Alpha & Oversight
Read the report← Home

ALPHA & OVERSIGHT · HOW IT WORKS

The adversary invents. The system learns.

The adversary invents.The system learns.

Adversarial trade-surveillance, refereed by a Band of agents - where a model invents new market manipulation and deterministic code, not an LLM, renders every verdict.

Watch it run live →Read the report
PLACEPLACECANCELPLACECANCELPLACECANCELPLACECANCEL
  • 8 agents + 1 rule engine
  • 2 desks · 1 wall
  • 4 → 5 rules
  • 100% deterministic verdicts

§3.1 · The problem

Why this exists

Why this exists- the rules stand still, the tactics move.

Markets can be rigged. A trader can post orders they never plan to fill to fake demand (spoofing), stack fake depth across price levels (layering), trade with themselves to invent volume (wash trading), or push the closing price to mark their own book. Regulators write rules against each of these, but the rules are fixed while the tactics keep moving - a small change to a known trick can slip a rule written for last year's version of it.

Two obvious fixes both fall short. Writing new rules by hand is slow and always a step behind. Letting an AI model decide the verdict is worse: the decision becomes a black box a regulator can't audit and an opponent can try to talk its way past. Alpha & Oversight keeps the verdict deterministic and auditable, and lets the system write its own new rules the moment an old one is beaten.

The four tactics it watches

spoofinglayeringwash tradingmarking the close

Overview

The whole picture

The whole picture- two desks, one wall.

The system is built from two desks that never share a model or a memory. They talk only through Band, a message bus that carries every handoff. The R&D desk is the red team: one Adversary that invents new evasions. The Surveillance desk is the blue team: seven agents that investigate a case, plus one rule engine that is not an agent at all. The rule engine is plain code, and it is the only thing that decides PASS or FLAG.

Order flow crosses a one-way wall: only the bare orders move from R&D to Surveillance, with the adversary's reasoning and model identity stripped off first. Every message is sealed into a hash-chained ledger, so the whole decision can be replayed and checked.

BANDHANDOFF · EVIDENCE · VERDICT · ESCALATION · RULE_CODIFIEDR&D DESK · RED TEAMSURVEILLANCE DESK · BLUE TEAM⟂ Chinese walladversaryfrontier LLM · invents evasionsoracle 1 · rule enginedoes the rulebook MISS it?oracle 2 · backtestprofit AND price impact?evades AND profits= confirmed novel evasionSanitizedBridge · strips reasoning + model_keyAnomalyDetectorInvestigatorrecruits a specialistSpecialistproposes contested inputslocal debate · off BandProsecutionDefenseAdjudicatorresolves the inputsRULE ENGINEsole PASS / FLAG authority · deterministicFLAG → FLAGGEDPASS on suspicious flow → ESCALATEDCompliance officer(human peer)EscalationManagerHash-chained audit ledger — every Band message sealed:hash = sha256(prev_hash + canonical_json) · binds band_message_id · verify_chain()@mention handoffsHANDOFF · events onlyresolved inputsESCALATIONconfirm → codifyactive rulebook → R&D (read-only)

R&D desk · red team

The adversary

0 agent

One Adversary invents new evasions, gated by two deterministic oracles before any tactic is trusted.

  • Adversaryinvents evasions

⟂ Chinese wall

SanitizedBridge

Only the bare order events cross R&D → Surveillance. The adversary's reasoning and model identity are stripped off first; the rulebook flows back read-only.

events only · on Band

Surveillance desk · blue team

The investigators

0 agents

Seven agents investigate a case and shape the contested inputs - plus one rule engine that is not an agent, the sole PASS / FLAG authority.

  • Anomaly Detector
  • Investigator
  • Specialist
  • Prosecution
  • Defense
  • Adjudicator
  • Escalation Manager
Rule enginenot an agent · code decides

Methodology · five sub-flows

How a case actually moves - invent, investigate, decide, learn.

(a) following one case, end to end

A line of agents, no one calling the next.

A line of agents,no one calling the next.

A case moves down a line of agents that never call each other directly - each drops its work on Band and the next picks it up. The Anomaly Detector computes hard features (cancel-to-fill, book depth, self-match) and decides if the flow looks suspicious. The Investigator recruits the right Specialist by those features, not by a guess. The Specialist proposes the contested inputs the engine can't derive - the time window, the bona-fide orders, the intent. Prosecution and Defense then argue the case locally, off Band, and the Adjudicator settles their numbers.

