Hoox Docs

🔐 Secrets & Network Security

Security is the most critical component of the Hoox trading platform. When deploying automated execution scripts, your capital and API credentials must be protected against malicious exploits, unauthorized webhook payloads, and network interceptions.

This guide outlines our Zero Trust security architecture, encrypted secret management procedures, and edge-level firewall protection runbooks.


🛡️ 1. Zero Trust Network Isolation

Traditional trading systems expose database and exchange execution APIs to the public internet (secured by simple HTTP headers or ports). This creates an active attack surface.

Hoox implements a strict Zero Trust microservice isolation topology:

[Public Internet] ───► [Cloudflare WAF / Firewall]
                                │
                        (IP & Auth Checks)
                                │
                                ▼
                       [Gateway (hoox)] (Publicly Accessible Node)
                                │
               ┌────────────────┴────────────────┐
               │ V8 Isolate Service Bindings     │
               │ (Private, Encrypted, Zero-TCP)  │
               └────────────────┬────────────────┘
                                │
              ┌─────────────────┼─────────────────┐
              ▼                 ▼                 ▼
       [trade-worker]      [d1-worker]      [agent-worker]
       (No Public URL)   (No Public URL)   (No Public URL)
              │                 │                 │
     (Exchange Orders)   (SQLite Queries)   (AI Risk Audits)

  • No Public Endpoints: The trade-worker, d1-worker, and agent-worker are not reachable from the public internet. They have no public IP addresses or URLs.
  • V8 Service Bindings: Communication between the public gateway (hoox) and the internal compute nodes is routed entirely inside Cloudflare’s secure V8 engine isolates. Your trade routing data, database queries, and private logs never travel over the public internet, eliminating TLS decryption and packet-sniffing risks.

🔑 2. Encrypted Secret Management via CLI

API keys, exchange secrets, and Telegram bot tokens are never committed to git repositories or written to plaintext configuration files. Instead, they are stored directly in Cloudflare’s hardware-secured key vaults.

The Hoox CLI integrates with this encrypted store to automate secret provisioning:

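# 1. Inject a secure exchange credential (e.g. Bybit Secret)
# Note: a value typed as a command-line argument is saved in shell history
# when history is enabled.
hoox secrets set BYBIT_API_SECRET "your_private_signature_here"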

# 2. Check the synchronization status of all required edge secrets
hoox secrets check

The Secrets Diagnostic Report

Running hoox secrets check queries Cloudflare’s API to confirm that each key binding exists on the edge, without ever exposing or decrypting the actual values in your terminal:

┌────────────────────────────────────────────────────────┐
│               Cloudflare Edge Secrets Audit            │
├────────────────────────────────────────────────────────┤
│  BYBIT_API_KEY ........... ✅ PRESENT (Active)          │
│  BYBIT_API_SECRET ........ ✅ PRESENT (Active)          │
│  TELEGRAM_BOT_TOKEN ...... ✅ PRESENT (Active)          │
│  OPENAI_API_KEY .......... ⚠️ MISSING (Optional)       │
│                                                        │
│  Audit Result: SECURE (All required secrets bound)     │
└────────────────────────────────────────────────────────┘

🧱 3. Webhook Firewall & TradingView IP Allow-listing

Two checks ensure that only TradingView’s official servers can fire signals to your /webhook gateway:

  1. Passkey Verification: The gateway checks the apiKey property inside the JSON payload against your secure manifest in CONFIG_KV.
  2. Cloudflare WAF (Web Application Firewall): Since TradingView publishes its official IP ranges, you can configure Cloudflare’s edge firewall to block all webhook traffic that does not originate from these verified IPs.

# Auto-configure WAF rules to lock the /webhook route to TradingView IPs
hoox waf configure --TradingView-only
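
The two checks above, written as the gateway might apply them before forwarding a signal. This is an added example, not Hoox source code: the CIDR ranges are RFC 5737 documentation placeholders (substitute the ranges TradingView publishes), and the manifest shape, function names and status codes are assumptions.

```javascript
// Added example, not Hoox source: gateway-side checks for POST /webhook.
// ALLOWED_CIDRS holds RFC 5737 documentation ranges as placeholders; replace
// them with the ranges TradingView publishes. Manifest shape is assumed.
const ALLOWED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"];

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function ipInCidrs(ip, cidrs) {
  const addr = ipv4ToInt(ip);
  if (addr === null) return false; // fail closed on IPv6 or malformed input
  return cidrs.some((cidr) => {
    const [base, bitsStr] = cidr.split("/");
    const baseInt = ipv4ToInt(base);
    const bits = /^\d{1,2}$/.test(bitsStr) ? Number(bitsStr) : NaN;
    if (baseInt === null || !(bits <= 32)) return false; // bad entry never matches
    const size = 2 ** (32 - bits); // addresses per block
    return Math.floor(addr / size) === Math.floor(baseInt / size);
  });
}

// No early exit, so response timing does not reveal how many bytes matched.
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % (y.length || 1)];
  return diff === 0;
}

// In a Worker: sourceIp = request.headers.get("CF-Connecting-IP"),
// manifest = the JSON value read from CONFIG_KV. Forward only on status 200.
function checkWebhook(rawBody, sourceIp, manifest) {
  if (!ipInCidrs(sourceIp, ALLOWED_CIDRS)) return { status: 403, reason: "ip" };
  let payload;
  try { payload = JSON.parse(rawBody); } catch { return { status: 400, reason: "json" }; }
  const supplied = payload && typeof payload.apiKey === "string" ? payload.apiKey : "";
  const expected = manifest && typeof manifest.apiKey === "string" ? manifest.apiKey : "";
  if (!expected || !constantTimeEqual(supplied, expected)) return { status: 401, reason: "apiKey" };
  return { status: 200, reason: "ok" };
}
```

An empty or missing manifest key is rejected rather than treated as a match, so a misconfigured CONFIG_KV entry fails closed.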

📋 4. Security Best Practices Checklist

  • Least Privilege API Keys: When creating API keys on Bybit, Binance, or MEXC, never enable “Withdrawal” permissions. Only check “Trade” and “Account Read” permissions.
  • Credential Rotation: Automatically rotate your exchange API keys every 90 days. Deleting old keys and injecting new ones takes less than 60 seconds with hoox secrets set.
  • Zero-Commit Rule: Verify that your .env.local and .dev.vars files are registered in your workspace’s .gitignore file to prevent accidental pushes to public repos.
  • Emergency Response: If you suspect a strategy error or exchange anomaly, immediately halt all execution via the CLI:
    hoox monitor kill-switch on

🔗 Next Steps