Raxx — Comprehensive Product Review

Business + Legal Research Brief

Status: research-only. This document does NOT constitute legal, tax, or investment advice. Every section that touches law or regulation ends with "Questions for your [pro type]." Before acting on any finding, consult: a securities attorney licensed in Pennsylvania (Investment Advisers Act §202(a)(11)), a consumer-protection attorney (FTC + PA UTPCPL), a PA-admitted business attorney (entity/IP), and a CPA (S-Corp election, SaaS sales tax).

Last updated: 2026-05-29 UTC. Sources as of that date — verify freshness before any meeting. Per feedback_human_to_human_drive: upload to Google Drive before attorney or CPA meeting.

1. Executive Summary

Top-3 launch-blocking gaps

Securities-attorney sign-off on MBT educational overlay copy is not complete. ADR-0108 Open Question for the attorney (Q-A through Q-E per docs/business-legal/mbt-securities-attorney-prep-2026-05-20.md) has not received a written opinion. The investor-profile narrative, pattern-match notifications ("setup matches your 90-day winning profile"), and the paper-to-live auto-promotion prompt are all in scope. Without a written memo, any public-facing use of the investor-profile overlay creates unresolved Investment Advisers Act §202(a)(11) exposure.
IP assignment from founder to MooseQuest LLC has not been executed. MooseQuest LLC was formed 2026-05-22 UTC. All Raxx source code, brand assets, and domain names were created by Kristerpher Henderson personally before formation. Until a signed IP assignment agreement is executed (Matthew Crosby or retained formation counsel), the LLC does not legally own Raxx. This gap affects: bank account opening, trademark filings under the LLC, diligence cleanliness for any investor or partner, and the enforceability of any contractor IP clause the LLC later tries to assert.
The landing-page hero mock shows specific backtest statistics (+34.2% total return, 1.87 Sharpe, -8.4% max drawdown) without a proximate backtest disclaimer. Per the marketing compliance brief (docs/business/raxx-marketing-compliance-brief-2026-05-27.md) and FTC Section 5 (15 U.S.C. § 45), displaying a hypothetical performance figure in a product mock without a clear "hypothetical — does not represent actual trading results" disclaimer adjacent to the figure carries consumer-protection exposure. This is a one-line code change but requires attorney confirmation of disclaimer language before the landing site removes its noindex header and accepts public traffic.

Top-3 launch-readiness strengths

Core product thesis is architecturally sound and legally conservative. Strategy Library (ADR-0107) enforces user-defined rules server-side (entry rules: HTTP 422 rejection, PR #3024). Exit rules stored for backtest use. No Raxx-authored recommendations. No AI in the order-firing path. This is the "inanimate tool" posture that SEC no-action guidance (FPL 1994, SunAmerica 2001) and the April 2026 SEC staff statement protect. The framing is well-documented and consistent across the codebase.
Authentication is passkey-only (WebAuthn), with no stored passwords. ADR-0001 and ADR-0002 ensure no credential material is held by Raxx. The signup flow ships a hardware-key reminder cycle (PR #3068) rather than dead-ending users without a second passkey. This is a genuine differentiator in the retail fintech space and a clean story for a securities attorney — Raxx cannot expose what it does not hold.
Geo-blocking for EU/EEA and Quebec is implemented and confirmed deployed. EU geo-block (FLAG_SIGNUP_GEOBLOCK_EU=1) eliminates GDPR Article 27 representative requirement and 4+ DPA regimes at v1. Quebec geo-block eliminates Bill 96 / OQLF exposure (up to CAD $30,000/day). Both decisions are operator-locked and architecturally clean.

2. Customer Journey Gap Matrix

Research-only. Gap characterization draws from ADRs, PRs, and codebase inspection as of 2026-05-29 UTC. "Owner" refers to the type of work required, not an individual.

