Local-first is not a slogan about privacy. For a trading bridge it is a specific architectural choice with specific consequences: the order route, the checks that gate it, and the credentials that authorize it all live on your machine. Nothing about placing an order requires a round trip through a server you do not control. This changes how the system behaves under normal use and, more importantly, when something goes wrong. The phrase also has a precise origin, so it is worth defining before leaning on it.
What local-first means (and where the term comes from)
The term local-first was coined by the research group Ink & Switch in 2019 to describe software that treats the copy of your data on your own device as the primary copy, rather than as a cache of something that really lives in the cloud. Their argument was about documents and collaboration: you should own your files, keep working offline, and not lose access when a vendor does. PitBridge borrows the ownership principle and applies it to a different object. Here the thing you own and keep primary is not a document, it is the order route: the path an instruction travels from your agent to your broker. We are not claiming the full collaboration stack Ink & Switch described. We take one idea, primacy of the copy on your own hardware, and apply it to execution.
What local-first means for a trading bridge
In a local-first bridge, one daemon on your machine holds three things: the MCP server your agent connects to, the guardrail engine that checks every order, and the keys that authorize trading. Your agent talks to localhost. Orders reach NinjaTrader 8 through a small AddOn running in the platform on the same machine or the same local network. If there is any cloud component, it carries optional telemetry and nothing else, and it is deliberately kept off the order path.
The order route stays inside your machine: agent to localhost daemon to guardrail engine to the NinjaTrader 8 AddOn. PitBridge cloud sits off the path and can only receive opt-in telemetry, never orders.
What actually stays on your machine
Concretely, a short list of components runs inside the daemon on your own hardware, and none of them is reachable from the public internet. The MCP server your agent connects to speaks over stdio or localhost. The guardrail engine is pure and synchronous and runs in the same process. The account book and the day ledger track positions and session P&L locally. The append-only, hash-chained audit log is written to your own disk. And the broker credentials and the pairing token sit in the daemon, never in the agent.
| Property | Where it runs | Reachable from the internet? |
|---|---|---|
| MCP server (agent surface) | localhost daemon | no |
| Guardrail engine | in-process, same daemon | no |
| Account book and day ledger | the daemon | no |
| Hash-chained audit log | your disk (audit.jsonl plus audit.anchor.json) | no |
| Broker credentials and pairing token | the daemon | no |
| Optional telemetry | opt-in, off the order path | outbound only, never inbound orders |
Where it runs
- MCP server (agent surface)
- localhost daemon
- Guardrail engine
- in-process, same daemon
- Account book and day ledger
- the daemon
- Hash-chained audit log
- your disk (audit.jsonl plus audit.anchor.json)
- Broker credentials and pairing token
- the daemon
- Optional telemetry
- opt-in, off the order path
Reachable from the internet?
- MCP server (agent surface)
- no
- Guardrail engine
- no
- Account book and day ledger
- no
- Hash-chained audit log
- no
- Broker credentials and pairing token
- no
- Optional telemetry
- outbound only, never inbound orders
The AI-agent threat model local-first addresses
Because the thing driving orders here is a language model, the relevant risk is not only that a vendor gets breached. It is that the agent itself is manipulated. Prompt injection is the standard version of this: untrusted text that lands in the agent’s context, for example a web page it read, a document it summarized, or a message it was asked to process, tries to steer it into emitting an action it should not, such as a rogue place_order.
Local-first narrows what that manipulation can reach. The agent never holds broker credentials and never talks to an execution endpoint. It reaches only localhost, and it can only call the nine MCP tools the daemon exposes: five read-only tools (get_accounts, get_positions, get_orders, get_account_state, get_guardrail_status) and four order tools (place_order, cancel_order, close_position, flatten_account). Risk limits are enforced in code by the guardrail engine, not described in the prompt, so a manipulated prompt cannot widen max_contracts_per_order or release the kill switch. There is deliberately no tool for either.
That bounds the blast radius. A hijacked agent can still propose an order, and an honest reading of the risk says so. What it cannot do is exfiltrate keys, because the keys never enter its context, or reconfigure the guardrails, because the config is not on its surface. Any order it does emit still passes the deterministic engine and cannot exceed the caps you set. The full argument for why the engine is not something the model can talk its way past is in risk controls an LLM cannot override.
Why it matters for money and keys
The order route is the sensitive part of any trading setup, and every party that touches it is a party that can fail you. A cloud relay puts a third party between your agent and your account: another service that can be breached, can go down, can change its terms, or can see your order flow. Local-first removes that party from the path. Because the whole route is on your machine, you can inspect it, log it, and audit it yourself rather than trusting a status page. The credential point is covered above: with no hosted vault holding keys, there is no remote store of trading credentials to breach in the first place.
Latency and failure modes
Two things follow from keeping the path local, and the honest one is about failure, not speed. On latency, a localhost hop plus the platform’s own execution is about as short as the path gets, with no public network segment between your decision and the check. That is a genuine benefit, though it is not the headline, and we do not publish a millisecond number for it.
It helps to know what the alternative path looks like. Cloud-relay and webhook chains are reported by third parties to run end to end, from alert to broker, somewhere around 200 to 800 ms in normal conditions, and TradingView itself describes alert delays of 25 to 45 seconds as normal, with worse backups at the open or on news. Those are third-party figures about relay services, not PitBridge measurements. The structural point stands without any benchmark of our own: the local path has no public network segment to queue behind.
