CushLabs Investment Desk

Overview

A personal, non-advisory decision-support application for self-directed investing. It began as a single static HTML report — the frozen output of one AI analysis session — and was rebuilt as a reproducible, production-grade web app with three integrated surfaces:

1. Daily Portfolio Tracker — live E*TRADE positions and P&L, reconciled to the broker to the penny, with a performance trend over time.
2. Allocation Decision Desk — paste in competing allocation plans and compare them side by side: exposures, constraint breaches, tunable weighted scoring, and an engine-synthesized hybrid that reconciles exactly to your available cash.
3. 401(k) Monitor — a deterministic monitor for a Fidelity plan whose holdings are mostly unlisted collective trusts with no public ticker or API, driven by manual monthly snapshots.

The entire system is governed by one hard rule: deterministic, unit-tested code does every financial calculation; the language model is reserved for judgment (conviction grades, diagnosis, synthesis) and never produces a number that drives a dollar figure. A public marketing site and a fully interactive demo (with fictional data) front the app so it can be evaluated without exposing any real holdings.

The Challenge

• Trust: numbers produced by a language model can't be audited, reproduced, or unit-tested — unacceptable when the output drives real-money decisions.
• Staleness: a hand-built allocation report can't be re-run; prices and account state drift the moment it's made.
• Account grounding: a plan that looks disciplined against new cash can quietly pile onto a theme you already own heavily — concentration has to be read against the whole account.
• Hostile data sources: E*TRADE requires OAuth 1.0a request signing; the 401(k) plan exposes no participant API and holds institutional trusts with no quotable ticker.
• Cost: a naive multi-agent design with per-candidate web search is too expensive to run daily.
• Credibility: the whole thing has to be demonstrable to a reviewer without leaking a private portfolio.

The Solution

A deterministic trust core. All money math lives in pure, unit-tested libraries using integer-cent arithmetic — per-position P&L, exposures, constraint checks, weighted scoring, and plan synthesis. The same engine powers both the live app and the public demo, so the demo is a faithful representation of the product, not a screenshot.

Account-grounded decisioning. The Decision Desk reads live E*TRADE holdings and shows every plan's concentration two ways — as a share of new cash and as a share of the whole post-deploy account — flagging plans that stack onto themes the book already carries. A mandate-as-data constraint engine enforces single-name, speculative, theme, sector, cash, and no-margin limits; the synthesizer builds a constraint-clean hybrid via greedy allocation plus constraint repair, not averaging.

Robust integrations. A zero-dependency OAuth 1.0a client (HMAC-SHA1 from first principles) signs E*TRADE requests and pulls real fills into cost basis. A keyless price feed avoids any API token. The 401(k) monitor takes manual NetBenefits snapshots and uses benchmark-proxy ETFs to estimate balances between statements.

Cost-minimized AI. Daily tracking spends nothing on AI; deep analysis collapses to a single cached, structured model call.

A public face. A marketing landing page and interactive demos (tracker, desk, 401k) run on fictional data fully decoupled from any real plan config, so the product can be reviewed openly while the real account stays behind authentication.

Technical Highlights

• Deterministic / probabilistic split — the model has no data tools and computes no figures; every dollar value and constraint flag is reproducible and tested (46 unit tests).
• Hand-rolled OAuth 1.0a (HMAC-SHA1) — zero-dependency E*TRADE request signing, verified against live servers, with daily-token expiry handled gracefully.
• Parameterized engine reuse — one assembleDeskView / computeSleeve pipeline serves the live app and the demo from different inputs, eliminating duplicated math.
• Mandate-as-data constraints + weighted MCDA scoring — hard/soft caps, live-tunable criterion weights with instant re-ranking and sensitivity, and a greedy + constraint-repair synthesizer.
• Dual-denominator exposure — concentration measured against both new cash and the whole live account, the way a disciplined allocator actually thinks about risk.
• Persist-on-render history — 401(k) snapshots upsert to Neon Postgres by date so a monthly manual model still produces a real trend, no cron required.
• Adaptive data viz — a charting component with range toggles (30D/YTD/6M/12M/2Y/Max), span-aware axis labeling, and mobile scroll affordances (edge fade, sticky identifier column).
• Production hardening — Clerk auth with a public/private route split (marketing at root, app behind /app), fail-loud data pipelines (a bad price or corrupt basis file throws), and deployment-quota-aware CI hygiene.

Results

For the user:

• Daily, glanceable P&L that reconciles to E*TRADE to the penny, with a performance trend.
• A repeatable way to compare allocation plans against real cash and concentration — and a synthesized hybrid that's guaranteed to fit the mandate and reconcile to available cash.
• A 401(k) monitor with glide-path, milestone, and concentration alerts for an account that has no API at all.

Technical demonstration:

• A clean, defensible architecture for trust-sensitive AI applications: deterministic finance math cleanly separated from probabilistic judgment, OAuth 1.0a implemented from first principles, a cost-aware AI design, and a faithful public demo that runs the real engine on fictional data — patterns that transfer to any data-grounded, audit-sensitive product.