Step	Current state	Gap	Gap type	Urgency
Discovery — hears about Raxx	getraxx.com is live; CF Access login-wall removal documented in runbook (`docs/ops/runbooks/getraxx-launch-day-cf-access-removal.md`). Site currently has `noindex` header in place.	CF Access removal is a Terraform destroy — operator action. Until executed, real users and crawlers see auth challenge, not the marketing site.	Operator action	HIGH (launch-day)
Marketing site — first impression	Hero copy ("You already decided the structure. Entry, credit, exit — defined before the trade. Raxx holds you to it.") is clean. Pricing page shows four tiers.	(1) Hero product mock shows +34.2% total return without proximate backtest disclaimer. (2) Footer has no investment-adviser disclaimer. (3) Privacy and Terms pages are attorney-drafted drafts with "DRAFT" banners (PR #3001) — not yet attorney-approved final text.	Legal	HIGH
Waitlist signup	WaitlistSection component exists. Backend endpoint wired per PR history. Double-opt-in copy confirmed.	Cookie consent banner gated behind FLAG_GETRAXX_COOKIE_BANNER — not yet live. Analytics (PostHog/Clarity) may fire before banner confirmation. Operator must confirm whether analytics are gated off until banner ships.	Engineering / Legal	MEDIUM
Founders cohort invite — receives link	signup-bootstrap-link endpoint (Option C, PR accd65bc on current branch) ships URL-token flow for invite-gated signup.	PR not yet merged to main. Founders cohort invite distribution mechanism (who gets invited, when, via what list) is operator-process, not yet documented.	Operator action / Engineering	HIGH (before first invite)
Signup — passkey registration	WebAuthn passkey-only flow, RP ID raxx.app, two passkey minimum enforced with 30-day reminder cycle (PR #3068). Geo-blocks for EU/Quebec active.	Account recovery (ADR-0032) relies on identity-verification path (Option A + B only, no password recovery). Recovery UX not yet fully visible in Antlers. Users who lose all passkeys have a support-escalation path only.	Engineering / UX	MEDIUM
Email verification	verify-email flow exists (`/verify-email/pending`, `/verify-email/confirm`). Postmark approved out of sandbox.	Sentry alerts on `skipped_no_postmark_token` pending operator action (mint signing key for reminder cron per #3061). Until signing key + Postmark template are created, reminder emails do not fire.	Operator action	HIGH
Onboarding wizard	Wizard page (`/wizard`) exists. Onboarding broker page (`/onboarding/broker`) exists. Risk page (`/onboarding/risk`) exists.	BrokerConnect step (PR #3057 referenced in ADR-0109) — status unclear from current branch; confirm it is merged before operator testing. Display name capture (#474) is open and ready-for-dev — a user cannot complete onboarding without a display name.	Engineering	MEDIUM
Broker connection	Alpaca paper trading is the v1 default. FLAG_MBT_ENGINE gates the new Raxx-native simulator (ADR-0108, Proposed).	MBT engine is "Proposed" (not shipped). v1 paper trading still routes through Alpaca paper endpoint via `paper_order_service.py`. Shared server-side Alpaca credential means paper is not per-user isolated. Migration to MBT is post-launch work. Live broker connection for Pro/Pro+ requires BYOB Tier A attorney sign-off (ADR-0109 OQ-1).	Engineering / Legal	HIGH (for live; MEDIUM for paper)
First paper trade	Strategy Library (ADR-0107) ships server-side entry rule enforcement (PR #3024). Five templates available client-side. Paper order service routes to Alpaca.	Exit rules (profit target, stop loss, DTE) stored but NOT auto-enforced server-side (documented in ADR-0107 as v1 scope decision). Users setting exit rules expect auto-close; they will not get it in v1. This is a UX expectation gap, not a bug. The product must clearly communicate this.	Design / Copy	HIGH
Backtest	Backtest runner (`backend_v2/api/services/backtest_runner.py`) reads exit rules, returns equity curve + stats. Equity-only strategies covered.	Options strategies return `{"error": "strategy_not_equity_compatible"}` in v1. Phase 4b (options backtesting) is undesigned. Users creating options strategies get an error on backtest — must be clearly communicated in UI.	Engineering / UX	MEDIUM
Strategies view	Strategies CRUD (`/api/strategies`), per-user scope and ownership checks, audit log integration. Template pre-fill.	No kill-switch flag (`FLAG_STRATEGY_ENFORCEMENT_ENABLED`) for entry rule enforcement (ADR-0107 Open Question #1). If enforcement produces false-positive rejections in production, disabling requires a code deploy.	Engineering	MEDIUM
Options trading	Options page exists (`/options/page.tsx`). Multi-leg support in ADR-0107 (credit_min_amount enforcement).	Options backtest not supported (v1). Multi-leg options fill engine in MBT (ADR-0108) handles per-leg fill evaluation but is not yet shipped (FLAG_MBT_ENGINE=0). Single vs. multi-leg behavior must be clearly disclosed.	Engineering / UX	MEDIUM
Paper-first graduation gate	Graduate page (`/graduate/page.tsx`). PR #3021 ships paper-first gate. Reads from Raptor Postgres when FLAG_MBT_ENGINE=1; reads from Alpaca paper endpoint when FLAG_MBT_ENGINE=0.	With MBT engine not yet on, graduation reads from Alpaca paper — which means fill history and performance are not Raxx-owned. This is architecturally correct for v1 but means the gate is dependent on Alpaca API availability.	Engineering	LOW (acceptable for v1)
Live trading graduation	BYOB Tier A: Alpaca live handoff for Pro+ (ADR-0014). Velvet token storage.	Securities attorney opinion on Section 15(a) has not been obtained (ADR-0109 OQ-1). Tier A BYOB production deployment (Tradier, tastytrade, Alpaca BYOB) is blocked until the opinion letter arrives. No live trading for non-Alpaca brokers at v1.	Legal	HIGH (for BYOB expansion; Alpaca-only path may be lower risk — confirm with attorney)
Settings / account management	Settings page (`/settings/page.tsx`). DSR page at `/privacy/data-request`. Unsubscribe from reminders at `/reminders/unsubscribe`.	Billing management (Stripe portal, subscription upgrade/downgrade, cancellation) — Stripe webhook handler (#1682) status unclear. If paid subscriptions open at launch, this is a critical gap.	Engineering	HIGH (if paid tiers open at launch)
6-month customer — ongoing retention	Founders $29/6mo price lock. 30-day rollover notice promised in FAQ. Reminder cron ships escalating cadence (#3068).	(1) Reminder cron requires signing key + Postmark template (operator action, #3061). (2) Founders 6-month rollover to Pro+ is a Celery scheduler task (ADR-0102 / ADR-0016) — confirm this job is deployed and tested before first Founders customer hits the 6-month mark. (3) No automated in-app engagement surface for long-term retention beyond reminders.	Operator action / Engineering	HIGH (for #3061 before any reminder fires)

3. Legal Compliance Scorecard

Research-only. This is NOT legal advice. Every status is a research finding, not a legal determination. Consult licensed counsel for each regime before treating any item as "cleared." All deadlines are in UTC.

