diff --git a/README.md b/README.md index a4bfa21..a95f9e2 100644 --- a/README.md +++ b/README.md 
@@ -51,6 +51,147 @@ def run_colab(): ``` +## Security Warnings & Safe Usage Guide + +### Critical Security Issues + +**This notebook contains hardcoded API credentials that must be addressed before use.** + +#### 1. Exposed API Credentials (CRITICAL) + +The notebook contains multiple Alpaca API key/secret pairs in plain text. These credentials are compromised and should **never be used**. Look for code like: + +```python +trading_client = TradingClient('AKBX22ZJIYXAAD7YPOB0', 'secret_key_here', paper=False) +``` + +#### 2. Live Trading Enabled (CRITICAL) + +Some cells have `paper=False` which enables **real money trading**. Running these cells will execute actual market orders. + +#### 3. No Trading Safeguards + +The code lacks: +- Position size limits +- Maximum loss limits +- Circuit breakers +- Manual approval gates +- Trade logging + +--- + +### Before Running This Notebook + +#### Step 1: Remove Existing Credentials + +Search the notebook for all instances of: +- `TradingClient(` +- `StockDataStream(` + +Remove or replace all hardcoded API keys. + +#### Step 2: Set Up Proper Credential Management + +Create a `.env` file (add to `.gitignore`): + +```bash +ALPACA_API_KEY=your_api_key_here +ALPACA_SECRET_KEY=your_secret_key_here +``` + +Update the notebook to use environment variables: + +```python +import os +from dotenv import load_dotenv + +load_dotenv() + +trading_client = TradingClient( + os.getenv('ALPACA_API_KEY'), + os.getenv('ALPACA_SECRET_KEY'), + paper=True # Always start with paper trading +) +``` + +#### Step 3: Use Paper Trading First + +Always set `paper=True` until you have: +- Thoroughly tested the strategy +- Validated backtesting results +- Implemented proper risk management +- Understood all potential failure modes + +#### Step 4: Review Before Executing + +**Do not use "Run All"**. 
Review each cell individually, especially: +- Cells that install packages +- Cells that create trading clients +- Cells that submit orders + +--- + +### Known Risks + +| Risk | Severity | Description | +|------|----------|-------------| +| Financial Loss | CRITICAL | Real trading without safeguards can result in significant losses | +| Credential Theft | CRITICAL | Hardcoded keys can be stolen from git history | +| API Rate Limits | MEDIUM | Yahoo Finance limits: 2,000 requests/hour | +| Model Overfitting | MEDIUM | DRL models may not generalize to live markets | +| Execution Slippage | MEDIUM | Market orders may execute at unexpected prices | + +--- + +### Recommended Safeguards + +Before enabling live trading, implement: + +```python +# Example safeguards +MAX_POSITION_SIZE = 10 # Maximum shares per order +MAX_DAILY_LOSS = 100 # Stop trading after $100 loss +REQUIRE_CONFIRMATION = True # Manual approval for orders + +def safe_submit_order(client, order_data): + if order_data.qty > MAX_POSITION_SIZE: + raise ValueError(f"Order size {order_data.qty} exceeds limit {MAX_POSITION_SIZE}") + + if REQUIRE_CONFIRMATION: + confirm = input(f"Submit {order_data.side} order for {order_data.qty} {order_data.symbol}? (yes/no): ") + if confirm.lower() != 'yes': + print("Order cancelled") + return None + + return client.submit_order(order_data=order_data) +``` + +--- + +### System Requirements + +- **Python**: 3.7+ +- **RAM**: 8GB minimum (16GB recommended for model training) +- **Storage**: 2GB for dependencies and model checkpoints +- **GPU**: Optional, but speeds up DRL training significantly + +### Dependencies + +Install required packages: + +```bash +pip install python-dotenv alpaca-trade-api pandas numpy matplotlib +pip install git+https://github.com/AI4Finance-LLC/FinRL-Library.git +``` + +--- + +### Disclaimer + +**USE AT YOUR OWN RISK.** This code is for educational purposes only. 
The authors are not responsible for any financial losses incurred from using this software. Never invest money you cannot afford to lose. Always test with paper trading before using real funds. + +--- + ## Credits & More Resources Credits for the notebook go to the AI4FinanceFoundation, and for the API go to Alpaca.
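Review bot: In the "Recommended Safeguards" block, `MAX_DAILY_LOSS = 100` is declared but `safe_submit_order` never reads it, so the daily-loss limit that the Known Risks table and the "No Trading Safeguards" section promise is not actually enforced; add a realized-P&L check before `return client.submit_order(order_data=order_data)` or drop the constant so readers do not assume it is active. In the Step 2 snippet, `os.getenv('ALPACA_API_KEY')` returns `None` when the variable is unset and `TradingClient(None, None, paper=True)` is still constructed; `os.environ['ALPACA_API_KEY']` or an explicit `if not key: raise` fails fast instead of producing a confusing auth error later. The "Exposed API Credentials" section reproduces the key ID `AKBX22ZJIYXAAD7YPOB0` verbatim in the README, which propagates the string into every fork and copy-paste; show it as a placeholder such as `<REDACTED_KEY_ID>` since the paragraph already says the pair is compromised. Finally, the "Yahoo Finance limits: 2,000 requests/hour" figure in the Known Risks table cites no source; link the policy it comes from or mark it as approximate.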