Skip to content

Releases: cslev/tradleware

v3.3.2b

Choose a tag to compare

@cslev cslev released this 02 Jun 01:02

[v3.3.2b] - 2026-06-02

Security

  • CVE-2026-48710 (BadHost) assessment — confirmed Tradleware is not directly exploitable (no custom BaseHTTPMiddleware using request.url.path for access control; auth is route-level via session). Upgraded as a precaution.
  • Starlette 0.52.1 → 1.2.1 — pulls in Host header validation per RFC 9112/3986.
  • FastAPI 0.129.0 → 0.136.3 — updated alongside Starlette (tightly coupled dependency).
  • src/requirement.txt — pinned fastapi>=0.136.3; added explicit starlette>=1.0.1 minimum constraint.

v3.3.1b

Choose a tag to compare

@cslev cslev released this 23 May 04:22

[v3.3.1b] - 2026-05-23

Improvements/Fixes

  • Webhook handler now accepts TradingView 'long'/'short' as 'buy'/'sell' (normalized for all bots).
  • README and docs now strongly emphasize that the ticker field in webhook payloads must match the bot's crypto_stablecoin_pair (e.g., BTC/USDT), not a generic ticker or space-separated format. Added warning for TradingView users.

v3.3.0b

Choose a tag to compare

@cslev cslev released this 16 May 08:35

[v3.3.0b] - 2026-05-16

Tradleware v3.3.0b - Binance support

New Features

  • Binance exchange integration — full BinanceTrader implementation using CCXT. Supports market and maker-limit orders, percentage-based and fixed-quantity order sizing, fiat→stablecoin conversion, open order listing, and per-bot bot_configs/crypto/binance.yaml configuration. Uses standard API key + secret key (HMAC-SHA256) authentication — no passphrase required. Subaccounts are supported by creating API keys under each Binance subaccount and configuring them as separate bots; subaccount_name is a display-only label for the dashboard. Binance.US users can set hostname: api.binance.us.

v3.2.0b

Choose a tag to compare

@cslev cslev released this 16 May 05:22

New RELEASE [v3.2.0b] - 2026-05-16

Tradleware v3.2.0b Dashboard

New Features

  • Kraken Pro exchange integration — full KrakenTrader implementation using CCXT. Supports market and maker-limit orders, percentage-based and fixed-quantity order sizing, fiat→stablecoin conversion, open order listing, and per-bot bot_configs/crypto/kraken.yaml configuration. Uses standard API key + private key (base64) authentication — no passphrase required.

Improvements

  • Hostname now always populated — all crypto traders (OKX, Crypto.com, IR, Coinbase, Kraken) resolve their exchange hostname to a concrete default (e.g. api.kraken.com, okx.com) if the YAML field is left empty. The resolved hostname is now visible on the bot card in the dashboard.
  • hostname field made optional in bot YAML — removed from the _CRYPTO_REQUIRED validation set in config_loader.py. Leaving hostname blank (or omitting it entirely) is now valid; each trader falls back to its exchange default automatically.
  • Return type annotations — all five crypto trader classes now have explicit return type annotations on create_order, cancel_order, fetch_open_orders, list_fiat_markets, and convert_fiat_to_stablecoin.

v3.1.0b

Choose a tag to compare

@cslev cslev released this 09 May 05:11

[v3.1.0b] - 2026-05-09

New Features

  • Coinbase Advanced Trade integration — full CoinbaseTrader implementation using CCXT with Coinbase CDP (Cloud Developer Platform) API keys. Supports market buys/sells, percentage-based and fixed-quantity orders, fiat→stablecoin conversion, and the 4-layer order pattern. CDP key format (organizations/...) is handled automatically by CCXT via ES256 JWT signing.
  • Maker-limit buy override for limit-only pairsCoinbaseTrader overrides _get_maker_buy_price to price limit orders at the ask (not bid), so they fill immediately on exchanges that enforce limit-only mode (e.g. USDC/SGD on Coinbase). This provides market-equivalent execution without requiring market order support.
  • Per-trader convert_fiat_to_stablecoin strategy — removed the hardcoded order_execution_strategy='market' from the dashboard's convert endpoint. Each trader now uses its own default (Coinbase defaults to maker_limit; OKX, Crypto.com, and IR continue to use market).

Improvements

  • Bot ID label readability — the Bot ID pill on dashboard exchange card headers now uses a dark semi-transparent background with blur so it remains legible against any exchange logo image.
  • Coinbase logo added to exchange logo assets.
  • Version hidden from login pageTRADLEWARE_VERSION is no longer displayed on the unauthenticated login page to prevent version fingerprinting by unauthenticated visitors. The version remains visible in the authenticated dashboard footer.

v3.0.7b

Choose a tag to compare

@cslev cslev released this 07 May 10:32

[v3.0.7b] - 2026-05-07

New Features

  • Update availability indicator — a background task (_update_check_loop) polls the GitHub Tags API (https://api.github.com/repos/cslev/tradleware/tags) once at startup and then every 6 hours (configurable via UPDATE_CHECK_INTERVAL_S in .env). The dashboard footer now shows a pulsing neon-magenta "⬆ Update available: vX.X.X" badge when a newer version tag exists on GitHub, or a static green "✔ Up to date!" indicator when the running version is current. No Gotify notification — visual only.

