ADR Index
Canonical numbered list of all Architecture Decision Records, in numerical order. Each ADR number is unique. Where a number appears more than once below, it reflects a known pre-existing collision tracked separately (0103, 0105); the 0004/0017/0018/0020/0028/0029/0050/0051/0052/0076/0085/0088/0096 collisions were resolved in #3462 by renumbering the duplicate to 0116–0128.
| ADR | Decision | File |
|---|---|---|
| 0001 | WebAuthn / Passkeys as the Only Authentication Factor | 0001-webauthn-passkeys-only.md |
| 0002 | No Stored Credentials (Enforcement) | 0002-no-stored-credentials.md |
| 0003 | GDPR by Default | 0003-gdpr-by-default.md |
| 0004 | raxx-console Stack: Flask + Jinja2 + HTMX + Tailwind CDN | 0004-console-stack-choice.md |
| 0005 | iOS WebAuthn: Reuse raxx.app as the RP ID (scope: web + iOS only) | 0005-ios-webauthn-rp-id.md |
| 0006 | iOS Offline Posture: Read-Only Cached State | 0006-ios-offline-read-only.md |
| 0007 | iOS subscription billing: Apple In-App Purchase | 0007-ios-subscription-billing-iap.md |
| 0008 | Alpaca integration mode: OAuth 2.0 (user-delegated) for v1 | 0008-alpaca-oauth-integration-mode.md |
| 0009 | OAuth access token at rest: documented invariant exception | 0009-oauth-token-posture.md |
| 0010 | v1 per-user compute: shared Raptor process, per-request OAuth scope | 0010-v1-shared-per-request-runtime.md |
| 0011 | Premium "fully-hosted workflow" tier: Fargate + Firecracker microVM candidate | 0011-premium-tier-compute-platform.md |
| 0012 | Console WebAuthn: Separate RP ID (console.raxx.app) | 0012-console-separate-webauthn-rp-id.md |
| 0013 | MBT: Raxx-native paper-trading engine, displacing per-user Alpaca OAuth for paper | 0013-mbt-paper-trading-engine.md |
| 0014 | Alpaca scope: server-side market-data account + Pro+ live-broker handoff only | 0014-alpaca-scope-reframe.md |
| 0015 | MBT defaults are profile-driven, not fixed config knobs | 0015-mbt-investor-profile-model.md |
| 0016 | Founders Trial: Celery beat for daily sweep, not APScheduler | 0016-founders-trial-celery-scheduler.md |
| 0017 | E2E Encryption with Opt-In Shadow Analytics: Architecture Posture | 0017-e2e-with-shadow-analytics-posture.md |
| 0018 | Founders Referral: cookie-primary attribution with URL-param fallback | 0018-referral-attribution-cookie.md |
| 0019 | Founders Grace: business-day calendar library choice | 0019-business-day-calendar.md |
| 0020 | Branch promotion model: tag + environment approval gate | 0020-branch-promotion-soak-gate.md |
| 0021 | Trace Storage: Timescale vs Plain Postgres vs ClickHouse vs Others | 0021-trace-storage-timescale-vs-postgres.md |
| 0022 | Event Log: Append-Only + Hash Chain for Tamper Evidence | 0022-event-log-append-only-hash-chain.md |
| 0023 | Render ID Granularity: Per-View vs Per-Component vs Per-Field | 0023-render-id-granularity.md |
| 0024 | Env Switcher: Session-resident selected_env vs DB column | 0024-env-switcher-state-storage.md |
| 0025 | Env Switcher: RBAC gate on switching vs gate on mutation | 0025-env-switcher-rbac-gate.md |
| 0026 | Feature Flag Persistence: DB table vs external store vs env-var-only | 0026-feature-flag-persistence.md |
| 0027 | Feature Flag Env Scoping: per-env rows vs single row with override | 0027-feature-flag-env-scoping.md |
| 0028 | Intentional friction on prod deploys: manual gate over full automation | 0028-prod-deploy-intentional-friction.md |
| 0029 | Console staging retirement: why console retires staging while API keeps it | 0029-console-staging-retirement-rationale.md |
