PitBridge
Join the waitlist

Local-first is not a slogan about privacy. For a trading bridge it is a specific architectural choice with specific consequences: the order route, the checks that gate it, and the credentials that authorize it all live on your machine. Nothing about placing an order requires a round trip through a server you do not control. This changes how the system behaves under normal use and, more importantly, when something goes wrong. The phrase also has a precise origin, so it is worth defining before leaning on it.

What local-first means (and where the term comes from)

The term local-first was coined by the research group Ink & Switch in 2019 to describe software that treats the copy of your data on your own device as the primary copy, rather than as a cache of something that really lives in the cloud. Their argument was about documents and collaboration: you should own your files, keep working offline, and not lose access when a vendor does. PitBridge borrows the ownership principle and applies it to a different object. Here the thing you own and keep primary is not a document, it is the order route: the path an instruction travels from your agent to your broker. We are not claiming the full collaboration stack Ink & Switch described. We take one idea, primacy of the copy on your own hardware, and apply it to execution.

What local-first means for a trading bridge

In a local-first bridge, one daemon on your machine holds three things: the MCP server your agent connects to, the guardrail engine that checks every order, and the keys that authorize trading. Your agent talks to localhost. Orders reach NinjaTrader 8 through a small AddOn running in the platform on the same machine or the same local network. If there is any cloud component, it carries optional telemetry and nothing else, and it is deliberately kept off the order path.

PitBridge architectureEverything on the order path, from the AI agent through the PitBridge daemon and guardrail engine to NinjaTrader 8, runs on your machine. PitBridge cloud sits on the internet, disconnected from the order path, and can only receive opt-in telemetry.your machineAI AGENTmcp / rest clientPITBRIDGE DAEMONlocalhost:8873GUARDRAIL ENGINE12 rules activeNINJATRADER 8Sim101ALLOW buy 2 MES. all rules pass.BLOCK buy 10 MES. size 10 > max_contracts_per_order 2.telemetry only, never ordersinternetPITBRIDGE CLOUDopt-in
solid = order path dashed = optional telemetry

The order route stays inside your machine: agent to localhost daemon to guardrail engine to the NinjaTrader 8 AddOn. PitBridge cloud sits off the path and can only receive opt-in telemetry, never orders.

What actually stays on your machine

Concretely, a short list of components runs inside the daemon on your own hardware, and none of them is reachable from the public internet. The MCP server your agent connects to speaks over stdio or localhost. The guardrail engine is pure and synchronous and runs in the same process. The account book and the day ledger track positions and session P&L locally. The append-only, hash-chained audit log is written to your own disk. And the broker credentials and the pairing token sit in the daemon, never in the agent.

PropertyWhere it runsReachable from the internet?
MCP server (agent surface)localhost daemonno
Guardrail enginein-process, same daemonno
Account book and day ledgerthe daemonno
Hash-chained audit logyour disk (audit.jsonl plus audit.anchor.json)no
Broker credentials and pairing tokenthe daemonno
Optional telemetryopt-in, off the order pathoutbound only, never inbound orders

Where it runs

MCP server (agent surface)
localhost daemon
Guardrail engine
in-process, same daemon
Account book and day ledger
the daemon
Hash-chained audit log
your disk (audit.jsonl plus audit.anchor.json)
Broker credentials and pairing token
the daemon
Optional telemetry
opt-in, off the order path

Reachable from the internet?

MCP server (agent surface)
no
Guardrail engine
no
Account book and day ledger
no
Hash-chained audit log
no
Broker credentials and pairing token
no
Optional telemetry
outbound only, never inbound orders
What lives where. Every part of the order path runs on your own machine and none of it accepts an inbound order from the internet.

The AI-agent threat model local-first addresses

Because the thing driving orders here is a language model, the relevant risk is not only that a vendor gets breached. It is that the agent itself is manipulated. Prompt injection is the standard version of this: untrusted text that lands in the agent’s context, for example a web page it read, a document it summarized, or a message it was asked to process, tries to steer it into emitting an action it should not, such as a rogue place_order.

Local-first narrows what that manipulation can reach. The agent never holds broker credentials and never talks to an execution endpoint. It reaches only localhost, and it can only call the nine MCP tools the daemon exposes: five read-only tools (get_accounts, get_positions, get_orders, get_account_state, get_guardrail_status) and four order tools (place_order, cancel_order, close_position, flatten_account). Risk limits are enforced in code by the guardrail engine, not described in the prompt, so a manipulated prompt cannot widen max_contracts_per_order or release the kill switch. There is deliberately no tool for either.

