Architecture
Trust Architecture
How SPA is structured, who controls what, and how your capital is handled.
SPA operates as a paper trading system through go-live. This page documents the control architecture, data flows, and operational safeguards that govern how the system works. Transparency is the product.
Custody Model
Paper trading phase: no real capital involved. Virtual $100,000 USDC portfolio.
Live phase (planned): self-custodial model. Users retain control of assets via Gnosis Safe multisig. SPA operates as an authorised keeper with limited execution rights.
SPA does not hold user funds in a centralised custodian.
Keeper permissions: rebalance within approved whitelist only. Cannot withdraw to external addresses.
The 9 Key Questions
Every question an allocator should ask before trusting a system with capital.
Q1
Who can change the strategy?
Strategy parameters are defined in RiskPolicy v1.0. Changes require a documented ADR (Architecture Decision Record), version bump, and re-run of GoLiveChecker. No undocumented changes.
Q2
Who can change RiskPolicy?
RiskPolicy changes require explicit versioning. Currently v1.0. Any change produces a new version with documented rationale. Changelog is public in repository.
Q3
Who can pause deposits?
Kill switch can be triggered by: (1) automated drawdown gate (−5% monthly), (2) manual trigger by operator. Both paths are logged. Kill switch moves portfolio to cash buffer.
Q4
Who can close positions?
In paper trading: automated rebalancer only, within RiskPolicy gates. In live phase: keeper (automated) within approved permissions + multisig emergency override.
Q5
Who can upgrade contracts?
Live phase: multisig required for any contract upgrade. Timelock TBD before go-live. Paper trading phase: no live contracts deployed.
Q6
Can a human override a risk gate?
No. In paper trading phase, blocked rebalances are logged but not executed. The gate result is final. Manual override capability is explicitly excluded from keeper permissions.
Q7
Is there a multisig, and who are the signers?
Gnosis Safe multisig planned for live phase. Signer composition and threshold TBD before go-live. Will be published in this document before August 1, 2026.
Q8
Where can I see all logs?
Dashboard → Trades tab (all rebalance events), Dashboard → Risk Blocks tab (all blocked rebalances), GitHub repository (JSON logs, ADRs, RiskPolicy versions).
Q9
What happens during an incident?
1. Kill switch activates if drawdown gate fires.
2. Operator notified via monitoring alerts.
3. Portfolio moves to cash buffer.
4. Incident documented and published.
5. No resumption until root cause identified.
Identity Verification
No identity verification required to view strategies or dashboard.
Verification is required before making a deposit.
For the private MVP phase, verification is conducted manually during onboarding.
Incident Communication
In the private MVP phase, incident communication is handled directly via Telegram and email. Response owner: Yurii. Public status page and formal SLA will be added before public launch.
Contract Transparency
We publish the list of approved DeFi protocols we work with. Operational wallet addresses and SPA-specific contract addresses will be published after security audit completion (planned Q3 2026).
Operational Model
Daily Cycle
Scan → Gate → Rebalance (automated)
LLM in Execution
None. Zero AI in the decision path.
Decision Logic
All decisions deterministic and logged
Paper Trading
No real transactions — all operations simulated
Live Monitors
Contact
For due diligence inquiries: yuriycooleshov@gmail.com