| 0030 | Status Page State Machine: canonical states, transitions, and actors | 0030-status-state-machine.md |
| 0031 | Platform Auth Posture: Defense-in-Depth Across Surface Classes | 0031-platform-auth-posture.md |
| 0032 | Customer account recovery: A+B only (multi-passkey + backup codes; no email recovery; no agent re-enrollment) | 0032-customer-account-recovery-a-plus-b-only.md |
| 0033 | CI runner posture: transient-failure retry + Ubicloud migration trigger | 0033-self-hosted-ci-runners.md |
| 0034 | Console-driven deploy flow with GitHub Actions status callbacks | 0034-console-driven-deploy-flow.md |
| 0035 | Staging-to-prod flag promotion: explicit promotion queue over ambient drift | 0035-flag-promotion-staging-to-prod.md |
| 0036 | Async Run-ID Resolution for Console Deploy Dispatch | 0036-deploy-async-run-id-resolution.md |
| 0037 | Velvet — Service-Bus Subscription Model | 0037-velvet-service-bus-subscription-model.md |
| 0038 | Velvet — Three-Stage Operational Rotation Flow | 0038-velvet-three-stage-operational-flow.md |
| 0039 | Velvet — 401 Unauthorized as the Revocation Success Criterion | 0039-velvet-revocation-401-criterion.md |
| 0040 | Velvet — Static Manifest for Consumer Registration (No Runtime API) | 0040-velvet-consumer-registration-static-manifest.md |
| 0041 | Velvet consumer registration: runtime API + manifest bootstrap (supersedes ADR-0040) | 0041-velvet-runtime-registration-supersedes-0040.md |
| 0042 | Auth Unification: Hybrid Identity Model | 0042-auth-unification-hybrid-model.md |
| 0043 | Auth Unification: RBAC Reconciliation | 0043-auth-rbac-reconciliation.md |
| 0044 | Console Self-Deploy Web Layer: Option Selection + Topology | 0044-console-self-deploy-web-layer.md |
| 0045 | Support Portal Topology: CF Pages + Raptor Proxy (Option A) | 0045-support-portal-topology.md |
| 0046 | Support Portal: FreeScout API Token in Infisical (not SSM) | 0046-support-portal-secret-store.md |
| 0047 | Track B: CORS origin allowlist for raxx.app on raxx-api-prod | 0047-track-b-cors-origin-allowlist.md |
| 0048 | Track B: Align deploy-antlers.yml tag trigger with release-please tag format | 0048-track-b-tag-trigger-alignment.md |
| 0049 | Track B: v1.0 Alpaca credential shape — single operator set, paper only | 0049-track-b-v1-alpaca-cred-shape.md |
| 0050 | Fidelity API surface: target WIX (Wealthscape Integration Xchange), fallback FDX read-only | 0050-fidelity-api-surface-choice.md |
| 0051 | Drift prevention: layered structural controls | 0051-drift-prevention-layered-controls.md |
| 0052 | Broker adapter interface: BrokerAdapter ABC with registry, not extending alpaca_integration.py | 0052-broker-adapter-interface.md |
| 0053 | New-surface deploy workflow template structure | 0053-new-surface-deploy-workflow-template.md |
| 0054 | Ticket-Scoped Role Grants — State in DB, Validated Per Request | 0054-rbac-ticket-scoped-grants.md |
| 0055 | RBAC Grant Mutations — Pre-Write Audit Pattern | 0055-rbac-pre-write-audit.md |
| 0056 | Permission Resolution — Session-Embedded Cache (Option A) | 0056-rbac-session-embedded-permission-cache.md |
| 0057 | Break-Glass Grant — Time-Limited, Justification-Required, Alert-First | 0057-rbac-break-glass-time-limit.md |
| 0058 | Unified Customer Audit: Single Table vs Federated Tables | 0058-unified-audit-single-table.md |
| 0059 | Shadow Tables: Postgres Triggers vs Application Dual-Write | 0059-shadow-table-triggers-vs-dual-write.md |
| 0060 | Unified Audit RBAC: Role-Gated Dimensions vs Feature-Flag-Gated Dimensions | 0060-unified-audit-rbac-matrix.md |