3A. Securities regulation

Regime	Status	Deadline	Next operator action
Investment Advisers Act §202(a)(11) — IA registration analysis	PENDING. Attorney engagement not yet confirmed as complete. Five firms researched and outreach letters drafted (`docs/business/attorney-outreach-2026-05-27/`).	No statutory deadline for pre-launch posture opinion, but every day of public operation without a written opinion is exposure.	Confirm engagement with one of the five firms; transmit the six-document package (`docs/business-legal/mbt-securities-attorney-prep-2026-05-20.md` §4b). Scope to Q-A through Q-E only for the launch-blocking subset.
Exchange Act Section 15(a) — broker-dealer registration	RESEARCH COMPLETE, ATTORNEY OPINION PENDING. ADR-0109 OQ-1 documents the question. Raxx's user-directed, non-discretionary posture aligns with the April 2026 SEC staff statement on non-registerable user interfaces. Direct-submission of orders to Alpaca on user's behalf is the surface most exposed.	Required before Tier A BYOB (Tradier, tastytrade) production deployment.	Engage securities attorney; confirm §15(a) is in scope alongside §202(a)(11). The same attorney covers both.
PA DoBS — investment adviser registration (state-level)	Not triggered if federal §202(a)(11) analysis concludes Raxx does not require registration. PA DoBS administers IA registration for PA-based advisers with AUM < $100M.	N/A until attorney opinion.	Confirm with securities attorney: if registration is triggered, PA DoBS (not SEC) is the first filer. Source: `https://www.pa.gov/agencies/dobs/securities/investment-advisers.html`
FINRA membership	Not applicable. Raxx is not a broker-dealer and does not hold customer assets. However, marketing copy subject to FINRA Rule 2210 policy analogy under FTC/PA UTPCPL enforcement.	N/A	Ensure marketing copy avoids FINRA Rule 2210 violations by implication (Robinhood $70M precedent).

3B. Entity + corporate compliance

Regime	Status	Deadline	Next operator action
MooseQuest LLC formation (PA)	COMPLETE. PA state approval 2026-05-22 UTC. EIN issued 2026-05-22 UTC.	—	Download and execute Operating Agreement from Northwest portal (ASAP — no hard date, but blocks bank account, IP assignment, S-Corp election).
PA fictitious-name DBA for "Raxx"	NOT YET FILED. Required under PA Title 54 §311 for entities operating under a name other than their legal name. Fee: $70. No expiration for LLCs. No newspaper publication required (LLC exemption). Source: `https://law.justia.com/codes/pennsylvania/title-54/chapter-3/section-311/`	File after OA execution. No hard statutory deadline post-formation, but pre-revenue customer operations under "Raxx" without the filing creates technical non-compliance.	File Form DSCB:54-311 at PA Business One-Stop Hub (`https://www.paurp.pa.gov/`) after OA is executed. ~$70 fee. Coordinate with attorney on interaction with USPTO RAXX §2(d) situation.
FinCEN BOI report	STATUS UNCLEAR. CTA requires filing within 30 days of formation for entities formed after Jan 1, 2024. Formation: 2026-05-22. Window: approximately 2026-06-21 UTC. Enforcement has been stayed and restored multiple times in 2025-2026 — current status must be verified at `https://www.fincen.gov/boi`. Northwest Registered Agent may have filed as part of formation service — confirm.	~2026-06-21 UTC (if currently required)	Confirm with Northwest or formation attorney: (1) Is BOI currently required? (2) Did Northwest file? (3) If not, file immediately.
IP assignment (founder → MooseQuest LLC)	NOT YET EXECUTED. Issue #154 open. Matthew Crosby engaged for trademark; IP assignment scope must be confirmed with him or retained formation counsel.	No hard deadline, but every day without execution creates a chain-of-title gap.	Instruct Matthew Crosby or formation counsel to draft a 1-2 page IP assignment covering: all Raxx source code authored pre-formation, brand materials, domain names (raxx.app, getraxx.com), and a catch-all. Include goodwill-transfer language for trademark assignment (15 U.S.C. § 1060). Effective date: 2026-05-22.
S-Corp election (Form 2553)	NOT YET FILED. Deferred pending CPA engagement.	2026-08-06 UTC (2 months + 15 days from formation per IRS Instructions Form 2553). If missed, next window is 2027-03-15 for 2027 tax year. Source: `https://www.irs.gov/instructions/i2553`	Engage CPA before 2026-07-15 UTC. CPA must run breakeven analysis before election is filed. Form 2553 cannot be filed online — mail or fax only.
PA annual report (LLC, $7)	Not yet due. First due Sept 30 of first full year.	2026-09-30 UTC	File via PA Business One-Stop Hub. $7 fee. Low-risk item but must not be missed.

3C. Tax compliance

Regime	Status	Deadline	Next operator action
PA SaaS sales tax	RESEARCH COMPLETE, CPA REQUIRED FOR FILING DECISION. PA Act 84 of 2016 classifies SaaS as taxable canned software. PA sales tax rate: 6% state (7% Allegheny, 8% Philadelphia). As a PA domestic LLC, MooseQuest LLC has nexus from the first PA-resident subscriber — not only after the $100k economic nexus threshold. Source: `https://www.pa.gov/agencies/revenue/resources/tax-types-and-information/sales-use-and-hotel-occupancy-tax/canned-computer-software-digital-goods`	Before first paying PA subscriber.	CPA to confirm collection obligation and whether Stripe Tax should be enabled at launch.
Multi-state sales tax (Wayfair nexus)	Not yet triggered. No revenue. Most states: $100k or 200 transactions threshold.	Monitor post-launch.	CPA to advise on threshold monitoring and when to register in additional states.
CA franchise tax (foreign-qualification)	DEFERRED. Operator's CA stays create a potential nexus question. PA LLC would owe CA $800/year minimum franchise tax if nexus attaches. Source: `https://www.ftb.ca.gov/file/business/types/limited-liability-company/index.html`	Before next CA stay involving Raxx work.	CPA must answer: does personal-testing-only CA work constitute "doing business" under CA Rev. & Tax. Code §23101(b)?

