Reliability and safety
How Lune stays safe: it rebuilds positions from broker truth on reconnect, blocks double execution, and retries failed exits.
Lune moves real money, so it is built to fail safely. This page explains how Lune keeps your positions correct when a connection drops, how it avoids double execution, and how it recovers a failed exit.
Reconnect, then reconcile, then resume#
Broker connections drop sometimes. A broker restarts, or a session times out. When that happens, Lune does not trust its old in-memory view. It rebuilds your positions from your broker's live state first.
When a connection drops, Lune pauses automations and copying for the affected accounts. Manual trading in the Cockpit is never paused by this.
Lune restores the broker session and confirms it is receiving live updates again.
Lune reads your real open positions from the broker and matches them against its own view before it does anything else.
Only once positions agree with broker truth does Lune resume automation and copying.
This is the difference between acting on stale data and acting on truth. Lune reconciles against your broker before it resumes, so a reconnect never resumes from a wrong position.
Double execution is blocked#
A money platform must never run the same signal twice. Lune uses two-phase deduplication to make sure it does not.
- Inflight lock. When a signal starts, Lune takes a short lock so the same signal cannot run at the same time in two places.
- Completed mark. After a signal finishes, Lune marks it done for a window, so a repeat of the same signal is ignored.
Both marks are stored so they survive a service restart. Lune also builds each event from stable inputs, not from a clock or a random value, so the same broker event always produces the same event and never counts twice.
The Sync Divergence Guard#
If a connection issue causes your positions to drift from broker truth (for example, you flatten at your broker while Lune is disconnected), Lune's Sync Divergence Guard pauses copying and automation for that account. It self-heals once positions are consistent again after reconnection. Manual trading is never affected by the guard.
Failed exits are retried#
An exit can fail during a broker outage. Lune does not drop it. Failed copy exits go into the Failed Exit Queue, held with 7-day retention and retried automatically with a backoff that eases pressure during an outage.
Exit safety is layered. Exit quantity is capped to the follower's current open size, so a copy exit cannot over-close or flip your position by accident.
Restarts are handled gracefully#
When Lune redeploys, it shuts down cleanly. It stops taking new work, lets in-flight orders finish, saves state that needs to survive, and closes broker connections cleanly. On restart, it reconciles against broker truth before resuming, just like any other reconnect.