| 0061 | Ticket-State-Aware Notification: Two-Path Model for Dim-3 Operator Reads | 0061-ticket-state-aware-notification-two-path.md |
| 0062 | Deny-List + Per-Action Allowlist for State-Diff PII in Audit Rows | 0062-deny-list-plus-per-action-allowlist-state-diff-pii.md |
| 0063 | Scale Tier Latency Budget + Numeric Upgrade Triggers for Shadow-Table Writes | 0063-scale-tier-latency-budget-trigger-upgrade.md |
| 0064 | SOC-2 Retention SLA, Auditor Role, and Attestation Cadence | 0064-soc2-retention-sla-auditor-role-attestation.md |
| 0065 | Queue v1: Strangler-Fig over Greenfield | 0065-queue-strangler-fig-vs-greenfield.md |
| 0066 | Queue v1: Co-location as Flask Blueprint Mounted in Raptor | 0066-queue-colocation-blueprint-mount.md |
| 0067 | Queue: Signed JWT for Session Tokens (Offline Verification) | 0067-queue-jwt-offline-verification.md |
| 0068 | Queue: Fail-Closed on Outage (No Credential Cache in Raptor) | 0068-queue-fail-closed-on-outage.md |
| 0069 | psycopg2-binary as Raptor's Postgres driver | 0069-psycopg2-binary-over-psycopg3.md |
| 0070 | pytest-postgresql over testcontainers for Raptor test fixtures | 0070-pytest-postgresql-over-testcontainers.md |
| 0071 | Stripe Billing Tables — Queue as the Authoritative Store | 0071-stripe-billing-queue-as-authority.md |
| 0072 | SNS/SQS/SES Durable Email Delivery with DLQ at Both Layers | 0072-durable-email-sns-sqs-ses.md |
| 0073 | Stripe Billing v1 Implementation Home — Raptor Stopgap | 0073-stripe-v1-home-decision.md |
| 0074 | Email Delivery v1 — Hybrid Architecture (Postmark + SNS/SQS/Lambda) | 0074-email-delivery-hybrid-postmark-v1.md |
| 0075 | Billing Stays in Queue — Operator Override of ADR-0073 | 0075-billing-stays-in-queue-operator-override.md |
| 0076 | Queue Phase 1 + Billing v1 — Aggressive 12-Day Plan (Python) | 0076-queue-phase1-billing-v1-aggressive-12day.md |
| 0077 | Cloudflare WAF as Layer 1 of Raxx Layered Defense | 0077-cloudflare-waf-layered-defense.md |
| 0078 | Queue Cloudflare Edge Protection | 0078-queue-cf-edge-protection.md |
| 0079 | WCB Snapshot-Only Storage with Compute-on-Render Trajectory | 0079-wcb-snapshot-storage.md |
| 0080 | Support Portal: API Contract, JWT Shape, and Privacy Boundary Algorithm | 0080-support-portal-api-contract.md |
| 0081 | New-surface deploy/preview convention as Raxx standard | 0081-surface-convention.md |
| 0082 | Terraform deployment pipeline pattern (Option D: GH Actions + AWS OIDC) | 0082-terraform-pipeline-pattern.md |
| 0083 | Infisical Google OIDC SSO via Cloudflare Access | 0083-infisical-google-oidc-sso.md |
| 0084 | Burr v2: Multi-Region OIDC Gateway with R53 Latency Routing + Auth Down Failover | 0084-burr-v2-multi-region-oidc-gateway.md |
| 0085 | Flag Reconciler: Bidirectional Sync with Drift-as-Kill-Switch | 0085-flag-reconciler-bidirectional-sync.md |
| 0086 | vcpkg Lockfile Policy — Decline (Path B) | 0086-vcpkg-lockfile-policy.md |
| 0087 | CI Guard for vcpkg Manifest Changes | 0087-vcpkg-manifest-ci-guard.md |
| 0088 | Docs site tooling: custom Python builder for v1 | 0088-docs-site-tooling-choice.md |
| 0089 | Queue vcpkg.json Full Audit Against Pinned Baseline — 2026-05-14 UTC | 0089-queue-vcpkg-audit-2026-05-14.md |
| 0091 | Alerting Source Selection and On-Call Agent Runtime | 0091-alerting-source-and-oncall-agent.md |
| 0093 | Raptor SQLite → Postgres Migration (Path B, v1-blocking) | 0093-raptor-postgres-migration.md |
| 0094 | Founders Gate: Fail-Open Posture and Overshoot Tolerance | 0094-founders-gate-threshold-posture.md |
| 0095 | Deploy Modal Phase Progression — Option A (Fine-Grained Workflow Callbacks) | 0095-deploy-modal-phase-option-a.md |