That bounds the blast radius. A hijacked agent can still propose an order, and an honest reading of the risk says so. What it cannot do is exfiltrate keys, because the keys never enter its context, or reconfigure the guardrails, because the config is not on its surface. Any order it does emit still passes the deterministic engine and cannot exceed the caps you set. The full argument for why the engine is not something the model can talk its way past is in risk controls an LLM cannot override.

Why it matters for money and keys

The order route is the sensitive part of any trading setup, and every party that touches it is a party that can fail you. A cloud relay puts a third party between your agent and your account: another service that can be breached, can go down, can change its terms, or can see your order flow. Local-first removes that party from the path. Because the whole route is on your machine, you can inspect it, log it, and audit it yourself rather than trusting a status page. The credential point is covered above: with no hosted vault holding keys, there is no remote store of trading credentials to breach in the first place.

Latency and failure modes

Two things follow from keeping the path local, and the honest one is about failure, not speed. On latency, a localhost hop plus the platform’s own execution is about as short as the path gets, with no public network segment between your decision and the check. That is a genuine benefit, though it is not the headline, and we do not publish a millisecond number for it.

It helps to know what the alternative path looks like. Cloud-relay and webhook chains are reported by third parties to run end to end, from alert to broker, somewhere around 200 to 800 ms in normal conditions, and TradingView itself describes alert delays of 25 to 45 seconds as normal, with worse backups at the open or on news. Those are third-party figures about relay services, not PitBridge measurements. The structural point stands without any benchmark of our own: the local path has no public network segment to queue behind.

The headline is how the system fails. A local bridge fails closed. If the daemon is not running, no orders pass, full stop. A cloud relay has more failure surface and worse failure modes: if the relay is up but slow, your order sits in someone else’s queue; if it is down, you are locked out of your own account’s automation until they recover.

How the bridge fails closed

Fail-closed is not a slogan here, it is a set of concrete mechanisms, each with a typed reason code you can read in the audit log.

  • LINK_DOWN. Heartbeats run every 5 seconds in both directions. After 15 seconds of silence the AddOn link is considered down, and every order hard-rejects with reason code LINK_DOWN. Nothing queues against a dead link.
  • Reconcile-first. Until an AddOn connects and sends its first account-state snapshot, orders stay blocked. The link is never assumed up, it has to prove itself.
  • KILL_SWITCH. You engage the kill by file, CLI, or REST. Releasing it is CLI-only and is never an agent tool. De-risking (cancel_order, close_position, flatten_account) stays allowed under a kill, so you can always get flat.
  • Daemon down means nothing runs, which means nothing trades. The absence of the bridge is itself the safe state.

Mac, Windows, or both (paired mode mechanics)

Local-first does not mean tied to one operating system. The daemon is cross-platform, so it runs on your Mac or your Windows box. NinjaTrader 8 itself runs on Windows, so if your daily driver is a Mac, paired mode lets the daemon run on the Mac and reach a NinjaTrader instance on a Windows machine on your own network.

Paired mode has a concrete security rule behind it. By default the daemon binds 127.0.0.1, localhost only, so nothing off the machine can reach it. Reaching a Windows NT8 box across your LAN needs a non-localhost bind, and the config refuses that unless two things are both set: paired_mode = true and a configured pairing_token. The AddOn must present that token to link. So paired still means your own machines on your own network, authenticated by a token you generated, never a public endpoint.

config.toml
[daemon]
bind = "127.0.0.1"        # localhost only by default
port = 8873
paired_mode = false       # true, plus pairing_token, required for a non-localhost bind
pairing_token = "pb_pair_..."   # the AddOn must present this to link

A non-localhost bind is refused unless both paired_mode = true and a pairing_token are set. Generate a fresh token with pitbridge pair new.

PitBridge paired modeThe AI agent and the PitBridge daemon run on your Mac. The NT8 add-on and NinjaTrader 8 run on your Windows PC. Orders cross only your local network. The internet enclosure above is empty except for an opt-in telemetry stub, nothing else leaves your machines.internetopt-in telemetry, nothing else leavesyour macPITBRIDGE DAEMONguardrail engine insideAI AGENTmcp / rest clientyour windows pcNT8 ADD-ONws clientNINJATRADER 8Sim101local network
solid = order path dashed = optional telemetry

Paired mode: the daemon and agent on your Mac, NinjaTrader 8 and the AddOn on your Windows PC, with orders crossing only your local network. The internet enclosure stays empty except for opt-in telemetry.

The local-first trading bridge page covers the Mac and paired-mode setup in detail, and the security model documents the localhost bind and the token.

Local-first versus a cloud relay

The trade you are making is convenience for control. A hosted relay can be quicker to set up and takes some operational load off you. What you give up is exactly the thing that matters most on a funded account: a path to your money that no one else sits on. For automation that can place real orders, that is not a close call. Here is the head-to-head.

