-hosted, single-user trading bot that automates an inverse-ETF hedge against the S&P 500 — built around operational rigor and a fund-isolation guarantee.

Next.js 14 · TypeScript · Postgres · Prisma · Alpaca API · Cloudflare Access · Vercel Cron

About This Project

When SPY closes below its 200-day moving average for two consecutive days, the bot buys SH (an inverse ETF that rises when SPY falls) sized at 6% of equity. Five overlapping exit conditions — stop loss, market recovery, time stop, profit target with trailing stop, and breakeven trail — manage the position automatically, all tunable from the UI.

Trading logic sits behind a pluggable Strategy interface, so new strategies register without touching the evaluator. A dual Vercel Cron job (21:30 and 22:30 UTC) reconciles with Alpaca as the source of truth, runs the enter/exit logic, executes inside market hours (or queues for the next run), logs an audit row, and dispatches alerts. The dual-cron design provides data-aware idempotency — handling Polygon's variable EOD publish lag and DST transitions cleanly.

Risk management is the design center. Cloudflare Access (Google SSO, single-email allow-list) sits on top of an in-app bcrypt password gate, AES-256-GCM-encrypted Alpaca keys, and a Bearer-only cron route. Even with a full app + API key compromise, an attacker cannot move money out — the trading API exposes no withdrawal endpoints. Paper trading is the default; flipping to live requires two independent gates plus passing an explicit readiness ladder.
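An added example (not the project's own code) of the Bearer-only cron boundary and the two-gate live flip described above, failing closed at each step. The environment names `CRON_SECRET` (Vercel's convention for cron authentication) and `LIVE_TRADING`, the `settingsLive` flag, and the function names are assumptions.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

type TradingMode = "paper" | "live";
type CronDecision =
  | { ok: true; mode: TradingMode }
  | { ok: false; status: 401 | 500; reason: string };

// Hash both values first so timingSafeEqual always gets equal-length buffers
// and the comparison leaks neither the content nor the length of the secret.
function safeEqual(a: string, b: string): boolean {
  const digest = (s: string) => createHash("sha256").update(s).digest();
  return timingSafeEqual(digest(a), digest(b));
}

// Gate 1 is the UI settings toggle, gate 2 is an environment variable.
// Anything other than both gates explicitly set resolves to paper.
function resolveMode(settingsLive: boolean, envFlag: string | undefined): TradingMode {
  return settingsLive === true && envFlag === "true" ? "live" : "paper";
}

// Bearer-only boundary: no cookie or session fallback on the cron route.
function guardCron(
  authHeader: string | null,
  env: { CRON_SECRET?: string; LIVE_TRADING?: string }, // assumed names
  settingsLive: boolean,
): CronDecision {
  const secret = env.CRON_SECRET;
  // Fail closed: with no secret configured, a naive template comparison
  // would accept the literal header "Bearer undefined".
  if (!secret) {
    return { ok: false, status: 500, reason: "cron secret not configured" };
  }
  const match = /^Bearer (.+)$/.exec(authHeader ?? "");
  if (!match || !safeEqual(match[1] ?? "", secret)) {
    return { ok: false, status: 401, reason: "invalid bearer token" };
  }
  return { ok: true, mode: resolveMode(settingsLive, env.LIVE_TRADING) };
}

// Constructed sample values, not real credentials.
const SAMPLE_SECRET = "constructed-sample-secret-0001";
const decision = guardCron(`Bearer ${SAMPLE_SECRET}`, { CRON_SECRET: SAMPLE_SECRET }, true);
console.log(decision); // the settings toggle alone does not enable live trading
```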

Key Features

  • Pluggable strategy interface — new strategies register via a registry without touching the evaluator or routes.
  • Dual-cron evaluation pipeline — two Vercel Cron runs handle Polygon's EOD publish lag; exactly one executes per trading day, with explicit skip reasons for observability.
  • Defense-in-depth security — Cloudflare Zero Trust, rate-limited bcrypt password gate, AES-256-GCM-encrypted credentials at rest, Bearer-only cron auth boundary.
  • Fund-isolation guarantee — even with full compromise, attackers cannot move money out; the trading API exposes no withdrawal endpoints.
  • Paper-trading default with a two-gate live flip — settings toggle AND env-var change required. Mechanical, unit-tested exit conditions with explicit precedence.
  • Live-trading readiness ladder — explicit tiers gate the paper-to-live flip: 30 clean trading days, then 3 months across an infra change, then 6 months across a real SPY-below-SMA200 regime.

Project Links

Self-hosted · Personal use

Single-user app behind Cloudflare Zero Trust — not publicly accessible