Raxx iOS Companion App — Architecture Sketch v1

Status: Draft Owner: software-architect Date: 2026-04-22 Parent epic: #78 — Exploration Platform for Individual Traders Related ADRs: 0004, 0005, 0006

Goal + non-goals

v1 ships: portfolio view, positions, order status, paper-trading order entry, push alerts for fills and risk events, passkey sign-in.

v2+ (not in scope here): live-order entry from iOS, options chain UI, charting, Face ID step-up for live-mode toggle, biometric-gated watchlists sync.

Invariants that apply: no stored credentials, passkey/WebAuthn only, email-only contact, GDPR-by-default, paper-first gating, audit trail on every money/permission state change.

Stack choice — native Swift/SwiftUI

See ADR 0004 for the full decision. Short rationale: the AuthenticationServices framework is the only sanctioned path to platform passkeys on iOS; it is a native-only API. Wrapping it in React Native or Capacitor adds bridging complexity with no UX or code-sharing gain given that Antlers (the web frontend) is not a React Native app. PWA wrappers cannot call AuthenticationServices at all. SwiftUI is the current Apple-supported UI framework; its learning curve is lower than UIKit for greenfield work and produces smaller, auditable binaries.

Auth flow on iOS

Invariant respected: passkey/WebAuthn only; no stored credentials.

iOS 16+ exposes passkeys through ASAuthorizationController + ASAuthorizationPlatformPublicKeyCredentialProvider. Credentials sync via iCloud Keychain (encrypted, Apple holds no plaintext). The RP ID is raxx.app — the same RP used by the web app (see ADR 0005 and §open questions). This means a passkey created on the web can be asserted from the iOS app and vice versa, which is the correct user experience.

The auth handshake:

sequenceDiagram
    participant U as User (iOS)
    participant App as Raxx iOS
    participant AS as AuthenticationServices (OS)
    participant R as Raptor (api.raxx.app)

    U->>App: Tap "Sign in"
    App->>R: POST /api/auth/login/options
    R-->>App: PublicKeyCredentialRequestOptions (challenge)
    App->>AS: ASAuthorizationController.performRequests()
    AS->>U: Face ID / Touch ID / iCloud Keychain picker
    U-->>AS: Biometric confirmed
    AS-->>App: ASAuthorizationPublicKeyCredentialAssertion
    App->>R: POST /api/auth/login/verify {assertion}
    R-->>App: Set short-lived API token (15 min, per auth.md §6)
    App->>App: Store token in Keychain (not credential — opaque session token)

The app stores the opaque API token in the iOS Keychain (not iCloud-synced) with kSecAttrAccessibleWhenUnlockedThisDeviceOnly. It is not a passkey private key — it is the same short-lived session token that the web uses, and is revocable server-side immediately. This does not violate the no-stored-credentials invariant.

Step-up (e.g. confirming a paper order above a threshold) calls performRequests() again before sending the request to Raptor.

Data access pattern

Direct to api.raxx.app. No iOS-specific API layer or BFF in v1. All existing /api/* endpoints are consumed as-is. If iOS-specific endpoints become necessary (e.g. APNs device token registration — see below), they are added to Raptor as thin additions, not a separate service.

Offline posture

See ADR 0006. When the device has no network the app presents cached state from the last successful fetch — portfolio snapshot, positions, last known fill list — with a visible "Last updated at HH:MM" banner. All interactive controls (order entry, settings changes) are disabled with an explanatory prompt. The app does not queue orders for offline submission; trading requires real-time data and a connected Raptor. This is "read-only cache" posture, not "offline-capable."

Push notifications (APNs)

Invariant respected: email is the single contact channel. Push notifications are an in-app engagement feature, not a contact channel. They require the user's explicit iOS permission grant.

APNs setup requires: 1. An Apple Developer account with the push notification entitlement for the app bundle ID. 2. A new Raptor endpoint POST /api/devices/apns that registers a device token against an authenticated user. The token is stored in a new apns_device_tokens table (user_id, token, created_at, revoked_at) — not PII per se, but subject to GDPR erasure on DSR. 3. Raptor dispatches APNs pushes via Apple's HTTP/2 APNs API using a private key stored in the secret store (rotatable, never in code).

v1 event scope (narrow): paper fill confirmed, paper order rejected, session about to expire (15 min warning), breach/security alert from the platform. Live-trading alerts are v2 (paper-first gate blocks live execution from iOS in v1 anyway).

Silent background refreshes (background app refresh entitlement) are acceptable for portfolio data; no location or health entitlements are needed.

App Store review risks

These are known friction points to anticipate, not solved here:

• Guideline 5.2.1 (Legal — Consumer Protections): Apps offering securities trading must carry the appropriate broker-dealer disclosures. Raxx will need to clarify its relationship with the executing broker (Alpaca) and display the required disclosures on the order entry screen.
• Guideline 4.7 (HTML5 Games / Web Apps): Not triggered by native SwiftUI; would be triggered if we shipped a PWA wrapper. Another reason to go native.
• Guideline 3.1.1 (In-App Purchase): Resolved 2026-04-22 — Raxx uses Apple IAP (StoreKit 2). See ADR 0007. 15% cut (Small Business Program) absorbed as cost of native subscription management + clean App Store review path. Downstream: backend needs receipt validation + server-to-server notification endpoint.
• App Review guideline 1.4.3 (Physical Damages): Apps must not encourage financial harm. The paper-first gating invariant and the required disclosures address this, but the review notes must document the paper-mode default.
• Age rating: Financial trading apps are typically rated 17+ due to simulated gambling / financial risk content. Budget for this in the App Store listing.

Decisions locked (2026-04-22)

All original blocker questions resolved by the user:

1. RP ID: raxx.app confirmed as the single production RP ID — shared across web, iOS, and console. Immutable once users start registering passkeys. See ADR 0005.
2. iOS subscription billing: Apple IAP (StoreKit 2). User rationale: "security and control for users, no games." Accepts 15–30% Apple cut. See ADR 0007.
3. Apple Developer account owner: User already has an individual Apple Developer account and will proceed with development on it. Transfer to the LLC happens after LLC formation completes (currently in flight via #153, blocked on attorney consult #151). Development work is not blocked waiting for the transfer — Apple has a formal account-transfer process that runs after both accounts exist.
4. iOS 16+ floor: Accepted. ~5% of active iPhones excluded; acceptable for a pre-launch product with a passkeys-only auth invariant that requires iOS 16 anyway.

Non-blocking follow-ups

• APNs private key rotation runbook. No documented procedure yet. File as a card once operations cadence is established; this is a v2 concern, not a v1 blocker.
• LLC → Apple Developer account transfer. File a card blocked on #153 (form PA LLC). Runbook: Apple's "Transfer an app to another developer account" process, after org Apple Developer enrollment completes.