3D. Privacy + data protection

Regime	Status	Deadline	Next operator action
GDPR (EU/EEA)	GEO-BLOCKED at signup. FLAG_SIGNUP_GEOBLOCK_EU=1 deployed. Per ADR-0100, Art. 27 representative requirement eliminated for v1.	N/A for v1. Re-evaluates if geo-block is lifted.	Maintain geo-block. Do not accept EU signups until Art. 27 representative is retained and DPAs with all processors are signed.
CCPA / CPRA (California)	BELOW THRESHOLD. CPRA threshold self-determination form signed (PR #1977, commit b5195ff0). Raxx is below 100k consumers, below $25M revenue, below 50% revenue from data sharing. `/privacy/data-request` DSR endpoint exists (PR #3039). Source: `docs/legal/artifacts/cpra-threshold-self-determination.md`	Re-evaluate annually or when any threshold is approached.	No current action required. Maintain signed determination form.
CAN-SPAM / TCPA	PARTIAL. Email flows use Postmark (approved out of sandbox). Reminder cron (#3068) ships unsubscribe link at `/reminders/unsubscribe`. CAN-SPAM requires: physical address in commercial email, opt-out mechanism, no deceptive subject lines.	Before any commercial email fires.	Confirm Postmark template for reminder emails includes registered-office physical address (502 W 7th St, Ste 100, Erie, PA 16502-1333 per footer — Northwest Registered Agent) and compliant unsubscribe language. NEVER the operator's home address. Operator action: create Postmark template + mint signing key (#3061).
GDPR (existing vendors)	DPAs signed with Cloudflare, Google Workspace, Heroku, Postmark, Sentry, Stripe per `docs/legal/compliance/vendor-dpas-status.md`.	Ongoing.	Review any new vendor additions against DPA requirement.
Bill 96 (Quebec)	GEO-BLOCKED at signup. Decision locked 2026-05-09. FLAG_QUEBEC_GEOBLOCK active per memory.	N/A for v1.	Maintain geo-block.
Privacy policy + Terms of Service	DRAFT (not attorney-approved). PR #3001 ships draft pages with "DRAFT" banners. Attorney review outreach initiated (`docs/business/privacy-policy-attorney-review-2026-05-27.md`).	Before collecting email addresses from public users (i.e., before noindex removal and CF Access removal).	Engage Ballard Spahr, Duane Morris, or Eckert Seamans (Philadelphia-based consumer-protection firms) for privacy policy + ToS review. Do not remove DRAFT banners until attorney approves.
Cookie consent	GATED. CookieConsent component exists; gated behind FLAG_GETRAXX_COOKIE_BANNER.	Before removing noindex if analytics fire on getraxx.com before consent.	Confirm whether PostHog/Clarity fire before banner. If yes, banner must ship before CF Access removal. If scripts are fully gated off until banner, this can remain deferred.

3E. Trademark

Regime	Status	Deadline	Next operator action
RAXX — USPTO	§2(d) conflict with Ramp Payment Solutions (Reg. 7779396, Class 36). Matthew Crosby engaged. Research at `docs/legal/research/raxx-tm-conflict-analysis-2026-05-06.md`.	No hard deadline, but every month of operation without a registered mark or a coexistence agreement increases common-law exposure.	Await Crosby's §2(d) analysis decision: proceed with filing, pursue coexistence, or pivot. Any fresh RAXX filing should be in MooseQuest LLC's name (not personal). IP assignment must be executed first.
MOOSEQUEST — USPTO	Serial 86072931 abandoned 2015-05-18. Fresh filing is available. Crosby engaged.	No hard deadline.	Crosby to advise on specimen and filing strategy. Any fresh MOOSEQUEST filing should be in MooseQuest LLC's name.

4. Marketing Copy Audit

4A. getraxx.com current copy — verdict by surface

The CF Access login-wall was in place at time of research (2026-05-29 UTC); the live site returns minimal content. The review is based on source code in frontend/getraxx-landing/src/.

Copy / element	Location	Verdict	Basis
"You already decided the structure. Entry, credit, exit — defined before the trade. Raxx holds you to it."	HeroSection.jsx sub-headline	ACCURATE + LEGALLY CLEAN	Process-enforcement framing. No outcome claim. Consistent with "inanimate tool" posture.
"+34.2% total return / 1.87 Sharpe / -8.4% max drawdown / 58.3% win rate / 247 trades" in product mock	HeroSection.jsx HeroProductMock	NEEDS PROXIMATE DISCLAIMER	FTC Section 5 (15 U.S.C. § 45); hypothetical backtest figures shown without "hypothetical — does not represent actual trading results" adjacent disclosure. Per marketing compliance brief §5B. Attorney must confirm minimum disclaimer language.
"SPY · 1D · Mean-reversion v3" in product mock	HeroSection.jsx	NEEDS DISCLAIMER (see above)	Same as above — the label "app.raxx.app — backtest results" in the device frame URL bar is not a sufficient disclaimer for public-facing display of specific return figures.
"Closed beta · joining by invite" kicker pill	HeroSection.jsx	ACCURATE	Beta posture is accurate.
"Retrospective, not predictive. Raxx shows you what your structure returned on your own data. No forecasts. No signals. No suggestions about what to do next. Only what happened."	AboutPage.jsx (PillarsSection)	ACCURATE + LEGALLY CLEAN	Matches retrospective-only framing. Strong safe-harbor language.
"Paper first. Always."	AboutPage.jsx	ACCURATE + LEGALLY CLEAN	Consistent with paper-first gate (PR #3021).
"Every structure earns its live slot by running paper. The ledger is not a sandbox — it is a qualifying round. You graduate when the structure earns it."	AboutPage.jsx	ACCURATE + LEGALLY CLEAN	"You graduate when the structure earns it" is process-based, not outcome-based. Clean.
"Your money stays where it is. Raxx enforces structure against the broker you already use."	AboutPage.jsx	ACCURATE	No broker names. No custody claim. Accurate to v1 architecture.
Pricing: "$29/month for everything, locked for 6 months from signup. Paid immediately on signup — there is no trial period."	PricingPage.jsx	ACCURATE	Matches `project_pricing_tiers_locked` memory decision. However: "After the 6-month pricing window, your subscription rolls to Pro+" — confirm Celery scheduler task for this rollover is tested before first Founders customer hits 6-month mark.
"Pricing is in beta and may change during beta."	PricingPage.jsx	ACCURATE	Beta pricing banner is appropriate.
"Do I get a refund if I cancel?" FAQ answer mentions "Refund eligibility for the current billing period is handled on a case-by-case basis"	PricingPage.jsx	NEEDS ATTORNEY REVIEW	This language is ambiguous. PA UTPCPL requires clear and conspicuous material terms. A "case-by-case" refund policy may create consumer-protection exposure depending on how it is interpreted. Attorney should confirm whether a more specific refund policy is required before paid subscriptions open.
Footer disclaimer	LandingFooter.jsx	MISSING	Footer has MooseQuest LLC entity attribution and physical address but NO investment-adviser / not-financial-advice disclaimer. Per marketing compliance brief §5A, minimum language should read: "Raxx is a trade-management and process-enforcement tool. Raxx does not provide investment advice, financial advice, or recommendations to buy or sell any security. MooseQuest LLC is not a registered investment adviser. Trading involves risk of loss. Past backtest results do not predict future performance." Attorney must approve final text.
No broker names in any copy	All landing pages	COMPLIANT	Confirms `feedback_no_backend_branding`.
No predictive / forward-looking claims ("X% returns", "outperform the market")	All landing pages	COMPLIANT	Confirms `feedback_no_forward_looking_framing`. "Go live when the structure earns it" is process language, not a performance promise.
Geo-limits (EU, Quebec)	No public-facing disclosure anywhere on getraxx.com	MISSING	Users attempting to sign up from geo-blocked regions will hit a 403 at the app layer, not a pre-emptive explanation on the marketing site. A brief note ("Not yet available in your region") on the waitlist or signup page would improve UX and reduce support volume. Not strictly a legal requirement given the geo-block, but good practice.

