ADR 0010 — v1 per-user compute: shared Raptor process, per-request OAuth scope
Status: Superseded by ADR 0013 (2026-04-22)
Original date: 2026-04-22
Deciders: product owner (user), software-architect
Related: ADR 0008 (OAuth integration mode), ADR 0009 (token posture), ADR 0011 (premium-tier compute), docs/architecture/multi-tenant-alpaca.md §5
Parent epic: #183
Supersede note (2026-04-22): ADR 0010 decided the v1 runtime posture assuming every user's trades routed through Alpaca OAuth. Under the MBT reframe (ADR 0013), the primary runtime question is not "how do we scope an Alpaca token per request" but "how does MBT's order matcher serve many users in one shared process." The answer remains shared single-process Raptor with per-user scoping — but the scoping attribute is now {user_id, account_id} against MBT's own tables, not an Alpaca OAuth connection. ADR 0013 restates the posture for MBT. Content preserved for historical traceability.
Context (original)
Multi-tenant Raxx needed to decide how per-user work is executed server-side. Options span a spectrum from shared single-process through microVM-per-user. Original ADR decided:
Decision (original — now superseded)
v1 runs a shared single-process Raptor backend. Per-user isolation is by OAuth scope + authz + request tracing, not by compute boundary.
Execution model:
- One Flask process serves all users.
- Each request resolves to user_id via the session table.
- For any Alpaca-touching operation, middleware fetched the user's alpaca_connections row, decrypted the token via KMS, and constructed a per-request Alpaca client.
- Rate limiting per-user, per-endpoint; step-up WebAuthn on live actions.
Why superseded
Under MBT:
- The "per-request Alpaca-client construction" path now applies only to the narrow live-broker-handoff subset.
- The primary per-user operation is against MBT's tables (accounts, positions, orders, fills). Isolation is by row-level authz (user_id foreign key + session-attached user) against the same Flask process.
- Rate limiting moves from "Alpaca per-account budget" to "per-tier user budget" (Free 60/min / Pro 600/min / Pro+ 3000/min per docs/marketing/pricing.md). See docs/architecture/session-engine.md §6.
- Step-up WebAuthn posture unchanged (and now covers MBT's env=live submit-to-broker action as well as credential changes).
The shared-process choice remains correct; the scoping attribute shifts. ADR 0013 restates the current posture.
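A sketch of the row-level scoping and per-tier budget described above, added here as an illustration and not taken from the Raptor or MBT code base. Table and column names, tier keys, the Limiter class and list_orders are assumptions; Flask is left out and sqlite3 stands in for MBT's tables so the block runs on its own.

```python
import sqlite3
import time
from collections import defaultdict, deque

# Per-tier budgets (requests per minute) as listed in this ADR.
TIER_BUDGET = {"free": 60, "pro": 600, "pro_plus": 3000}

def make_db():
    """Constructed sample data; table and column names are assumptions."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sessions (token TEXT PRIMARY KEY, user_id INTEGER, tier TEXT);
        CREATE TABLE accounts (account_id INTEGER PRIMARY KEY, user_id INTEGER);
        CREATE TABLE orders (order_id INTEGER PRIMARY KEY, account_id INTEGER,
                             user_id INTEGER, symbol TEXT);
        INSERT INTO sessions VALUES ('tok-alice', 1, 'free'), ('tok-bob', 2, 'pro');
        INSERT INTO accounts VALUES (10, 1), (20, 2);
        INSERT INTO orders VALUES (100, 10, 1, 'AAPL'), (200, 20, 2, 'MSFT');
    """)
    return db

class Limiter:
    """Sliding 60-second window keyed by user_id, sized by the user's tier."""
    def __init__(self):
        self.hits = defaultdict(deque)

    def allow(self, user_id, tier, now=None):
        now = time.monotonic() if now is None else now
        window = self.hits[user_id]
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= TIER_BUDGET[tier]:
            return False
        window.append(now)
        return True

def list_orders(db, limiter, session_token, account_id, now=None):
    """Return (status, rows). user_id comes only from the session row."""
    row = db.execute("SELECT user_id, tier FROM sessions WHERE token = ?",
                     (session_token,)).fetchone()
    if row is None:
        return 401, []
    user_id, tier = row
    if not limiter.allow(user_id, tier, now):
        return 429, []
    # Scope on both attributes: another user's account_id matches no rows.
    rows = db.execute("SELECT order_id, symbol FROM orders "
                      "WHERE user_id = ? AND account_id = ?",
                      (user_id, account_id)).fetchall()
    return 200, rows
```

The client supplies only the session token and account_id; because user_id is never read from request input, a guessed account_id belonging to another user returns an empty result rather than that user's rows.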
Compliance checklist
Carried over to ADR 0013.
Revisit when
N/A — superseded. Amendments go on ADR 0013.