Safety & approvals
Read-only by default. Explicit approvals for every mutating action. Provenance on every claim. Local-first by design.
Axe is opinionated about the boundary between reading and acting. Reading public market state is the default and needs no credential. Anything that mutates an account, places an order, or moves capital goes through an explicit approval surface.
The bias is conservative on purpose: a market operator harness is most valuable when its operators can trust it not to act surprisingly.
The staged rollout
Axe's execution surface unlocks in stages. Each stage has a clear scope and a clear gate to the next.
| Phase | Scope | Mutating actions |
|---|---|---|
| 0. Read-only | Public market data, search, watches, memory | None |
| 1. Preview-only | Render proposed actions; never submit | None |
| 2. Simulation | Run actions against a local simulator | None on real venues |
| 3. Testnet manual | Real venue, real signing, testnet only, every action manually approved | Testnet only |
| 4. Mainnet manual limited | Real venue, mainnet, every action manually approved, per-session limits | Mainnet, gated |
The cockpit shows the current phase explicitly. You always know whether the harness is allowed to act, and at what scope.
Approvals
Every account-mutating action surfaces a structured approval prompt before it runs. The prompt includes:
- The venue and account
- The action and its parameters
- The pre-trade state (balance, exposure, open orders)
- The expected post-trade state
- A hash of the request that the venue will sign against
You either approve, edit, or reject. Approval is per-action by default; per-session approvals are explicit and time-bounded.
Provenance
Every claim Axe makes carries provenance. Every read attaches its source, its timestamp, and a hash of the underlying response. Every action attaches its approval, its hash, and its execution receipt. The audit trail is structured, exportable, and yours.
If a counterparty, an LP, or a future you needs to know what happened in a session, the answer is reconstructible from the ledger.
Local-first by default
The cockpit runs on your machine. Memory lives on your filesystem. The session ledger lives on your filesystem. Hosted surfaces — remote backends, shared runbooks, protocol services — are opt-in and explicit.
This is a privacy posture and a safety posture at once. A harness that defaults to streaming your sessions to a hosted control plane is a harness with a different threat model than the one Axe is built for.
What the harness will never do
- Place an order without a structured, hashed approval
- Move funds across venues without an explicit cross-venue approval
- Ship your session ledger off your machine without an explicit export
- Promise execution behavior that is not implemented in the current phase
If you see Axe doing any of those things, that is a bug. File it.