Vibe Coding Is Not a Risk Control

Vibe coding is useful for prototypes. Trading is not a prototype once orders can route. "It compiled" does not mean "it is safe." A good-looking backtest does not justify live deployment. Use the workflow. Do not skip the gates.

Vibe coding is a useful idea. Describe what you want, let an AI agent draft the code, iterate on feedback. For a weekend app or a research notebook, it works fine. For trading, the same phrase can be used as a stand-in for "we shipped without testing." That is not a workflow. That is an account waiting to be lost.

This post is about the line between the two.

Vibe coding is useful for prototypes

For prototypes, vibe coding is a productivity win. A solo developer can ship more in less time. A non-developer can build something they could not have built. The blast radius of mistakes is small. The cost of iteration is low. The right answer for most weekend code is to vibe code it.

Trading is not a prototype once orders can route

Once a strategy can route orders, every assumption matters. A bug in a weekend app means a UI glitch. A bug in a trading strategy means a fill at the wrong tick, a position you did not intend, a stop that did not fire. On a funded account, a single misbehaving fill can lock the account.

The verification bar is different. The vibe coded draft is not the product.

"It compiled" does not mean "it is safe"

A green compile says the syntax is right. It does not say the logic matches your spec. It does not say the trade list will look the way you expect. It does not say the strategy respects your risk constraints. It does not say the firm's rules permit the workflow.

A compile-only verification gives you false confidence. The next check is the backtest. The check after that is the trade list. The check after that is Sim101 sessions.

"It backtested well" does not mean "it should trade live"

A good-looking backtest can hide a strategy with 12 trades, half of which are outliers. A good-looking sweep can hide a parameter set that fits noise. A good-looking out-of-sample test on the wrong period can hide a regime mismatch.

The discipline is on you to:

  • Require a meaningful trade count.
  • Use realistic commission and slippage.
  • Run an explicit out-of-sample window.
  • Bound parameter sweeps to ranges your spec allows.
  • Re-run the sweep winner as a full single backtest.
  • Read the trade list, not just the metrics.

If you cannot answer "would I trade this manually for a week?" with a confident yes, the backtest is not enough.

Prop firm constraints

Funded accounts add another set of constraints the strategy code does not enforce. Apex Trader Funding's current prohibited activities list bars automation. Topstep permits automated strategies in the Trading Combine with caveats. TakeProfitTrader has news-window prohibitions and a no-counter-positions rule. The strategy that compiled and backtested cleanly will still get flagged by the firm if the firm prohibits the workflow.

The agent can encode firm rules in the system prompt and refuse trades that would violate them. The agent cannot make the firm permit the workflow if the firm does not.

CrossTrade permissions and confirmation model

CrossTrade MCP enforces safety in three layers, none of which is "vibe coded the strategy."

  • OAuth scope. A token scoped to mcp:read cannot place orders at all. mcp:trade can, gated by your prompt.
  • State checks. The recommended prompt requires accounts, positions, orders, summary, and watermarks before any write.
  • Confirmation gates. The agent restates every irreversible action and waits for an explicit user word.

None of these layers is invented at deployment time. They exist before the conversation starts. They are the part vibe coding alone cannot replace.
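The three layers above, sketched as one gate that every write request has to pass. This is an added example, not CrossTrade's code: the scope and state names come from the post, while Session, request_write, confirm and the confirmation word are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Scope and state names are from the post; all other names are hypothetical.
TRADE_SCOPE = "mcp:trade"
REQUIRED_STATE = {"accounts", "positions", "orders", "summary", "watermarks"}
CONFIRM_WORD = "CONFIRM"  # assumed confirmation word


@dataclass
class Session:
    scopes: set                                    # scopes on the OAuth token
    state_seen: set = field(default_factory=set)   # reads since the last write
    pending: Optional[str] = None                  # restated action awaiting the user


def record_read(session, kind):
    """Note that a state read (accounts, positions, ...) has completed."""
    session.state_seen.add(kind)


def request_write(session, action):
    """Layers 1 and 2: scope, then state checks. Returns (ok, message)."""
    if TRADE_SCOPE not in session.scopes:
        return False, "denied: token lacks mcp:trade"
    missing = REQUIRED_STATE - session.state_seen
    if missing:
        return False, "denied: missing state checks: " + ", ".join(sorted(missing))
    session.pending = action
    return True, f"Reply {CONFIRM_WORD} to proceed: {action}"


def confirm(session, user_reply):
    """Layer 3: only the exact confirmation word releases the pending action."""
    action, session.pending = session.pending, None
    if action is None:
        return False, "denied: nothing pending"
    if user_reply.strip() != CONFIRM_WORD:
        return False, "cancelled: no explicit confirmation"
    session.state_seen.clear()  # the next write needs fresh state reads
    return True, f"released: {action}"
```

A refused confirmation clears the pending action, and a released one clears the recorded reads, so neither an old restatement nor stale state can authorize a later write.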

The minimum viable vibe coding workflow for trading:

  1. Write a clear strategy spec in trader language.
  2. Let the agent draft NinjaScript.
  3. Compile in memory through CrossTrade MCP.
  4. Repair compile errors using LookupNinjaScriptSymbol and GetNinjaScriptHelp.
  5. Write the file only after a green compile and an explicit confirmation.
  6. Backtest through RunStrategyBacktest with realistic commission and slippage.
  7. Apply quantitative gates: profit factor, max drawdown, trade count.
  8. Read the trade list. Confirm it matches the spec.
  9. Run a bounded parameter sweep. Re-run the winner as a single backtest.
  10. Deploy only on Sim101 first. GetDeployedStrategyState must show is_trading: true.
  11. Run on Sim101 for several sessions before considering anything else.
  12. For funded accounts, verify the firm's automation policy before any escalation.

This is not corporate risk theatre. This is the minimum that distinguishes vibe coded experiments from a workflow you can run with real consequences.
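An added example (not from the original post or from CrossTrade) of the quantitative gates in step 7, including the "12 trades, half of which are outliers" case from the backtest section. The thresholds, the function name and both trade lists are constructed for illustration, and the P&L values are assumed to be already net of commission and slippage.

```python
# Constructed sample: 12 trades, net P&L per trade in account currency.
THIN_BACKTEST = [900, -100, 50, -100, 40, -100, 850, -100, 60, -100, 30, -50]
# Constructed sample: 120 trades with no dominant winner.
BROAD_BACKTEST = [150, -100] * 60


def evaluate(pnls, min_trades=100, min_pf=1.3, max_dd=2000.0, max_top_share=0.25):
    """Apply the gates to per-trade net P&L. Thresholds are assumed defaults.

    Returns (passed, metrics, failures).
    """
    wins = [p for p in pnls if p > 0]
    gross_profit = sum(wins)
    gross_loss = -sum(p for p in pnls if p < 0)
    profit_factor = gross_profit / gross_loss if gross_loss else float("inf")

    # Max drawdown: largest drop from a running equity peak.
    equity = peak = drawdown = 0.0
    for p in pnls:
        equity += p
        peak = max(peak, equity)
        drawdown = max(drawdown, peak - equity)

    # Share of gross profit that comes from the single largest winner.
    top_share = max(wins) / gross_profit if wins else 0.0

    metrics = {
        "trade_count": len(pnls),
        "profit_factor": profit_factor,
        "max_drawdown": drawdown,
        "top_winner_share": top_share,
    }
    failures = []
    if len(pnls) < min_trades:
        failures.append("trade_count")
    if profit_factor < min_pf:
        failures.append("profit_factor")
    if drawdown > max_dd:
        failures.append("max_drawdown")
    if top_share > max_top_share:
        failures.append("outlier_concentration")
    return not failures, metrics, failures
```

The 12-trade sample clears the profit factor and drawdown gates and is still rejected on trade count and outlier concentration, which is the failure the headline metrics alone would hide.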

Start here

For the safety page with the full layered model, see AI Trading Agent Safety. For firm-specific guardrails, see the Prop Firm Guardrail Generator.

Vibe coding is fine. Vibe deploying is not.