Improvements

  • Dashboard green color unified — all status-text greens in index.html normalised to text-green-300 / #86efac (connection encrypted, trusted IP, server public IP lines).

v3.0.6b

Choose a tag to compare

@cslev cslev released this 27 Apr 01:15

Improvements

  • Webhook received log — a new INFO log line is emitted at the very start of webhook processing, before any validation, showing trader_id, action, and ticker. This makes it immediately visible in logs what was sent even when a request fails validation (e.g. wrong trader_id).

v3.0.5b

Choose a tag to compare

@cslev cslev released this 25 Apr 07:10

[v3.0.5b] - 2026-04-25

Bug Fixes

  • IBKR duplicate error handler registrationsconnect() was called repeatedly (on startup, by the health-check loop on reconnect, and by fetch_positions/create_order internally), each time adding a new _on_error handler via += without removing the old one. With N reconnect attempts, N handlers accumulated on ib.errorEvent, causing every IB error event (e.g. error 1100, 2106) to fire N identical log lines and N Gotify notifications simultaneously. Fixed by always doing self.ib.errorEvent -= self._on_error before += self._on_error in connect(), ensuring exactly one handler registration at all times.

v3.0.4b

Choose a tag to compare

@cslev cslev released this 20 Apr 10:34

[v3.0.4b] - 2026-04-20

Bug Fixes

  • IBKR 1101/1102 double log on reconnect — error codes 1101 (connectivity restored) and 1102 (briefly lost and restored) both fired on every reconnect event, generating two separate log lines. Merged into a single handler: one success log + is_connected = True. Also fixes a latent bug where 1102 previously only logged a WARNING without updating is_connected.
  • IBKR error 2150 Gotify noise — error 2150 ("Invalid position trade derived value") fires when IB cannot compute derived P&L because market price is unavailable (e.g. during pre/post-market). Added to the debug-only informational list — no Gotify alert, no WARNING log.
  • Dashboard bot card expands on Webhook Details tab — switching to the Webhook Details tab caused the card to grow wider than its container due to an unconstrained <pre> block. Fixed with max-width: 100% on .tab-content pre and min-width: 0 on .card-col.
  • Dashboard hover glow neon top border clipped — the box-shadow top glow on .bot-card:hover was clipped by the parent .card-col. Fixed by removing overflow: hidden from .card-col and adding padding-top: 6px to give the 4px translateY lift room without cropping.
  • Mobile navbar shows full brand text — on small screens the "Tradleware" text was visible next to the logo, wasting space. Wrapped in .navbar-brand-text and hidden via display: none at ≤768px; only the logo icon is shown on mobile.

Improvements

  • cURL example uses per-bot ticker — the Webhook Details tab now generates the cURL example with the correct ticker for each bot (from a server-rendered trader-tickers JSON data island) instead of the hardcoded placeholder BTC/USDT.
  • cURL example uses real timestamptimestamp in the cURL example is now set to the actual Unix timestamp at page load (Date.now()), replacing the old hardcoded 1700000000.
  • IBKR error code handler consolidated — error code 10349 folded into the shared debug-only elif errorCode in [...] branch alongside 21032158 and 10167; redundant separate branch removed.

v3.0.3b

Choose a tag to compare

@cslev cslev released this 18 Apr 10:58

New Features

  • Sticky navbar on dashboard — a proper <header> element now sits above <main> with position: sticky; top: 0; z-index: 50; frosted-glass background (rgba(0,0,0,0.85) + backdrop-filter: blur(12px)); neon-cyan bottom border and glow
  • Cyberpunk brand in navbar — "Trad" rendered in --neon-blue, "leware" in --neon-pink with top: -0.15em offset; Fira Code bold 2.5rem; logo_v5.png icon at 3.5rem left of text
  • Login page restyled — vertical logo replaced with logo_v5.png icon (10rem) + same Fira Code Trad/leware brand text below it; "Welcome Back" subtitle retained

Improvements

  • Logout button enlarged (px-6 py-3 text-sm, w-5 h-5 icon) and repositioned to navbar right

Bug Fixes

  • IBKR false order failure on TIF preset (error 10349) — IB error 10349 ("Order TIF was set to DAY based on order preset") causes IB to internally cancel and immediately resubmit the order with TIF=DAY; the polling loop previously treated this transient Cancelled state as a terminal failure. Fixed: polling now inspects trade.log and skips the Cancelled state when the last logged error code is 10349, allowing the resubmitted order to fill normally.
  • Error 10349 Gotify noise — IB error 10349 was being logged at WARNING level, firing a Gotify notification on every single order. Downgraded to DEBUG — it is purely informational and fires on every market order placed without explicit TIF.
  • fetch_positions logging pollutionfetch_positions() was logging all positions across all symbols in the account (MGK, SCHD, VUSD, etc.) instead of only the symbol the bot is configured for. Now only logs the position for the configured symbol.

New Features

  • IBKR auto-reconnect on connection drop — the IBKR health-check loop now automatically calls trader.connect() when a connection is found to be down, instead of only notifying the user to reconnect via the dashboard. Sends a Gotify success notification on successful auto-reconnect, or a Gotify error notification if reconnect fails (retry on next health-check cycle).

Improvements

  • Order failure reason surfaced — when an IBKR order is rejected or cancelled for a non-10349 reason, the IB error code and message are now included in the RuntimeError raised to the webhook caller (e.g. "Reason: [201] Order rejected - Insufficient funds"), making it easier to diagnose the root cause.
  • pylint: 10.00/10 maintained across all of src/