4B. Copy that requires attorney sign-off before going live

Footer investment-adviser disclaimer (§5A above) — consumer-protection attorney
Backtest results proximate disclaimer adjacent to HeroProductMock (§5B above) — securities + consumer-protection attorney
Privacy Policy and Terms of Service full text — privacy / consumer-protection attorney
Refund policy specificity in FAQ — consumer-protection attorney

4C. Copy that can go live without additional attorney work (already clean)

All hero, pillar, and about-page structural copy describing enforcement, not outcomes
Pricing tier descriptions (except refund FAQ item above)
"Closed beta · joining by invite" kicker
"Paper first. Always." and all graduation-gate copy
Entity attribution and address in footer

5. Customer Support + Ticketing Posture

5A. FreeScout deployment

tickets.raxx.app runs self-hosted FreeScout. The instance provides the support@ inbox and the "Investigate" → auto-ticket flow from the Console status surface.

Outstanding operator actions (from docs/launch/2026-05-23-prelaunch-punch-list.md and design research): - FreeScout mailbox for support@raxx.app (#710): listed as open and priority:critical in the pre-launch punch list. MX and Postmark inbound are confirmed closed. Only the FreeScout-side mailbox creation remains. This is a 5-minute admin UI action. - FreeScout theming / RaxxTheme: docs/design/freescout-rebrand-spec.md documents the theming spec. Status of theming application is unclear from current branch. - Company name, sender name, and footer in FreeScout: should read "Raxx / MooseQuest LLC" after IP assignment execution; confirm settings.

5B. CVE-2026-28289 — FreeScout RCE — HIGH URGENCY

CVE-2026-28289 ("Mail2Shell") is a CVSS 10.0 zero-click RCE on FreeScout.

Research summary (sources below): - A TOCTOU flaw in filename sanitization allows an attacker to bypass the dot-prefix check by prepending a Zero-Width Space character (U+200B). The sanitization removes the invisible character after the check, causing a file to be saved as a true dotfile. On Apache with AllowOverride All, the attacker can then access the uploaded file and execute arbitrary PHP. - The attack requires only sending a malicious email to a FreeScout-monitored inbox. No authentication required. Zero-click. - Affected: FreeScout 1.8.206 and below. - Patched: FreeScout 1.8.207 (released 2026-02-27). - Mitigation in addition to patching: Disable AllowOverride All in Apache configuration.

Raxx exposure: tickets.raxx.app is a publicly reachable FreeScout instance that monitors support@raxx.app. Any email sent to support@raxx.app creates a ticket, which means the attack surface is exactly the scenario CVE-2026-28289 exploits.

Operator action required immediately: 1. Verify FreeScout version on tickets.raxx.app. If below 1.8.207, upgrade immediately. 2. Confirm Apache AllowOverride All is disabled or restricted on the FreeScout host. 3. If upgrade is not immediately possible, consider temporarily disabling inbound email processing until the patch is applied.

Sources: - OX Security technical writeup: https://www.ox.security/blog/freescout-rce-cve-2026-28289/ - Help Net Security: https://www.helpnetsecurity.com/2026/03/05/freescout-vulnerability-cve-2026-28289/ - NVD detail: https://nvd.nist.gov/vuln/detail/CVE-2026-28289 - FreeScout 1.8.207 patch: verify at https://github.com/freescout-help-desk/freescout/releases

6. Trust + Security Posture

6A. Authentication

WebAuthn passkey-only, no stored passwords (ADR-0001, ADR-0002). RP ID is raxx.app (ADR-0005). Two passkey minimum enforced. Hardware-key buy link + 30-day reminder cycle until second passkey enrolled (PR #3068). Signup-bootstrap URL-token flow (Option C, current branch) gates Founders cohort invite. This is a genuine security differentiator.
Account recovery (ADR-0032): Options A + B only (identity verification via support, no password recovery). Recovery path is support-escalation only. This means a user who loses all passkeys has a friction-heavy experience. The design is correct from a security standpoint but must be communicated clearly to new users at signup.

6B. Secrets + infrastructure

Vault (Infisical) stores vendor API tokens. AWS SSM stores workload secrets. Velvet handles token rotation. No inline secrets in repo.
KMS HMAC audit chain approved (~$2/mo) for SC-A11/SC-A14 deploy. Operator approved; status of deployment unclear.
BCP daily vault snapshot (#3049) shipped. Operator action: verify cron firing.
Sentry alert on skipped_no_postmark_token: reminder cron will silently fail until operator creates Postmark template + mints signing key (#3061).