| 0096 | Console Dashboard V2: Split-View Layout (Option B) | 0096-console-dashboard-v2-split-view.md |
| 0098 | Flag Operator UX Hardening + Pony-Style Internal Docs | 0098-flag-operator-ux-and-pony-docs.md |
| 0099 | raptor_app Least-Privilege Postgres Role (Option A) | 0099-raptor-app-least-privilege-role.md |
| 0100 | EU GDPR Article 27 Representative Posture | 0100-eu-art-27-rep-posture.md |
| 0101 | Nightly Scan-to-Issue Pipeline Rewrite | 0101-nightly-scan-to-issue-rewrite.md |
| 0102 | Founders Promo Scheduler: APScheduler (supersedes ADR-0016) | 0102-founders-promo-scheduler-apscheduler.md |
| 0103 | BCP Backup Posture: vault snapshots, TF state versioning, and restore drills | 0103-bcp-backup-posture.md |
| 0103 | Public docs content parity: what ships at v1 vs post-v1 | 0103-public-docs-content-parity-v1.md |
| 0104 | Customer-Facing Error Code Format | 0104-customer-error-code-format.md |
| 0105 | Addendum: Phase 0 Next.js Scaffold Spec | 0105-addendum-phase0-nextjs-scaffold.md |
| 0105 | Antlers frontend framework evaluation | 0105-antlers-rewrite-framework-eval.md |
| 0105 | @cloudflare/next-on-pages compatibility audit — 2026-05-27 | 0105-cf-pages-compat-audit-2026-05-27.md |
| 0106 | Antlers Next.js production cutover strategy | 0106-antlers-nextjs-cutover-strategy.md |
| 0107 | Strategy Library: user-defined rule grammar + enforcement posture | 0107-strategy-library.md |
| 0108 | MBT Engine Design: Raxx-native paper-trading simulator | 0108-mbt-engine-design.md |
| 0109 | BYOB Broker Tier Model and Post-Launch Roadmap | 0109-byob-roadmap.md |
| 0110 | MBT Phase 2: Intraday 1-Minute Bar Feed | 0110-mbt-intraday-bar-feed.md |
| 0111 | Burr v2 Migration: Self-Owned Multi-Region OIDC Gateway | 0111-burr-v2-migration.md |
| 0112 | Clarity install method: manual script vs NPM package | 0112-clarity-install-method-2026-06-04.md |
| 0113 | Account Merge Architecture | 0113-account-merge-architecture.md |
| 0114 | WCB Tier Gate and User Ownership via Queue JWT | 0114-wcb-queue-awareness.md |
| 0115 | Beta Phase 2: Join Token Design | 0115-beta-phase2-join-token-design.md |
| 0116 | iOS App Stack: Native Swift/SwiftUI | 0116-ios-stack-swiftui-native.md |
| 0117 | Founders Referral: 6-byte base64url slug for link identifiers | 0117-referral-slug-entropy.md |
| 0118 | Shadow-analytics data goals + consent-UX consequences | 0118-shadow-analytics-data-goals.md |
| 0119 | RBAC — Groups as the permission bridge; centralized identity authority | 0119-rbac-groups-not-direct-roles.md |
| 0120 | Status Page Hosting: where does /api/status/public live? | 0120-status-page-hosting.md |
| 0121 | Status Surface Registry: where and how is the surface list stored? | 0121-status-surface-registry.md |
| 0122 | Trunk-based SDLC affirmed; Gitflow rejected; hardening plan for drift and revert friction | 0122-trunk-based-sdlc-affirmed.md |
| 0123 | Fidelity auth flow: 3-legged OAuth 2.0 with PKCE; no credential hand-off to Raxx | 0123-fidelity-auth-flow.md |
| 0124 | New-surface hosting tier classification | 0124-new-surface-hosting-tiers.md |
| 0125 | Queue Phase 1 + Billing v1 — C++ Implementation | 0125-queue-phase1-cpp-billing-v1.md |
| 0126 | vcpkg Version Pinning Policy for Tier-1 C++ Services | 0126-vcpkg-version-pinning-policy.md |
| 0127 | Stripe Webhook Failure Strategy: 5xx to Stripe, Not 2xx + Local Queue | 0127-webhook-idempotency-5xx-not-local-queue.md |
| 0128 | Per-PR Context Swap: Agent Identity Routing | 0128-per-pr-context-swap-agent-identity.md |