Tranche Pass
Real markets. Real rules. No excuses.

A fully automated prop trading challenge platform built solo. A user can purchase a plan, trade paper capital through Phase 1 and Phase 2, get evaluated against a live prop-firm ruleset, and receive a funded account — every transition (fail, advance, breach, fund) runs autonomously against real Polygon.io market prices. Zero human review in the loop.
Security is layered: service-role-only write paths, RLS across all tables, and a dedicated DB trigger layer that rejects client writes to accounts and trades regardless of session — making evaluation outcomes tamper-proof at the database level.

- 01. Migration 004 — fail-closed DB trigger layer: Postgres triggers fire before RLS and block all direct INSERT/UPDATE/DELETE on accounts and trades from any non-service-role session. No client-side exploit can manufacture a passing account. This pattern requires understanding that triggers precede RLS evaluation and is rare in Next.js/Supabase stacks.
- 02. Proprietary rules engine with cascading state machine (lib/trading-engine/rules.ts) — max drawdown → breach + liquidate; daily drawdown → breach; profit target + minimum days → phase advance (phase_1 → phase_2 → funded); max days exceeded → fail; funded +10% → scale-up; 80% drawdown proximity → rate-limited warning. Each transition mutates account state atomically server-side via service role.
- 03. Three-asset-class Polygon.io price routing — symbol-type-aware dispatch across forex pairs (C:), NYMEX commodities, and equity last trade endpoints, each with a distinct fallback chain. Synthetic candle generation when the aggregates API returns empty during market-hours gaps. Polygon WebSocket (wss://socket.polygon.io/forex) for live tick stream powering open P&L updates and automatic SL/TP execution.
- 04. Slippage simulation (0.01–0.03% randomized) and 2% max risk enforcement per trade, combined with a live Finnhub economic calendar call on every order submit — new orders rejected within 30 minutes of any high-impact macro event, mirroring a real prop firm constraint rarely replicated in simulated environments.
- 05. Three-feature AI fabric (all Claude Sonnet, structured JSON in/out): cadence-triggered Challenge Coach (fires on 5th close, every 10th thereafter — packages P&L%, drawdown%, win rate, phase; dispatches typed dd_warning or stays silent); per-trade Autopsy (3-observation breakdown by category and sentiment, surfaces in journal); admin Anomaly Detection (risk score 1–10, flags[], clean/review/suspicious verdict for compliance triage).
- 06. is_admin() SECURITY DEFINER function breaks RLS recursion — policies reference this function rather than querying public.users.role directly, preventing the recursive deadlock that would otherwise occur when evaluating policies on the users table. Dual-auth EOD reset cron accepts CRON_SECRET Bearer token or active admin session without duplicating logic. Full security header suite: CSP, HSTS with includeSubDomains, X-Frame-Options: DENY, COOP/CORP, Permissions-Policy, ensureTrustedOrigin CSRF guard on all mutating routes.
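
The trigger layer from item 01 and the is_admin() helper from item 06, written out as an added example that is not the project's own migration code. The function, trigger and policy names, the users.id column and the 'admin' role value are assumptions; accounts, trades, public.users.role and is_admin() come from the description above.

```sql
-- Added illustration, not the project's migration 004. Assumed: trusted writes
-- arrive as Supabase's service_role; public.users has id uuid and role text.

-- Item 01: fail-closed guard. Anything not explicitly allowlisted raises.
CREATE OR REPLACE FUNCTION public.reject_client_write()  -- hypothetical name
RETURNS trigger
LANGUAGE plpgsql
SET search_path = ''
AS $$
BEGIN
  -- SECURITY INVOKER (default): current_user is the role issuing the statement.
  IF current_user <> 'service_role' THEN
    RAISE EXCEPTION 'direct % on %.% rejected for role %',
      TG_OP, TG_TABLE_SCHEMA, TG_TABLE_NAME, current_user
      USING ERRCODE = 'insufficient_privilege';
  END IF;
  RETURN NULL;  -- ignored for statement-level triggers
END;
$$;

-- Statement-level BEFORE triggers run before any row is touched, so the block
-- holds whatever RLS policies exist. TRUNCATE needs its own trigger or REVOKE.
CREATE TRIGGER accounts_block_client_writes  -- hypothetical name
  BEFORE INSERT OR UPDATE OR DELETE ON public.accounts
  FOR EACH STATEMENT EXECUTE FUNCTION public.reject_client_write();
CREATE TRIGGER trades_block_client_writes  -- hypothetical name
  BEFORE INSERT OR UPDATE OR DELETE ON public.trades
  FOR EACH STATEMENT EXECUTE FUNCTION public.reject_client_write();

-- Item 06: policies call is_admin() instead of selecting from public.users.
-- SECURITY DEFINER runs the lookup as the function owner; as table owner it is
-- exempt from RLS (unless FORCE ROW LEVEL SECURITY), so no policy re-enters.
CREATE OR REPLACE FUNCTION public.is_admin()
RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = ''  -- pin name resolution; every reference is qualified
AS $$
  SELECT EXISTS (
    SELECT 1 FROM public.users u
    WHERE u.id = auth.uid() AND u.role = 'admin'  -- 'admin' value is assumed
  );
$$;
REVOKE EXECUTE ON FUNCTION public.is_admin() FROM PUBLIC;
GRANT EXECUTE ON FUNCTION public.is_admin() TO authenticated;

CREATE POLICY users_self_or_admin_read ON public.users  -- hypothetical name
  FOR SELECT TO authenticated
  USING (id = auth.uid() OR public.is_admin());
```

With this guard in place, migrations or dashboard sessions running as any role other than service_role are rejected as well, which is the fail-closed behaviour the item describes.
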
Real-time visibility across every active account. Platform-wide metrics — breach rate, pass rate, pending payouts, and email delivery — sit alongside a live activity feed and a per-trader status table, so the full state of the platform is always one view away.


Rule breaches are caught, logged, and actioned the moment they happen. AI Anomaly Detection scores each account for suspicious patterns and surfaces a verdict; the violations table records every breach with the exact rule triggered and the enforcement action taken automatically — no manual triage required.