6C. WAF

Phase 1 (log-only Terraform module, managed_ruleset_action="log") deployed per PR #1795.
Phase 2-4 (challenge → block) blocked per pre-launch punch list. Operator elected to accept FLAG_ENFORCE_CF_ORIGIN=false at launch or compress soak windows — decision status unclear.
CF Access service-token policies: Per feedback_cf_access_service_token_needs_non_identity, service tokens need decision=non_identity not allow. Per feedback_cf_access_does_not_bypass_bot_fight_mode, CF Access must be paired with WAF skip rule keyed on CF-Access-Client-Id header.

6D. Sentry + APM

Sentry confirmed as APM vendor (APR-0005 alternative context; Honeybadger disqualified per ToS — securities execution software prohibited). Sentry sentry_backend flag deployed.

6E. Questions for security attorney / outside counsel

Does operating a public FreeScout instance on a domain that processes business email create any liability if a known-critical RCE (CVE-2026-28289) is not patched before the first customer support interaction?
What is the contractual SLA Raxx should establish for response to a security incident affecting customer data (in the context of WebAuthn credentials + paper trading history)?

7. Operational Readiness

System	Status	Operator action
raxx.app (Antlers) — Next.js	Live on Cloudflare Pages (Phase 3 cutover #2883 closed).	None.
Raptor (backend_v2)	On Heroku. Postgres migration complete per RM-10. SC-A1 role separation (#1569) — status unclear (may have landed post punch-list).	Confirm SC-A1 role separation is deployed.
Synthetic monitoring	Recovered after #3054 fix.	Confirm synthetic probes are passing on both staging and prod.
Heroku release-phase migrations	Confirmed applying correctly.	None.
BCP daily vault snapshot	Shipped (#3049).	Verify cron firing via Sentry or Heroku scheduler dashboard.
Reminder cron	Shipped (#3068).	Mint signing key + create Postmark template (#3061). Until done, reminder emails silently skip.
Support mailbox	FreeScout `support@raxx.app` mailbox creation pending (5-minute admin action).	Create FreeScout mailbox #710.
getraxx.com — CF Access removal	Documented in runbook. Must execute on launch day.	Execute Terraform destroy on launch day per runbook. Verify: `curl -I https://getraxx.com/` returns `HTTP/2 200`.
getraxx.com — noindex removal	Gated on legal pages existing (Privacy/ToS), cookie consent posture, analytics gating.	Remove `noindex` header only after: (1) legal pages no longer say DRAFT, (2) analytics gating confirmed, (3) CF Access removal complete.

8. Surface State: What Is In Place vs. Missing vs. Stub

Surface	In place	Stub / placeholder	Truly missing for v1
Signup / registration	WebAuthn passkey flow, email verification, geo-blocks (EU/Quebec), URL-token invite flow (Option C, current branch — pending merge)	Display name capture (#474 open)	Nothing critical beyond display name + Option C merge
Dashboard	`/dashboard/page.tsx` exists	Content partially placeholder ("core analytics dashboard" per pricing page — confirm what is actually rendered)	Confirm Confidence Engine skin is applied per `feedback_all_surfaces_confidence_engine`
Strategies	Full CRUD, 7 rule fields, server-side enforcement, 5 templates, audit trail	—	Kill-switch flag `FLAG_STRATEGY_ENFORCEMENT_ENABLED` (ADR-0107 OQ-1) not yet implemented
Trading	Paper order service (Alpaca-backed). Entry rule enforcement (server-side, PR #3024). Options multi-leg.	MBT engine gated (FLAG_MBT_ENGINE=0)	Exit rule auto-enforcement (Phase 6) — must be clearly communicated as not in v1
Options	Multi-leg options rule storage and credit_min_amount enforcement	Options backtest returns error	Options backtest (Phase 4b) undesigned — must be clearly communicated
Backtest	Equity backtest runner, equity curve, win rate, max drawdown, Sharpe. Exit rules consumed.	—	Options backtesting (returns error) — copy must set expectation
Graduate	Graduate page, paper-first gate (PR #3021), reads from Alpaca paper (v1)	MBT-sourced graduation reads (FLAG_MBT_ENGINE=0 means Alpaca-sourced)	Nothing missing for v1 paper path; live path requires Section 15(a) attorney opinion
Settings	Settings page exists	Billing management (Stripe portal) — unclear if complete	Billing management must be complete before paid tier opens
Privacy / DSR	`/privacy/data-request` page (PR #3039). Manual DSR SOP (#1686 closed). Privacy Policy + ToS draft pages (PR #3001).	DRAFT banners on legal pages	Attorney approval of Privacy Policy + ToS text
getraxx.com marketing site	Hero, Pillars, Pricing (4 tiers), About, Waitlist, Privacy/ToS (drafts), Cookie consent (gated).	Investment-adviser footer disclaimer MISSING. Backtest disclaimer MISSING.	Footer disclaimer + backtest disclaimer before public traffic
Support / tickets	FreeScout deployed. Postmark inbound wired. MX confirmed. Console "Investigate" → auto-ticket integration per ADR design.	FreeScout mailbox creation (#710 pending). Theming TBD.	FreeScout CVE-2026-28289 patch status unverified — HIGH urgency
Replay / historical data	`/replay/page.tsx` and `/historical-data/page.tsx` exist	Content unclear — confirm these are fully functional or gated behind feature flags	If behind flags, ensure they are correctly gated
Setup wizard	`/setup/page.tsx` and `/wizard/page.tsx` exist	BrokerConnect step (PR #3057) — confirm merged	Strategy comparison (`/strategy-comparison`) — unclear state

9. Top 10 Operator Decisions / Actions

Prioritized by urgency and blocking impact. All times UTC.