1TRIAGE2DEBATE & RESOLVE · off Band3VERDICTSanitizedorder eventsAnomaly Detectorfeatures → suspicious?Investigatorrecruits a specialistSpecialistwindow · bona-fide · intentlocal debate · off BandProsecutionDefenseAdjudicatorresolves one conservative input setRULE ENGINEruns the active rules · deterministicFLAG · rule_id + metric → FLAGGEDEscalation Managerpackages brief · recommends action→ BandHANDOFF@mention recruitEVIDENCEresolved inputsVERDICTagents never call each other - each drops work on Band, the next picks it up · LLMs argue, code decides
Fig 2 - the case relay across Band

(b) inventing a new evasion

Two referees, before anything crosses.

Two referees,before anything crosses.

A new tactic is never used until it proves itself twice. The Adversary proposes an order sequence, and two deterministic referees gate it: the real rule engine must miss it (it evades), and a backtest must show it makes money and moves the price (it's real). Only a sequence that evades and profits crosses the wall.

R&D DESK · INVENTING A NEW EVASIONa tactic is never used until it proves itself twiceAdversaryengineers a new evasion sequenceOracle 1 · rule enginedid it EVADE? (PASS)Oracle 2 · backtestprofit AND price impact?Confirmed novel evasionevades AND profitsSanitizedBridge→ Surveillance · reasoning + id strippedcandidateevades ✓real ✓HANDOFF · events onlyrule fired → retry (round++)no profit → retryBounded: at most K rounds. A round with no evade-and-profit sequencestops the loop with no confirmed evasion.
Fig 3 - the R&D two-oracle gate

(c) who decides the verdict

The verdict is never an opinion.

The verdict is neveran opinion.

The verdict is never an opinion. The engine takes the order events, the inputs the debate resolved, and the active rules, then runs each rule's math. The first rule that trips returns a FLAG with the rule id and the exact metric that crossed the line; if none trip, the case passes. The agents only shape the contested inputs. The engine alone turns them into PASS or FLAG, the same way every time.

LLMs ARGUE · CODE DECIDESOrder eventsPLACE · MODIFY · CANCEL · as observedResolved inputswindow_ms · bona-fide ids · intentActive rules (registry)the live rulebook · 4 seed rules↑ only these values come from the LLM debateDETERMINISTIC EVALUATIONfor each active rule, in order: run the family metric spoofing · layering · wash · marking overlay the resolved windowfirst rule that trips winsRULE ENGINEsole PASS / FLAG authority · deterministicany ruletrips?FLAGrule_id + cited metricPASSno rule firedrun byrenders verdictyesnoThe models only set the contested inputs. The rule engine renders PASS / FLAG deterministically -same inputs, same answer, every time. No LLM overrules it.
Fig 4 - LLMs set inputs, code decides

spoofing

FINRA 5210

cancel_ratio ≥ 0.8

layering

FINRA 5210

depth_levels ≥ 3

wash

SEC 10b-5

self_match_ratio > 0.5

marking

SEC 10b-5

eod_print_move_bps ≥ 100

(d) closing the loop

From four rules to five, in one click.

From four rulesto five, in one click.

Here is the part that makes it self-improving. When the Adversary's novel evasion reaches the engine, the seed rules miss it and the case passes - but because the flow still looked suspicious, it escalates to a human instead of closing. A compliance officer confirms it really is manipulation, and that one click does the rest: a new rule is derived from the case, replayed through a regression gate to prove it now flags, and codified. Active rules go from four to five, and the case flips from PASS to FLAGGED. The Adversary has to invent something new.

The EvasionSTEP 1 / 6
  1. 01Clean flow
  2. 02The adversary's move
  3. 03Across the Band
  4. 04The debate
  5. 05The verdict
  6. 06Codify
Anomaly Detector · open model

Surveillance watches every order. Most flow is benign.

The Anomaly Detector takes the first glance - computing the hard features (cancel-to-fill, book depth, self-match). At 0.08 nothing trips the rulebook, so the case closes clean.

R&D Adversary · open model
ADVERSARY · 400ms layering-evasion · Market #0

The R&D red team plants the evasion. A 400ms cancel cluster forms.

Orders placed only to be pulled - layering the book to mislead. Cancel-to-fill spikes to 0.94, and two deterministic referees confirm it both evades the rulebook and profits before it may cross the wall.

SanitizedBridge → Investigator
▓ waiting on Band ▓

The case crosses the Chinese wall. Only sanitized events pass.

The SanitizedBridge strips the adversary's reasoning and even its model - only raw order events cross. Surveillance picks them up; the Investigator turns blue, waiting on Band as it recruits a specialist.

Specialist → Prosecution ⚔ Defense
frontier ⚔ open · contesting the window

Prosecution ⚔ Defense. They contest the window.

The Specialist proposes the contested inputs; a frontier Prosecution argues a wide window, an open-weight Defense argues tight. The bracket quivers until the Adjudicator settles one conservative set of numbers.