PropertyLocal-first bridge (PitBridge)Cloud relay or webhook service
Who is on the order pathyour daemon onlya third-party server between agent and account
Where credentials livein the daemon on your machinein a hosted vault you do not control
Failure modefails closed (LINK_DOWN or daemon-down means no orders)order sits in the relay queue, or you are locked out during their outage
Latency pathlocalhost hop plus platform execution, no public segmentalert to relay to broker over the public internet (third-party-reported around 200 to 800 ms, occasionally 25 to 45 s or more at queue backup)
Order-flow visibilityonly youvisible to the intermediary
Auditabilityyour own hash-chained, tamper-evident loga vendor status page
Config and limits under attackenforced in code, no agent tool to change themdepends on vendor controls

Local-first bridge (PitBridge)

Who is on the order path
your daemon only
Where credentials live
in the daemon on your machine
Failure mode
fails closed (LINK_DOWN or daemon-down means no orders)
Latency path
localhost hop plus platform execution, no public segment
Order-flow visibility
only you
Auditability
your own hash-chained, tamper-evident log
Config and limits under attack
enforced in code, no agent tool to change them

Cloud relay or webhook service

Who is on the order path
a third-party server between agent and account
Where credentials live
in a hosted vault you do not control
Failure mode
order sits in the relay queue, or you are locked out during their outage
Latency path
alert to relay to broker over the public internet (third-party-reported around 200 to 800 ms, occasionally 25 to 45 s or more at queue backup)
Order-flow visibility
visible to the intermediary
Auditability
a vendor status page
Config and limits under attack
depends on vendor controls
Latency figures for the cloud-relay column are third-party reported figures about webhook and relay services, not PitBridge measurements. NinjaTrader is a registered trademark of NinjaTrader, LLC. PitBridge is an independent project and is not affiliated with, endorsed by, or sponsored by NinjaTrader, LLC.

Telemetry stays off the order path

The one cloud-adjacent element PitBridge can use is optional telemetry, and it is drawn off the route by design. Telemetry is opt-in and carries operational and health data only, never an order. It leaves the machine outbound, and nothing inbound from it can place, change, or delay a trade. The order path has no dependency on it, so if telemetry is off, misconfigured, or unreachable, orders behave exactly the same. There is no hidden cloud step between your agent and your account.

The guardrails that gate the local order route, the NinjaTrader 8 bridge that carries orders into the platform, and the security model that covers the local token and modes all build on this one choice. Tell us your platform on the waitlist. PitBridge is trading infrastructure, not financial advice.

Read the pillar: Local-first trading bridge

Questions

What does local-first actually mean here?

The MCP server, the guardrail engine and your keys run in a daemon on your own machine. Your agent talks to localhost, orders reach NinjaTrader through a local AddOn, and no order is relayed through a PitBridge server.

Is it safe to give an AI agent access to my trading account?

The agent holds no broker credentials and can only reach a local, guardrailed surface. Risk limits are enforced in code, not in the prompt, so a manipulated prompt cannot widen a limit or release the kill switch. That reduces the blast radius. It does not make any account unhackable.

Can a prompt-injection attack make the agent place a rogue order?

It can try. What it cannot do is widen your limits or release the kill switch, because no tool exists for either, and any order it emits still passes the deterministic guardrail engine and cannot exceed the caps you set.

Where are my API keys and broker credentials stored?

In the daemon on your own machine. They never enter the agent's context and never reach a PitBridge server, so there is no hosted vault of trading credentials to breach.

Is there any cloud component at all?

Any cloud element is for optional telemetry only, drawn off the order route. It never carries an order. The path from agent to platform stays on your machine, which is the property that matters for a trading account.

What is the difference between local-first and a VPS or cloud webhook setup?

A VPS or a webhook relay still puts a machine you rent, or a service you do not control, between your agent and your account. Local-first keeps the order route on hardware you own, with the checks and the keys in the same place.

Does the bridge queue my orders if it reconnects?

No. It fails closed and never replays buffered orders. If the link is down every order hard-rejects with reason_code LINK_DOWN, and until an AddOn connects and sends its first account-state snapshot, orders stay blocked.

What happens if the bridge goes down?

No orders pass. The system fails closed. That is the intended behavior: a bridge that is not running should stop trading, not queue orders somewhere and replay them later.

Can I run it on a Mac?

Yes. The daemon is cross-platform, so it runs on macOS or Windows. In paired mode you can run the daemon on your Mac and reach a NinjaTrader instance on a Windows box on your own network.

PitBridge is in development. NinjaTrader 8 is first.

Tell us your platform and we email you when your setup is supported. Nothing else.