CVE-2026-28289 FreeScout patch — TODAY. Verify FreeScout version on tickets.raxx.app. Upgrade to 1.8.207 if below. Disable Apache AllowOverride All. This is a CVSS 10.0 zero-click RCE. No other work should start until this is confirmed patched.
Mint signing key + create Postmark template (#3061) — THIS WEEK. Until done, reminder emails silently skip (skipped_no_postmark_token Sentry alerts). The reminder cron (#3068) is shipped but inactive. This is a 30-minute operator action.
Create FreeScout support@raxx.app mailbox (#710) — THIS WEEK. 5-minute admin UI action. No customer support email can create a ticket without it. Confirmed as priority:critical in pre-launch punch list.
Execute IP assignment agreement (founder → MooseQuest LLC) — THIS WEEK. Instruct Matthew Crosby or retained formation counsel to draft. Every day of delay extends the chain-of-title gap. Required before trademark filings under LLC name, bank account, or any investor diligence.
Download and execute Operating Agreement from Northwest portal — ASAP. This is a 30-minute operator action. No external professional required (though attorney review before signing is recommended). Blocks bank account, S-Corp election, and IP assignment.
Confirm securities attorney engagement (IA §202(a)(11) + Section 15(a)) — THIS WEEK. Five firms with contact details are in docs/business-legal/mbt-securities-attorney-prep-2026-05-20.md. Send the six-document package to at least two. Scope: Q-A through Q-E only for launch-blocking review. Any public operation with the investor-profile overlay without a written posture memo is unresolved exposure.
Attorney review of Privacy Policy, Terms of Service, footer disclaimer, and backtest disclaimer — THIS WEEK. Engage consumer-protection attorney (Duane Morris, Ballard Spahr, or Eckert Seamans per docs/business/attorney-outreach-2026-05-27/). Required before removing noindex header and opening public traffic to getraxx.com.
Engage CPA before 2026-07-15 UTC. S-Corp election window closes 2026-08-06 UTC. CPA must run breakeven analysis and prepare Form 2553 if election is made for 2026. Confirm PA SaaS sales tax collection obligation before first paying subscriber.
Verify FinCEN BOI filing status — BEFORE 2026-06-21 UTC. ~30-day deadline from formation. Check Northwest portal and current FinCEN enforcement status at https://www.fincen.gov/boi.
Operator testing: confirm Option C signup-bootstrap-link endpoint branch merges cleanly to main before any Founders invites are sent. Current branch (feat/signup-bootstrap-link-endpoint-option-c) is not yet merged. Founders invites sent before the endpoint is on prod will fail.

10. Questions for Securities Attorney

Consult a securities attorney licensed in Pennsylvania with Investment Advisers Act §202(a)(11) expertise. Full question list and engagement package: docs/business-legal/mbt-securities-attorney-prep-2026-05-20.md §4d.

Does any copy string in the MBT educational overlay (investor-profile onboarding questions, post-fill narrative, stretch-goals prompt, auto-promotion messaging) constitute "advising others as to the advisability of investing" under 15 U.S.C. §80b-2(a)(11)?
Does Raxx's current product design (user-defined rules, retrospective results, server-side enforcement of user-stated rules, no personalized recommendations, no Raxx discretion over trades) fall outside §202(a)(11)? Is this a verbal opinion or something that requires a formal no-action request to the SEC?
Does the §202(a)(11)(D) publisher's exclusion (Lowe v. SEC, 472 U.S. 181 (1985)) apply to the investor-profile-tuned educational overlay?
Does submitting orders to Alpaca on the user's behalf (Tier A direct integration per ADR-0109) require Exchange Act Section 15(a) broker-dealer registration, or does it fall within the user-directed, non-discretionary safe harbor articulated in the April 2026 SEC staff statement?
Does acting as a SnapTrade API consumer (Tier B) under ADR-0109 require separate Section 15(a) analysis, or does SnapTrade's introducing-broker relationship satisfy the safe harbor?
What is the safe-harbor language for the paper-to-live promotion prompt ("You've hit your goal 4 weeks in a row. Want to try live trading?")?
Should Raxx's Privacy Policy and website disclaimers explicitly state "MooseQuest LLC is not a registered investment adviser" as a first-layer defense?

11. Questions for CPA

Consult a CPA experienced with PA LLCs, S-Corp elections, and multi-state SaaS pass-through. Full question list: docs/business/questions-for-cpa.md and docs/business/llc-post-formation-questions-2026-05-25.md Section 13.

S-Corp election: given 2026-05-22 formation and ~7 months remaining in the 2026 tax year, should we elect for 2026 (deadline 2026-08-06) or defer to 2027 (deadline 2027-03-15)? Provide breakeven analysis given expected 2026 revenue.
PA SaaS sales tax: as a PA domestic LLC selling taxable SaaS subscriptions, does MooseQuest LLC have a collection obligation from the first PA-resident subscriber? Is there a dollar threshold before registration is required?
Should Stripe Tax be enabled at v1 launch or is a manual approach acceptable at early revenue levels?
CA foreign-qualification: do the operator's CA stays constitute "doing business" under CA Rev. & Tax. Code §23101(b) if the work is personal testing only? If nexus attaches, is the $800 CA franchise tax owed for 2026?
Pre-formation expenses (FreeScout licenses, GitHub Team plan) — what is the correct treatment: Schedule C deduction vs. IRC §195 startup-cost election?

12. Questions for Business Formation Attorney

Consult a PA-admitted business attorney for entity and IP items.