Rule Engine · deterministic
PASS (rules missed) → ESCALATE

The deterministic rule draws 100ms. The cluster sits outside.

The seed rule FINRA-5210-layering scores PASS - the 400ms evasion slips its 100ms window. No LLM can overrule the engine, so the case ESCALATES to a human.

Human confirm → RULE_CODIFIED
FLAG ✓ · regression gate PASS · rules 4 ▸ 5

The system learns. That evasion can never evade again.

The human confirms. A new rule is derived and regression-gated - replayed against the original evasion until it FLAGs - then codified. The rulebook grows 4 ▸ 5 and a RULE_CODIFIED message goes out on Band.

live · market #0cancel_rate0.08depth1window100msverdict-rules4
0100200300400500600TIME (ms) →window 100mscancel cluster · 400ms▓ waiting on Band ▓INVESTIGATORcancel_to_fillτ 0.800.08

(e) why you can trust it

A wall you can’t coach, a ledger you can’t edit.

A wall you can’t coach,a ledger you can’t edit.

Two things carry the trust. The wall (the SanitizedBridge) strips the adversary's reasoning and model identity before any order crosses, so the blue team can't be coached. The ledger seals every Band message into a hash chain - each entry's hash is built from the previous hash plus the message body, and binds the real Band message id. Change one byte and the chain breaks, so verify_chain() returns false. The decision isn't just recorded; it's tamper-evident.

◆ THE WALL · SanitizedBridge◆ HASH-CHAINED AUDIT LEDGER⟂ one-way Chinese wallR&D ordersymbol · side · qty · limit_pricetimestamps+ reasoning + model_keySanitizedBridge · strips reasoning + model_keySurveillance receivessymbol · side · qty · limit_pricetimestamps(only the bare order)events onlyactive rulebook (read-only)hash = sha256(prev_hash + canonical body)leaf 1 · HANDOFFcontent_sha256 · band_message_idprev_hash = nonehash = h1leaf 2 · EVIDENCEcontent_sha256 · band_message_idprev_hash = h1hash = h2leaf 3 · VERDICTcontent_sha256 · band_message_idprev_hash = h2hash = h3tamper any byte → recomputed hash ≠ stored hash → verify_chain() = False
Fig 6 - the wall and the hash chain

§3.4 · Project structure

How the code is organized

How the codeis organized.

The backend keeps the deterministic core apart from the agents that feed it.

moduleresponsibility
rules/

the rule engine, the per-family math, and the rule registry.

agents/

the agents and their specialist registry.

band/

Band transport and the SanitizedBridge wall.

audit/

the hash-chained ledger.

state/

the case state machine.

server/

the FastAPI server (SSE stream, case endpoints, demo triggers).

Every flag can be traced from a Band message all the way to a cited rule.

The differentiator

What's actually new

What'sactually new.

Plenty of systems put a model in the loop. The point here is the opposite: every load-bearing decision is structural or deterministic, and the models only ever shape contested inputs.

00

The code decides, not a model.

The rule engine is the only authority for PASS or FLAG.

00

The rulebook co-evolves.

A confirmed miss becomes a regression-tested rule in one step.

00

The wall is structural.

Two separate Band identities; the crossing strips reasoning and model identity. Isolation by construction, not policy.

00

The audit binds real messages.

The hash chain ties each step to a real Band message id.

00

Different model families guard each other.

The four seats on an adversarial boundary run four different model families, so a blind spot in one can't quietly pass to the next.

00

Both gates are deterministic.

A new evasion must beat the real engine and profit in a backtest. Neither test is an LLM.

Model-family diversity

Four seats, four families, one adversarial boundary.

The four seats that sit on an adversarial boundary - adversary, prosecution, defense, adjudicator - run four different model families. A manipulation the Anthropic adversary hides should be caught by a Moonshot prosecutor, weighed against a DeepSeek defender, and adjudicated by a Zhipu model - none of which share the adversary's blind spots.

SeatModelFamily
Adversary (R&D)claude-opus-4-8Anthropicfrontier
ProsecutionKimi-K2.7Moonshot
DefenseDeepSeek-V4-ProDeepSeek
AdjudicatorGLM-5.2Zhipu
Escalation ManagerQwen3.5-397BQwen
Anomaly · Investigator · SpecialistQwen3-Next-80BQwen
Rule engine- deterministic-

adversarial-boundary seat

Alpha & Oversight · The live desk

See it live

See it live.Watch the adversary lose.

Open the desk to watch a case move across Band in real time - the handoff, the local debate, and the deterministic verdict - or read the full report for the architecture end to end.

Watch it run liveRead the full report (PDF)
  • 8 agents + 1 rule engine
  • 2 desks · 1 wall
  • 4 → 5 rules
  • 100% deterministic verdicts