1. The two-machine split
believe runs on two kinds of hosts. The broker tier is a Windows VM on Azure whose only job is to talk to IB Gateway, run Sierra Chart, and execute trades on CME. The research tier is a Linux cluster that ingests ticks and the MBP-10 book, trains and retrains every head of the ensemble, runs the backtester, and hosts the monitoring stack. The research tier never places an order; the broker tier never writes to the training store.
Broker Tier (Azure Win VM)
- IB Gateway: reqMktData, reqMktDepth, placeOrder
- Sierra Chart: T29 DLL tick capture
- Python execution bridge: clientId=251, dom_ib.jsonl writer
Signed Data Path
- Trade journal upload: fills.jsonl, orders.jsonl
- Tick + DOM capture upload: rsync over WireGuard
- Model card download: believe-v<N>.tar.gz + hash
Research Tier (Linux)
- Training store: Parquet shards, content-addressed
- Backtester: deterministic replay on captured ticks
- Retrain + model card builder: F2_dom, XGB 5m, Tick ML
- Monitoring: feature drift, fill-rate, parity
2. Broker tier
The Windows VM is sized for reliability, not speed. It runs Sierra Chart and IB Gateway
side by side, each with its own tick capture. The Python execution bridge is the only
piece of our own code that ever sends an order. It subscribes to the IB client with a
pinned clientId=251 and writes the full depth stream directly
to dom_ib.jsonl.
- Sierra Chart is the tick-capture primary: T29 DLL writes to disk synchronously, so restarting Sierra does not lose ticks silently.
- IB Gateway is the execution surface. Orders are placed as marketable limits, bracketed at submission time. We do not rely on client-side exits to close a position.
- The bridge is a Python process supervised by NSSM. A crash spawns a fresh one, and the watchdog alarms on the Gmail channel if the supervisor cannot restart it.
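The bridge's depth writer can be sketched as an append-only JSONL emitter. This is a minimal illustration, not the bridge's actual code: the row schema, `DOM_PATH`, and the helper name are assumptions; only the file name `dom_ib.jsonl` comes from the text.

```python
import json
import time
from pathlib import Path

DOM_PATH = Path("dom_ib.jsonl")  # the bridge's writer target, per the text

def append_depth_update(path: Path, side: str, level: int, price: float, size: int) -> None:
    """Append one MBP-10 depth update as a single JSON line.

    Opening in append mode per write keeps the file durable across
    bridge restarts, at the cost of some throughput.
    """
    row = {
        "ts": time.time(),  # capture timestamp, epoch seconds
        "side": side,       # "bid" or "ask"
        "level": level,     # 0..9 for an MBP-10 book
        "price": price,
        "size": size,
    }
    with path.open("a", encoding="utf-8") as f:
        f.write(json.dumps(row) + "\n")

append_depth_update(DOM_PATH, "bid", 0, 5312.25, 18)
```

One JSON object per line keeps the capture trivially greppable and safe to tail while the bridge is writing.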
3. Research tier
The Linux cluster carries the weight. It holds the tick store, the MBP-10 store, the training code, the backtester, and the monitoring dashboard. It is the only tier that knows how to produce a new model.
- Training store. Parquet shards keyed by {instrument}/{feed}/{date}/{shard}.parquet. Content-addressed; every hash referenced in a model card points to a byte-for-byte reproducible shard.
- Backtester. Deterministic replay over the live tick capture. Same feature code path as live, same order-fill logic, same commission schedule. A single seed, a single set of outputs.
- Retrain pipeline. One job per head: F2_dom weekly, XGB 5m monthly, Tick ML monthly, each with purged walk-forward and embargo. Output is a model card plus a signed tarball.
- Monitoring. Feature-drift alarms, bracket fill-rate tracking, and the backtest-vs-live parity job.
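Content addressing for the training store can be sketched as naming each shard by the hash of its bytes. The key layout comes from the text; the function name and the idea of using the digest as the shard name are assumptions for illustration.

```python
import hashlib
from pathlib import Path

def shard_key(instrument: str, feed: str, date: str, shard_bytes: bytes) -> Path:
    """Build a content-addressed key for one Parquet shard (sketch).

    Naming the shard by the SHA-256 of its bytes means a model card
    that records this hash pins a byte-for-byte reproducible input:
    if the bytes change, the key changes.
    """
    digest = hashlib.sha256(shard_bytes).hexdigest()
    # Key layout from the text: {instrument}/{feed}/{date}/{shard}.parquet
    return Path(instrument) / feed / date / f"{digest}.parquet"

key = shard_key("MES", "mbp10", "2026-04-17", b"parquet-bytes-here")
```

A convenient property of this scheme is that re-ingesting identical data is a no-op: the shard already exists under the same key.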
3b. Session mask (v133)
Previous versions ran the full 24-hour CME clock. v133 trades only the two sessions whose contribution to the 79-day backtest (Jan 29 – Apr 17 2026) was net positive:
| Session | Window (ET) | BT Hit Rate | BT Net ($) | v133 Mask |
|---|---|---|---|---|
| RTH | 09:30–16:00 | 75.9% | +130,398 | Enabled |
| ETH_EUROPE | 02:00–08:30 | 73.7% | +7,815 | Enabled |
| ETH_PRE | 08:30–09:30 | – | −2,399 | Disabled |
| ETH_POST | 16:00–18:00 | – | −1,887 | Disabled |
| ETH_ASIA | 18:00–02:00 | – | −10,175 | Disabled |
Three sessions removed on evidence, not taste. The session mask is a config-only change — no retrain is required to toggle it — which means it can be re-enabled per session if forward data changes the picture. See Methods §9 for the rationale and Performance §3 for the aggregate effect in combination with the adaptive regime gate.
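Because the mask is config-only, it can be modeled as a table of windows with an enabled flag, consulted at decision time. The windows and flags below come from the table above; the config shape and function name are assumptions for this sketch.

```python
from datetime import time

# Hypothetical config shape: v133 enables only the two net-positive sessions.
SESSION_MASK = {
    "RTH":        {"window": (time(9, 30),  time(16, 0)), "enabled": True},
    "ETH_EUROPE": {"window": (time(2, 0),   time(8, 30)), "enabled": True},
    "ETH_PRE":    {"window": (time(8, 30),  time(9, 30)), "enabled": False},
    "ETH_POST":   {"window": (time(16, 0),  time(18, 0)), "enabled": False},
    "ETH_ASIA":   {"window": (time(18, 0),  time(2, 0)),  "enabled": False},
}

def session_allows(now_et: time) -> bool:
    """True if the current ET clock time falls inside an enabled session.

    ETH_ASIA wraps midnight, so a window whose start is after its end
    is treated as two half-open intervals.
    """
    for cfg in SESSION_MASK.values():
        start, end = cfg["window"]
        inside = (start <= now_et < end) if start < end else (now_et >= start or now_et < end)
        if inside and cfg["enabled"]:
            return True
    return False
```

Re-enabling a session is then a one-line config flip, with no retrain, exactly as the text describes.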
3c. DOM pipeline reliability fix
An audit of the bridge’s DOM write path in April uncovered a silent-swallow bug:
a broad try/except around the MBP-10 subscription was discarding
errors without logging them, so failures of the live book feed could continue for minutes
before surfacing as downstream gaps. The fix (commit 41a4b67)
narrows the exception scope and forces a visible error on the bridge’s stderr stream
plus an alarm on the Gmail channel. No more silent failures: if the
live book is degraded, we know within seconds.
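The shape of the fix can be sketched as narrowing the exception scope and making the failure loud. This is an illustration of the pattern, not the actual bridge code: `subscribe` and `alarm` are hypothetical callables standing in for the IB depth request and the Gmail alarm hook.

```python
import sys

def subscribe_mbp10(subscribe, alarm):
    """Narrow-scope error handling for the book subscription (sketch).

    Only ConnectionError is caught; anything unexpected propagates
    instead of being swallowed by a broad except clause.
    """
    try:
        return subscribe()
    except ConnectionError as exc:
        # The pre-fix code discarded everything raised here. Now the
        # failure is visible on stderr and pages immediately.
        print(f"MBP-10 subscription failed: {exc!r}", file=sys.stderr)
        alarm(f"live book degraded: {exc}")
        raise
```

Re-raising after alarming matters: the supervisor sees the crash and restarts the bridge rather than letting it run with a dead book feed.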
4. Dashboard and logging
The public dashboard lives at log.bhf.capital — a Cloudflare Worker backed by Workers KV. It shows live state (bridge up, last tick, last fill, current session regime) and historical context. All of the dashboard’s inputs come from the signed data path; the Worker has no route to the broker and no credentials to trade.
Click telemetry from this site is posted to the same Worker (log.bhf.capital/click),
stored in KV, and reviewed during monthly marketing hygiene.
5. Watchdogs and alarms
- Tick heartbeat. If no tick has been seen for a configurable window during a known-open session, the watchdog pages via Gmail.
- CME maintenance-aware. The daily 17:00–18:00 ET window is masked. A clean shutdown of Sierra during maintenance is not an incident.
- Bridge supervisor. NSSM restarts the bridge on crash; an unrecoverable crash (three consecutive restart failures) escalates to email.
- Walk-forward drift. If the most-recent fold AUC on any head falls more than 2σ below its 30-day rolling mean, the retrain pipeline holds the next deploy and opens a review.
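The walk-forward drift rule is simple enough to state as code. A minimal sketch, assuming `history` holds the last 30 days of fold AUCs for one head; the function name is hypothetical.

```python
import statistics

def should_hold_deploy(fold_auc: float, history: list[float]) -> bool:
    """Hold the next deploy if the newest fold AUC falls more than
    2 sigma below the 30-day rolling mean (the drift rule above).
    """
    if len(history) < 2:
        return False  # not enough history to estimate sigma
    mean = statistics.fmean(history)
    sigma = statistics.stdev(history)
    return fold_auc < mean - 2 * sigma
```

A 2-sigma threshold on a 30-day window tolerates ordinary fold-to-fold noise while still catching a genuine regime break within one retrain cycle.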
6. Ship path for a new model
The end-to-end deploy of a new head is mechanical:
- Retrain pipeline builds model + model card on research tier.
- Purged walk-forward metrics are inspected against the prior release; regression triggers a hold.
- Signed tarball is pushed across the data path.
- Broker tier unpacks and verifies the hash; mismatch refuses the load.
- Bridge hot-swaps the head at the next RTH open, logs the swap, and continues.
No ad hoc “let me scp this model quickly” paths exist. The ship path is the only path.
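The broker-side verification step can be sketched as a hash check that refuses the load on mismatch. The check itself comes from the ship path above; the function name, file name, and error type are assumptions for illustration.

```python
import hashlib
from pathlib import Path

def verify_tarball(tarball: Path, expected_sha256: str) -> None:
    """Refuse to load a model whose tarball hash does not match the
    hash shipped with its model card (sketch of step 4 above).
    """
    digest = hashlib.sha256(tarball.read_bytes()).hexdigest()
    if digest != expected_sha256:
        raise ValueError(f"hash mismatch for {tarball.name}: refusing load")

# Demo with a hypothetical artifact, not a real release tarball.
demo = Path("believe-demo.tar.gz")
demo.write_bytes(b"model-bytes")
good = hashlib.sha256(b"model-bytes").hexdigest()
verify_tarball(demo, good)  # matching hash: load proceeds
```

Failing closed here is the point: a corrupted or tampered transfer produces a refused load and a log line, never a silently wrong model in production.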
7. Stack summary
| Tier | Host | Key components |
|---|---|---|
| Broker | Azure Windows VM | Sierra Chart, IB Gateway, Python bridge (NSSM) |
| Research | Linux cluster (claw) | Parquet store, backtester, retrain pipeline, monitoring |
| Public | Cloudflare Pages + Worker | bhf.capital, log.bhf.capital, trade.bhf.capital |