Roadmap
Phase status. What is shipped, what is pending, what is out of scope.
The Professionals tier is built in phases. This page tracks the actual state of each module.
Phase L0. Protocol foundations (shipped)
Additive. Earlier tiers (Quick Mode, hz.pipe(), hz.run(), paper trading) behave identically. Professional users opt in.
| Module | Provides |
|---|---|
horizon.accounts | Household / Client / Account / Custodian model. InvestmentPolicyStatement. AccountRegistry. |
horizon.audit | Hash-chained event log. SQLite WORM sink. Daily anchor hashes. |
horizon.secrets | Secrets Protocol. EnvSecrets and DictSecrets. |
horizon.calendars | NYSE calendar, AlwaysOpen for crypto, ResolutionCalendar for prediction markets. |
horizon.data.live | LiveFeed Protocol. NullLiveFeed. Shape every concrete feed implements. |
Extended OrderAction | client_order_id, account_id, TIF enum, stop/trail, tax-lot election. See Order lifecycle. |
Extended VenueOrder / VenueFill | Full FIX-style OrderStatus, NBBO snapshots, liquidity flag, exchange of execution, fees and rebates. |
Phase L1. Live execution
Takes the SDK from research platform with a compliance substrate to placing real orders on behalf of a client.
Shipped
| Item | Where |
|---|---|
hz.run(mode="live", feed=..., ...) | horizon/run.py (_run_live). See Live mode. |
| Alpaca venue + WebSocket feed (equities, options, crypto) | horizon/venues/alpaca.py, horizon/data/live/alpaca_ws.py |
| Kalshi venue + WebSocket feed (CFTC event contracts) | horizon/venues/kalshi.py, horizon/data/live/kalshi_ws.py |
| Hyperliquid venue + WebSocket feed (perps, spot) | horizon/venues/hyperliquid.py, horizon/data/live/hyperliquid_ws.py |
| Polymarket venue + WebSocket feed (prediction markets) | horizon/venues/polymarket.py, horizon/data/live/polymarket_ws.py |
CCXT venue + ccxt.pro feed (Binance, Coinbase, Kraken, OKX, …) | horizon/venues/ccxt_venue.py, horizon/data/live/ccxt_ws.py |
IBKR venue via ib_async (equities, options, futures, forex) | horizon/venues/ibkr.py |
| Fill reconciliation against broker positions and open orders | horizon/execution/reconciler.py (VenueLedgerReconciler) |
| Buying-power check (per venue) | horizon/risk/engine.py |
| Reg SHO locate / borrow check | horizon/execution/locates.py (LocateProvider, EasyToBorrowListProvider) |
| PDT gate (FINRA 4210) | horizon/compliance/pdt.py (PDTCounter, PDTGate) |
| IPS gate at order time | horizon/risk/ips_gate.py |
| Bucket limits (issuer, sector, cluster, ADV) | horizon/risk/buckets.py |
| NBBO fat-finger and stale-quote guard | horizon/risk/engine.py |
| Time-in-force enforcement | TimeInForce enum in types.py, honored in executors and venue |
AccountRegistry drives the live loop | horizon/run.py, horizon/accounts/ |
| Block allocation (pro-rata, rotational, random) | horizon/execution/allocation.py. See Allocation. |
| Per-account tax-lot accounting | horizon/state/lots.py (LotBook). See Tax lots. |
| Wash-sale detection, basis adjustments | horizon/state/wash_sale.py |
| Strategy checkpoint round-trip | horizon/state/checkpoint.py |
LiveWatchdog (feed stale, reject streak, intraday loss, min equity, auto-flatten, calendar-driven halt and flatten) | horizon/ops/watchdog.py. See Watchdog. |
| Crash recovery via audit-log replay | horizon/state/recovery.py. See Recovery. |
| Structured JSON logging, per-order correlation ids | horizon/observability/logging.py |
Prometheus metrics + embedded /metrics exporter | horizon/observability/metrics.py. See Metrics. |
| Alerting (Slack, email, PagerDuty, Twilio SMS) with audit-log bridge | horizon/observability/alerts.py. See Alerting. |
Dead-letter queue for failed submits + horizon dlq list/replay/dismiss CLI | horizon/ops/dlq.py, horizon/cli.py. See DLQ. |
| Fee accrual (management, performance, HWM, hurdle) | horizon/accounting/fees.py. See Fees. |
| Client statements (text + JSON) | horizon/reporting/statements.py. See Statements. |
| Performance report (TWR, MWR, Sharpe, Sortino, drawdown, period breakdowns) | horizon/reporting/performance.py. See Performance. |
| Tax packet (1099-B boxes A to F) | horizon/reporting/tax.py. See Tax packets. |
| Best-ex report (Rule 605/606) | horizon/reporting/best_ex.py. See Best execution. |
| HTML rendering (statements, tax packets, best-ex) | horizon/reporting/html.py |
Pending in L1
All venues and operational hooks originally scoped for L1 are shipped. Remaining L1-adjacent work is per-venue polish (bracket/OCO for Alpaca and IBKR, L2 order book reconstruction for Kalshi, web3 balance reads for Polymarket positions). Items are tracked in the per-venue docs’ “Status by phase” tables.
