Releases: cslev/tradleware
Releases · cslev/tradleware
Release list
v3.3.2b
[v3.3.2b] - 2026-06-02
Security
- CVE-2026-48710 (BadHost) assessment — confirmed Tradleware is not directly exploitable (no custom
BaseHTTPMiddlewareusingrequest.url.pathfor access control; auth is route-level via session). Upgraded as a precaution. - Starlette 0.52.1 → 1.2.1 — pulls in Host header validation per RFC 9112/3986.
- FastAPI 0.129.0 → 0.136.3 — updated alongside Starlette (tightly coupled dependency).
src/requirement.txt— pinnedfastapi>=0.136.3; added explicitstarlette>=1.0.1minimum constraint.
v3.3.1b
[v3.3.1b] - 2026-05-23
Improvements/Fixes
- Webhook handler now accepts TradingView 'long'/'short' as 'buy'/'sell' (normalized for all bots).
- README and docs now strongly emphasize that the
tickerfield in webhook payloads must match the bot'scrypto_stablecoin_pair(e.g.,BTC/USDT), not a generic ticker or space-separated format. Added warning for TradingView users.
v3.3.0b
[v3.3.0b] - 2026-05-16
New Features
- Binance exchange integration — full
BinanceTraderimplementation using CCXT. Supports market and maker-limit orders, percentage-based and fixed-quantity order sizing, fiat→stablecoin conversion, open order listing, and per-botbot_configs/crypto/binance.yamlconfiguration. Uses standard API key + secret key (HMAC-SHA256) authentication — no passphrase required. Subaccounts are supported by creating API keys under each Binance subaccount and configuring them as separate bots;subaccount_nameis a display-only label for the dashboard. Binance.US users can sethostname: api.binance.us.
v3.2.0b
New RELEASE [v3.2.0b] - 2026-05-16
New Features
- Kraken Pro exchange integration — full
KrakenTraderimplementation using CCXT. Supports market and maker-limit orders, percentage-based and fixed-quantity order sizing, fiat→stablecoin conversion, open order listing, and per-botbot_configs/crypto/kraken.yamlconfiguration. Uses standard API key + private key (base64) authentication — no passphrase required.
Improvements
- Hostname now always populated — all crypto traders (
OKX,Crypto.com,IR,Coinbase,Kraken) resolve their exchange hostname to a concrete default (e.g.api.kraken.com,okx.com) if the YAML field is left empty. The resolved hostname is now visible on the bot card in the dashboard. hostnamefield made optional in bot YAML — removed from the_CRYPTO_REQUIREDvalidation set inconfig_loader.py. Leavinghostnameblank (or omitting it entirely) is now valid; each trader falls back to its exchange default automatically.- Return type annotations — all five crypto trader classes now have explicit return type annotations on
create_order,cancel_order,fetch_open_orders,list_fiat_markets, andconvert_fiat_to_stablecoin.
v3.1.0b
[v3.1.0b] - 2026-05-09
New Features
- Coinbase Advanced Trade integration — full
CoinbaseTraderimplementation using CCXT with Coinbase CDP (Cloud Developer Platform) API keys. Supports market buys/sells, percentage-based and fixed-quantity orders, fiat→stablecoin conversion, and the 4-layer order pattern. CDP key format (organizations/...) is handled automatically by CCXT via ES256 JWT signing. - Maker-limit buy override for limit-only pairs —
CoinbaseTraderoverrides_get_maker_buy_priceto price limit orders at the ask (not bid), so they fill immediately on exchanges that enforce limit-only mode (e.g. USDC/SGD on Coinbase). This provides market-equivalent execution without requiring market order support. - Per-trader
convert_fiat_to_stablecoinstrategy — removed the hardcodedorder_execution_strategy='market'from the dashboard's convert endpoint. Each trader now uses its own default (Coinbase defaults tomaker_limit; OKX, Crypto.com, and IR continue to usemarket).
Improvements
- Bot ID label readability — the Bot ID pill on dashboard exchange card headers now uses a dark semi-transparent background with blur so it remains legible against any exchange logo image.
- Coinbase logo added to exchange logo assets.
- Version hidden from login page —
TRADLEWARE_VERSIONis no longer displayed on the unauthenticated login page to prevent version fingerprinting by unauthenticated visitors. The version remains visible in the authenticated dashboard footer.
v3.0.7b
[v3.0.7b] - 2026-05-07
New Features
- Update availability indicator — a background task (
_update_check_loop) polls the GitHub Tags API (https://api.github.com/repos/cslev/tradleware/tags) once at startup and then every 6 hours (configurable viaUPDATE_CHECK_INTERVAL_Sin.env). The dashboard footer now shows a pulsing neon-magenta "⬆ Update available: vX.X.X" badge when a newer version tag exists on GitHub, or a static green "✔ Up to date!" indicator when the running version is current. No Gotify notification — visual only.