The headline is how the system fails. A local bridge fails closed. If the daemon is not running, no orders pass, full stop. A cloud relay has more failure surface and worse failure modes: if the relay is up but slow, your order sits in someone else’s queue; if it is down, you are locked out of your own account’s automation until they recover.
How the bridge fails closed
Fail-closed is not a slogan here, it is a set of concrete mechanisms, each with a typed reason code you can read in the audit log.
LINK_DOWN. Heartbeats run every 5 seconds in both directions. After 15 seconds of silence the AddOn link is considered down, and every order hard-rejects with reason codeLINK_DOWN. Nothing queues against a dead link.- Reconcile-first. Until an AddOn connects and sends its first account-state snapshot, orders stay blocked. The link is never assumed up, it has to prove itself.
KILL_SWITCH. You engage the kill by file, CLI, or REST. Releasing it is CLI-only and is never an agent tool. De-risking (cancel_order,close_position,flatten_account) stays allowed under a kill, so you can always get flat.- Daemon down means nothing runs, which means nothing trades. The absence of the bridge is itself the safe state.
Mac, Windows, or both (paired mode mechanics)
Local-first does not mean tied to one operating system. The daemon is cross-platform, so it runs on your Mac or your Windows box. NinjaTrader 8 itself runs on Windows, so if your daily driver is a Mac, paired mode lets the daemon run on the Mac and reach a NinjaTrader instance on a Windows machine on your own network.
Paired mode has a concrete security rule behind it. By default the daemon binds 127.0.0.1, localhost only, so nothing off the machine can reach it. Reaching a Windows NT8 box across your LAN needs a non-localhost bind, and the config refuses that unless two things are both set: paired_mode = true and a configured pairing_token. The AddOn must present that token to link. So paired still means your own machines on your own network, authenticated by a token you generated, never a public endpoint.
[daemon] bind = "127.0.0.1" # localhost only by default port = 8873 paired_mode = false # true, plus pairing_token, required for a non-localhost bind pairing_token = "pb_pair_..." # the AddOn must present this to link
A non-localhost bind is refused unless both paired_mode = true and a pairing_token are set. Generate a fresh token with pitbridge pair new.
Paired mode: the daemon and agent on your Mac, NinjaTrader 8 and the AddOn on your Windows PC, with orders crossing only your local network. The internet enclosure stays empty except for opt-in telemetry.
The local-first trading bridge page covers the Mac and paired-mode setup in detail, and the security model documents the localhost bind and the token.
Local-first versus a cloud relay
The trade you are making is convenience for control. A hosted relay can be quicker to set up and takes some operational load off you. What you give up is exactly the thing that matters most on a funded account: a path to your money that no one else sits on. For automation that can place real orders, that is not a close call. Here is the head-to-head.
| Property | Local-first bridge (PitBridge) | Cloud relay or webhook service |
|---|---|---|
| Who is on the order path | your daemon only | a third-party server between agent and account |
| Where credentials live | in the daemon on your machine | in a hosted vault you do not control |
| Failure mode | fails closed (LINK_DOWN or daemon-down means no orders) | order sits in the relay queue, or you are locked out during their outage |
| Latency path | localhost hop plus platform execution, no public segment | alert to relay to broker over the public internet (third-party-reported around 200 to 800 ms, occasionally 25 to 45 s or more at queue backup) |
| Order-flow visibility | only you | visible to the intermediary |
| Auditability | your own hash-chained, tamper-evident log | a vendor status page |
| Config and limits under attack | enforced in code, no agent tool to change them | depends on vendor controls |
Local-first bridge (PitBridge)
- Who is on the order path
- your daemon only
- Where credentials live
- in the daemon on your machine
- Failure mode
- fails closed (LINK_DOWN or daemon-down means no orders)
- Latency path
- localhost hop plus platform execution, no public segment
- Order-flow visibility
- only you
- Auditability
- your own hash-chained, tamper-evident log
- Config and limits under attack
- enforced in code, no agent tool to change them
Cloud relay or webhook service
- Who is on the order path
- a third-party server between agent and account
- Where credentials live
- in a hosted vault you do not control
- Failure mode
- order sits in the relay queue, or you are locked out during their outage
- Latency path
- alert to relay to broker over the public internet (third-party-reported around 200 to 800 ms, occasionally 25 to 45 s or more at queue backup)
- Order-flow visibility
- visible to the intermediary
- Auditability
- a vendor status page
- Config and limits under attack
- depends on vendor controls
Telemetry stays off the order path
The one cloud-adjacent element PitBridge can use is optional telemetry, and it is drawn off the route by design. Telemetry is opt-in and carries operational and health data only, never an order. It leaves the machine outbound, and nothing inbound from it can place, change, or delay a trade. The order path has no dependency on it, so if telemetry is off, misconfigured, or unreachable, orders behave exactly the same. There is no hidden cloud step between your agent and your account.
The guardrails that gate the local order route, the NinjaTrader 8 bridge that carries orders into the platform, and the security model that covers the local token and modes all build on this one choice. Tell us your platform on the waitlist. PitBridge is trading infrastructure, not financial advice.