Exit criterion. hz.run(mode="live", accounts=registry, venues={"alpaca": ..., "ibkr": ..., "hyperliquid": ..., "polymarket": ...}) places and reconciles at least one order per asset class against broker sandboxes, and replays the full day from the audit log after a kill -9.
Phase L2. RIA-ready and fund-ready
Shipped ahead of L2
The reporting layer landed early:
- Fees.
- Statements.
- Performance.
- Tax packets.
- Best execution.
- HTML renderers for the above.
Compliance (shipped)
horizon.compliance.suitability. Reg BI rationale attached to each recommendation;AuditCategory.SuitabilityRecordevents with IPS version fingerprinting.horizon.compliance.restrictions. Firm-wide, household, client, and account-scope restricted-securities engine with time windows, block/warn severity, issuer matching, and aRestrictionsGatefor the risk pipeline.horizon.reporting.adv. Form ADV surfaces (regulatory AUM, account / client / household counts, client classification, AUM breakdowns, fee revenue, advisory-service flags).
Additional compliance tooling shipped:
- Audit CLI.
horizon audit verify/stats/replay/export/anchor/enforce-retentionsubcommands. - Retention policy.
RetentionPolicy+LegalHold+RetentionEnforcerwith JSONL destruction log and cryptographic receipts.SQLiteSink.destroy_with_receiptprimitive. - Pre-clearance workflow.
PreClearanceGate+SQLitePreClearanceQueuefor human-in-the-loop approval of sensitive orders.approve/rejecthelpers with optional RBAC gating. Auto-queuesRestrictionSeverity.Warnmatches from the restrictions engine.
Pending in this area: real-time watchlist feed integration.
Security
Shipped:
- RBAC.
horizon.authmodule.Principal/Role/Permission/Policywith Admin, Principal, Trader, ComplianceOfficer, Auditor, Viewer defaults. Wired into pre-clearance approve / reject. Denials auto-logged asAuditCategory.AccessDenied. - PII scrubber in logs.
horizon.observability.logging.PiiScrubber.
Pending:
- Request signing (mTLS / HMAC) for self-built broker integrations.
Fund vehicle (shipped)
horizon.fund. Units, subscriptions, redemptions, daily NAV.AccountSubType.Fundactivated byFundVehiclewrapper.- Fee accrual integration via
vehicle.accrue_fees(...)on top of the existing Fees module. - Lockup enforcement and per-call bypass for administrative redemptions.
- Configurable redemption fee in bps.
- Multi-class funds (
MultiClassFund,FundClass). Class A / I / Founders etc. with per-class fees, hurdles, lockups, minimum subscriptions, and pro-rata NAV allocation by deposited basis.
Pending in this area: capital-call schedules, catch-up in performance fees, in-kind subscriptions and redemptions.
Reporting extensions (shipped)
- Attribution and benchmarks.
BenchmarkComparison(tracking error, information ratio, alpha, beta, R²) andbuild_contribution()(per-strategy, per-sector, or custom grouping). - PDF rendering.
horizon.reporting.pdfwraps WeasyPrint:render_statement_pdf,render_tax_packet_pdf,render_best_ex_pdf. - Dividend, interest, and funding-rate accrual handlers.
horizon.lifecycle.handlers.accruals+PositionLedger.apply_cash_adjustment. See Accruals.