Improvements
- Dashboard green color unified — all status-text greens in
index.htmlnormalised totext-green-300/#86efac(connection encrypted, trusted IP, server public IP lines).
v3.0.6b
Improvements
- Webhook received log — a new
INFOlog line is emitted at the very start of webhook processing, before any validation, showingtrader_id,action, andticker. This makes it immediately visible in logs what was sent even when a request fails validation (e.g. wrongtrader_id).
v3.0.5b
[v3.0.5b] - 2026-04-25
Bug Fixes
- IBKR duplicate error handler registrations —
connect()was called repeatedly (on startup, by the health-check loop on reconnect, and byfetch_positions/create_orderinternally), each time adding a new_on_errorhandler via+=without removing the old one. With N reconnect attempts, N handlers accumulated onib.errorEvent, causing every IB error event (e.g. error 1100, 2106) to fire N identical log lines and N Gotify notifications simultaneously. Fixed by always doingself.ib.errorEvent -= self._on_errorbefore+= self._on_errorinconnect(), ensuring exactly one handler registration at all times.
v3.0.4b
[v3.0.4b] - 2026-04-20
Bug Fixes
- IBKR 1101/1102 double log on reconnect — error codes
1101(connectivity restored) and1102(briefly lost and restored) both fired on every reconnect event, generating two separate log lines. Merged into a single handler: onesuccesslog +is_connected = True. Also fixes a latent bug where1102previously only logged aWARNINGwithout updatingis_connected. - IBKR error 2150 Gotify noise — error
2150("Invalid position trade derived value") fires when IB cannot compute derived P&L because market price is unavailable (e.g. during pre/post-market). Added to the debug-only informational list — no Gotify alert, noWARNINGlog. - Dashboard bot card expands on Webhook Details tab — switching to the Webhook Details tab caused the card to grow wider than its container due to an unconstrained
<pre>block. Fixed withmax-width: 100%on.tab-content preandmin-width: 0on.card-col. - Dashboard hover glow neon top border clipped — the
box-shadowtop glow on.bot-card:hoverwas clipped by the parent.card-col. Fixed by removingoverflow: hiddenfrom.card-coland addingpadding-top: 6pxto give the 4pxtranslateYlift room without cropping. - Mobile navbar shows full brand text — on small screens the "Tradleware" text was visible next to the logo, wasting space. Wrapped in
.navbar-brand-textand hidden viadisplay: noneat ≤768px; only the logo icon is shown on mobile.
Improvements
- cURL example uses per-bot ticker — the Webhook Details tab now generates the cURL example with the correct
tickerfor each bot (from a server-renderedtrader-tickersJSON data island) instead of the hardcoded placeholderBTC/USDT. - cURL example uses real timestamp —
timestampin the cURL example is now set to the actual Unix timestamp at page load (Date.now()), replacing the old hardcoded1700000000. - IBKR error code handler consolidated — error code
10349folded into the shared debug-onlyelif errorCode in [...]branch alongside2103–2158and10167; redundant separate branch removed.
v3.0.3b
New Features
- Sticky navbar on dashboard — a proper
<header>element now sits above<main>withposition: sticky; top: 0; z-index: 50; frosted-glass background (rgba(0,0,0,0.85)+backdrop-filter: blur(12px)); neon-cyan bottom border and glow - Cyberpunk brand in navbar — "Trad" rendered in
--neon-blue, "leware" in--neon-pinkwithtop: -0.15emoffset; Fira Code bold 2.5rem;logo_v5.pngicon at 3.5rem left of text - Login page restyled — vertical logo replaced with
logo_v5.pngicon (10rem) + same Fira Code Trad/leware brand text below it; "Welcome Back" subtitle retained
Improvements
- Logout button enlarged (
px-6 py-3 text-sm,w-5 h-5icon) and repositioned to navbar right
Bug Fixes
- IBKR false order failure on TIF preset (error 10349) — IB error 10349 ("Order TIF was set to DAY based on order preset") causes IB to internally cancel and immediately resubmit the order with TIF=DAY; the polling loop previously treated this transient
Cancelledstate as a terminal failure. Fixed: polling now inspectstrade.logand skips theCancelledstate when the last logged error code is 10349, allowing the resubmitted order to fill normally. - Error 10349 Gotify noise — IB error 10349 was being logged at
WARNINGlevel, firing a Gotify notification on every single order. Downgraded toDEBUG— it is purely informational and fires on every market order placed without explicit TIF. - fetch_positions logging pollution —
fetch_positions()was logging all positions across all symbols in the account (MGK, SCHD, VUSD, etc.) instead of only the symbol the bot is configured for. Now only logs the position for the configured symbol.
New Features
- IBKR auto-reconnect on connection drop — the IBKR health-check loop now automatically calls
trader.connect()when a connection is found to be down, instead of only notifying the user to reconnect via the dashboard. Sends a Gotify success notification on successful auto-reconnect, or a Gotify error notification if reconnect fails (retry on next health-check cycle).
Improvements
- Order failure reason surfaced — when an IBKR order is rejected or cancelled for a non-10349 reason, the IB error code and message are now included in the
RuntimeErrorraised to the webhook caller (e.g."Reason: [201] Order rejected - Insufficient funds"), making it easier to diagnose the root cause. - pylint: 10.00/10 maintained across all of
src/