Does the Northwest-generated Operating Agreement template adequately cover IP ownership and dissolution for a software LLC? What additions are needed before signing?
Draft IP assignment agreement: all Raxx source code (pre-formation), brand materials, domain names (raxx.app, getraxx.com), and catch-all. Include goodwill-transfer language per 15 U.S.C. § 1060. Effective date 2026-05-22.
File PA Form DSCB:54-311 (Fictitious Name registration, "Raxx") — what is the correct sequence relative to OA execution, IP assignment, and bank account opening?
Is the FinCEN BOI report currently required for MooseQuest LLC (formed 2026-05-22)? Did Northwest file? If not, what is the deadline?
Does the PA DBA registration for "Raxx" create any interaction with the pending USPTO §2(d) conflict for RAXX (Ramp Payment Solutions, Reg. 7779396)?

Sources

Primary — federal law

Investment Advisers Act §202(a)(11), 15 U.S.C. §80b-2: https://www.law.cornell.edu/uscode/text/15/80b-2
SEC Release IA-1092 (1987), three-prong test: https://www.sec.gov/files/rules/interp/1987/ia-1092.pdf
SEC Marketing Rule (Rule 206(4)-1 final rule): https://www.sec.gov/files/rules/final/2020/ia-5653.pdf
SEC April 2026 staff statement on user interfaces and broker-dealer registration: https://www.sec.gov/newsroom/speeches-statements/staff-statement-regarding-broker-dealer-registration-certain-user-interfaces-utilized-prepare-staff-statement-regarding-broker-dealer-registration-certain-user-interfaces-utilized
FTC Act Section 5, 15 U.S.C. § 45: https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act
FTC Endorsement Guides (16 C.F.R. Part 255, revised 2023): https://www.ftc.gov/system/files/ftc_gov/pdf/p204500_endorsement_guides_in_2023.pdf
FTC Fake Reviews Final Rule (August 2024): https://www.ftc.gov/news-events/news/press-releases/2024/08/federal-trade-commission-announces-final-rule-banning-fake-reviews-testimonials
FTC v. IM Mastery Academy (2025): https://www.ftc.gov/news-events/news/press-releases/2025/05/ftc-state-nevada-take-action-against-im-mastery-academy-deceiving-consumers
Lowe v. SEC, 472 U.S. 181 (1985): https://supreme.justia.com/cases/federal/us/472/181/
IRS Form 2553 instructions: https://www.irs.gov/instructions/i2553
IRS Late election relief (Rev. Proc. 2013-30): https://www.irs.gov/pub/irs-drop/rp-13-30.pdf

Primary — Pennsylvania

PA Fictitious Names Act, Title 54 §311: https://law.justia.com/codes/pennsylvania/title-54/chapter-3/section-311/
PA Form DSCB:54-311 ($70 filing fee): https://www.pa.gov/content/dam/copapwp-pagov/en/dos/programs/business/forms/offsite-forms/54-311-App-for-Reg-of-Fict-Name.pdf
PA SaaS sales tax (canned software / digital goods): https://www.pa.gov/agencies/revenue/resources/tax-types-and-information/sales-use-and-hotel-occupancy-tax/canned-computer-software-digital-goods
PA LLC Act, Title 15 Chapter 88: https://www.legis.state.pa.us/cfdocs/legis/LI/consCheck.cfm?txtType=HTM&ttl=15
PA DoBS investment adviser registration: https://www.pa.gov/agencies/dobs/securities/investment-advisers.html
PA UTPCPL (73 P.S. § 201-1 et seq.): https://www.attorneygeneral.gov/wp-content/uploads/2018/02/Unfair_Trade_Practices_Consumer_Protection_Law.pdf
Gregg v. Ameriprise Financial, Inc. (PA Supreme Court, 2021) — strict liability: https://klehr.com/publications/pennsylvania-businesses-are-strictly-liable-for-violations-of-pennsylvanias-unfair-trade-practices-and-consumer-protection-law-the-pennsylvania-supreme-court-holds/

Primary — FinCEN / BOI

FinCEN BOI current guidance: https://www.fincen.gov/boi

Primary — California

CA FTB LLC franchise tax ($800 minimum): https://www.ftb.ca.gov/file/business/types/limited-liability-company/index.html
CA SOS foreign-qualification: https://www.sos.ca.gov/business-programs

Primary — CVE-2026-28289 (FreeScout RCE)

OX Security technical writeup: https://www.ox.security/blog/freescout-rce-cve-2026-28289/
NVD detail: https://nvd.nist.gov/vuln/detail/CVE-2026-28289
Help Net Security: https://www.helpnetsecurity.com/2026/03/05/freescout-vulnerability-cve-2026-28289/
SentinelOne CVE detail: https://www.sentinelone.com/vulnerability-database/cve-2026-28289/

Internal — Raxx codebase (as of 2026-05-29 UTC)

ADR-0107 Strategy Library: docs/architecture/adr/0107-strategy-library.md
ADR-0108 MBT Engine Design: docs/architecture/adr/0108-mbt-engine-design.md
ADR-0109 BYOB Roadmap: docs/architecture/adr/0109-byob-roadmap.md
MBT Securities Attorney Prep: docs/business-legal/mbt-securities-attorney-prep-2026-05-20.md
Marketing Compliance Brief: docs/business/raxx-marketing-compliance-brief-2026-05-27.md
LLC Post-Formation Questions: docs/business/llc-post-formation-questions-2026-05-25.md
Pre-launch punch list: docs/launch/2026-05-23-prelaunch-punch-list.md

Before acting on any item in this document, consult: - A securities attorney licensed in Pennsylvania (Investment Advisers Act §202(a)(11), Exchange Act Section 15(a)) - A consumer-protection attorney with FTC Section 5 + PA UTPCPL experience (marketing copy, disclaimer language) - A PA-admitted business attorney (IP assignment, fictitious-name filing, BOI) - A CPA experienced with PA LLCs, S-Corp elections, and multi-state SaaS revenue (S-Corp deadline, SaaS sales tax)

This document is research and preparation material only. It does not constitute legal advice, tax advice, or investment advice and does not create any professional relationship. Per feedback_human_to_human_drive: copy to Google Drive before any attorney or CPA meeting.