Settlement and corporate actions
- T+1 settlement tracking. Shipped. Per-asset-class rules, business-day math with the NYSE calendar, settled vs. traded quantity queries, cash-account free-rider detection, failed-settlement flagging, audit events (
TradeSettled,SettlementAdvanced,SettlementFailed). - Corporate actions. Shipped. Splits, stock dividends, cash dividends, cash mergers, stock mergers, spin-offs, ticker changes, return of capital. Lot-book adjustments with basis conservation. Audit events (
CorporateAction,DividendAccrued). - Option exercise and assignment. Shipped. Long / short call and put ITM exercise and OTM worthless expiry with IRS-aligned basis adjustments. OCC-symbol parsing. Audit events (
OptionExpiry,OptionAssigned). - Corp-actions data-source integration (Polygon / IBKR / Refinitiv feed ->
CorporateActionobjects). Pending.
Ops
- OpenTelemetry tracing. Shipped.
TracerProtocol +NullTracerdefault +OpenTelemetryTracerlazy-imported. Span opens around everyvenue.submitwith venue/account/market/side/client_order_id attributes. - Deployment artifacts. Shipped. Multi-stage Dockerfile, docker-compose stack (Horizon + Prometheus + Grafana), systemd unit, runbooks (kill switch, feed stale, credential rotation, disaster recovery), Rule 206(4)-4 BCP template.
- Environment separation (dev, stg, prod) with secret isolation.
HorizonConfigloads in precedence order: explicit kwargs > process env ><env>.env>base.env> class defaults. See Config.
Legal templates (pending)
- Form ADV Part 2A / 2B drafts.
- Advisory agreement template.
- Privacy policy (Reg S-P).
- Business Continuity Plan (Rule 206(4)-4).
- Code of Ethics (Rule 204A-1).
- Cybersecurity policy (SEC).
Templates only. Counsel owns the content. The SDK produces the records those documents reference.
Technical exit criterion verified by the tests/test_l2_exam_replay.py suite: after “crashing” the process, a fresh SQLiteSink reader reconstructs the full order blotter, risk-decision log, and best-execution report from the persisted audit log alone; the hash chain verifies end-to-end; a tampered event is detected. The human exit criterion remains a mock SEC exam with counsel producing Rule 204-2 artifacts from the event log, plus a quarterly client statement and tax packet for an SMA and a fund account.
Test coverage further tightened in L2: property-based ledger invariants (equity decomposition, round-trip flat, cash-adjustment linearity, FIFO/HIFO lot ordering) and a fill-dedup / audit-chain atomicity / WORM-trigger rollback suite.
Phase L3. Scale and hardening
- Multi-venue smart router across accounts and asset classes.
- Remaining pre-trade controls (ADV cap variants, remaining concentration variants).
- Block-trade aggregation and rotation for large orders across many accounts.
- Surveillance rules (wash trades, marking the close, spoofing, front-running).
- Stock-loan and fail-to-deliver tracking.
- DR/BCP drill.
- Continuous exam-replay in CI.
- Multi-currency (MiFID II for EU clients).
Phase L4. Externally auditable
- SOC-2 Type 2 readiness.
- Penetration test.
- SEC cybersecurity rule compliance.
- GIPS verification if marketing performance.
- MiFID II full compliance for EU clients.
Out of scope
- Client PII storage. KYC/AML belongs at the custodian. The SDK carries non-PII handles only.
- Form ADV filing. Counsel’s work product. The SDK provides the data that feeds it.
- Fiduciary judgment. The SDK records what was done. It does not decide what should be done.
- Custody arrangements. Whether a custody setup complies with Advisers Act 206(4)-2 is a legal question between the firm, the custodian, and the SEC. Not a property of this library.
Framing
The SDK is technical substrate for a compliance program, not a compliance program. Compliance is a firm-level property: policies, supervision, filings, and people. What this infrastructure provides is that when counsel asks “prove X,” the answer takes minutes, not days.