onyx · May 29, 2026

Notebook 015 - We Gave the Second Reader Hands

Last week the agent could only watch. This week it can act — but only inside a cage it cannot widen.

The last notebook made a confident claim: the market agent should have no hands. It could watch the feed, read the news, interpret the tape, and flag what deserved attention, but it could never move capital. The boundary was the point. We even said the first version of any agent authority should be boring, read-only, and slow to earn trust, and that broader powers might "eventually make sense in narrow, audited forms."

This week we built that narrow, audited form.

We did not do it because the agent got smarter, or because we got braver. We did it because the read-only version, for all its discipline, kept losing the same way.

The Cost Of No Hands

A perfectly disciplined week that still leaves money on the table is telling you something.

For several sessions the desk produced the same shape of result: the risk rails never broke, nothing was chased, nothing was sold at a loss — and the book finished roughly flat while the broader tape rose and leaders ran. A flawless-discipline, flat-return week in a rising market is not a risk problem. It is a participation problem.

The second reader could already see it happening. It would flag, correctly, that a watchlist name had moved from background to decision-worthy. But seeing it was not the bottleneck. The bottleneck was the hand-off. A flagged leader only became a real position if a human wrote and approved an amendment while the setup was still clean — and that hand-off, again and again, lost to the tape. By the time the decision was written, the move was gone or extended.

So the recurring miss was never intelligence, and it was never evidence. It was latency between observation and a safe decision. The desk had better eyes and still arrived late.

You do not fix that by loosening risk. You fix it by removing the human-shaped delay between a clean signal and a safe action — without removing any of the safety.

Hands, But Caged

The first design decision, again, was not what the agent could do. It was what it could never do.

The new capability is deliberately small: at a few fixed checkpoints during the day, the desk-manager agent may promote one clean leader into a funded lane on its own. That is a real change. Last week the agent could only say "this deserves attention." This week it can say "promote this" and have it happen.

But the authority is bounded by a cage the agent cannot widen, and the cage is the whole design:

  • It can only ever exit a position above average entry. The no-sell-at-a-loss rule is not advice the agent weighs; it is a wall.
  • It cannot exceed the single-name cap or the gross-exposure cap. Those are ceilings in code, not numbers the agent is trusted to respect.
  • It can only fund a symbol that is already on the plan. It cannot invent a new name. The bench is fixed before the agent ever runs.
  • It cannot add to a position the book already holds. No automated averaging down.
  • It must attach an entry trigger and an invalidation below it, and a target above entry, or the promotion is refused.

None of these are things the agent decides to honor. They are things it physically cannot do. The hands move, but only inside the cage.

Judgment Proposes, Code Disposes

The money-affecting logic does not live in the part of the system that can be talked into a mistake.

The cleanest way we found to give an agent authority safely was to split the work in two. The agent supplies judgment: given a candidate that already cleared the deterministic gates, is this a clean entry or a chase? That is a question worth a language model. But the agent's answer is never trusted on its own. Every promotion it proposes is independently re-checked by deterministic code against the same hard rails, at the moment it would arm.

This is the same philosophy as the last notebook, pushed one layer further. There, the system calculated what could be calculated and asked the model only to read the room. Here, the model is allowed to make a call — but the call is re-validated by code before it can touch capital. The agent does not get to mark its own homework.

That separation is what makes the difference between "we trust the agent" and "we don't have to." We do not have to trust it, because nothing it says can widen a limit, skip the no-loss rule, or reach outside the plan. The judgment is the agent's. The enforcement is the code's.

Two Models, One Veto

The way to make a single agent's call safer is not a bigger model. It is a second, skeptical one.

A single agent approving its own trade is a single point of failure. So the promotion has to survive a second, independent reader whose only job is to refute it.

The desk manager proposes. The second reader — the same Grok second reader from last week, now given a sharper, narrower role — is handed one instruction: try to break this. Treat it as a chase. Default to rejection if you are at all unsure. Only a promotion that the proposer puts forward and the skeptic fails to refute is allowed to arm.

This is deliberately adversarial. We are not averaging two opinions into a softer one. We are asking one model to make the strongest case and another to make the strongest objection, and only acting when the objection cannot be sustained. Two independent reads, and zero human latency between them.

The second reader still has no authority of its own. It cannot promote anything. It can only veto. Its hands, unlike the desk manager's, are still empty — and that asymmetry is intentional. The proposer can act inside the cage; the skeptic can only stop it.

Fail-Closed Is The Default

The safe state is "do nothing," and the system returns to it on any doubt.

The most important property of the whole pipeline is what happens when something is uncertain. The answer is always the same: nothing arms, and the desk stays exactly where it was.

A veto blocks. A failed rail check blocks. A candidate that is not actually on the plan blocks. A second reader that cannot be reached blocks. A stale plan blocks. The manual pause switch blocks everything instantly. There is no path where an error, a timeout, or an ambiguous answer results in a trade. The system only moves on an affirmative, clean, fully-validated decision — and treats every other outcome as a reason to stand still.

That is the opposite of how most automation fails. The dangerous default is a system that keeps acting when it is confused. This one stops.
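
As an added illustration (not the desk's own code), here is how the arm-time re-check from "Hands, But Caged" and "Judgment Proposes, Code Disposes" can combine with the veto and the fail-closed default from this section. The cap values, field names and the `NO_OBJECTION` verdict string are assumptions, and the example covers only the promotion path, not exits.

```python
from dataclasses import dataclass

# Hypothetical limits; the notebook does not publish its real caps.
SINGLE_NAME_CAP = 10_000.0
GROSS_CAP = 50_000.0
MAX_PLAN_AGE_S = 900.0

@dataclass(frozen=True)
class Proposal:          # what the desk-manager agent submits
    symbol: str
    notional: float
    entry: float
    invalidation: float
    target: float

@dataclass(frozen=True)
class Desk:              # state read by code, never supplied by the agent
    plan: frozenset
    held: frozenset
    gross: float
    plan_age_s: float
    paused: bool = False

def rail_failures(p: Proposal, d: Desk) -> list:
    """Deterministic re-check at arm time; returns every rail that fails."""
    # Each test is written as "not (ok)" so NaN or junk numbers fail closed.
    checks = [
        (d.paused, "manual pause"),
        (not (d.plan_age_s <= MAX_PLAN_AGE_S), "stale plan"),
        (p.symbol not in d.plan, "symbol not on plan"),
        (p.symbol in d.held, "position already held"),
        (not (0 < p.notional <= SINGLE_NAME_CAP), "single-name cap"),
        (not (d.gross + p.notional <= GROSS_CAP), "gross-exposure cap"),
        (not (0 < p.invalidation < p.entry < p.target), "trigger/invalidation/target"),
    ]
    return [reason for failed, reason in checks if failed]

def decide(p: Proposal, d: Desk, skeptic) -> tuple:
    """Return ("ARM", []) only on a clean, affirmative path; else ("BLOCK", reasons)."""
    try:
        failures = rail_failures(p, d)
        if failures:
            return ("BLOCK", failures)
        verdict = skeptic(p)   # second reader: veto power only
    except Exception as exc:   # timeout, unreachable reader, malformed input
        return ("BLOCK", [f"error: {type(exc).__name__}"])
    if verdict != "NO_OBJECTION":  # anything else, including None, is a veto
        return ("BLOCK", ["skeptic veto or ambiguous answer"])
    return ("ARM", [])
```

The agent only ever constructs a `Proposal`; the limits and the `Desk` state sit outside anything its output can reach, which is what keeps the cage from being widened by a persuasive answer.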

The Worst Case Is Bounded

Autonomy is acceptable only if you can describe the worst thing it can do, and survive it.

Before letting any of this run, the test we held it to was simple: what is the worst single mistake it can make, and is that survivable?

Because of the cage, the worst case of one bad promotion is narrow. It cannot exceed the single-name cap. It cannot sell below entry. So the worst outcome is capital parked in a recovery hold that can only ever be released above its average entry — the same situation the desk already manages by hand, just smaller and automatic. One misfire cannot destroy the book, because the rails that bound a human's worst trade also bound the agent's.

That bound is the whole reason the autonomy is defensible. We are not claiming the agent will not be wrong. We are arranging things so that being wrong is cheap.

The Lesson

Giving an agent authority over capital safely is not about trusting the model more. It is about building a cage the model cannot widen.

Last week's lesson was that better eyes are useful only if the hands still obey the plan. This week's lesson is the next step: the hands can move faster than a human hand-off, and still obey the plan, if the obedience lives in code instead of in trust.

We did not give the agent more judgment and hope it used it well. We gave it a small, fixed amount of authority and surrounded it with walls it cannot move — the no-loss rule, the caps, the fixed bench, an adversarial veto, and a fail-closed default. Inside those walls it can act in seconds. Outside them it cannot act at all.

The boundary from the last notebook did not disappear. It moved. It used to be enforced by keeping the agent's hands empty. Now it is enforced by the shape of the cage those hands reach into.

That is the version of agent authority we were willing to ship: not a smarter trader, but a faster one that is structurally unable to break the rules that keep the desk alive.

The second reader still cannot resolve its own alert by trading. But the desk manager can now resolve one — as long as the cage agrees.