The threat model
What can go wrong, in order of likelihood:API key leak (medium-likelihood, contained worst-case)
API key leak (medium-likelihood, contained worst-case)
VPS compromise (lower likelihood, contained worst-case)
VPS compromise (lower likelihood, contained worst-case)
Account credential leak (low likelihood, requires venue 2FA bypass)
Account credential leak (low likelihood, requires venue 2FA bypass)
Telegram session compromise
Telegram session compromise
Dashboard compromise
Dashboard compromise
SignalsBot compromise (webhook flood)
SignalsBot compromise (webhook flood)
100 req/15min), 64 KB body cap.The defense layers
Layer 1: API key permissions
Layer 2: IP allowlisting
Layer 3: Venue 2FA
Layer 4: Secret hygiene
Layer 5: Periodic rotation
Layer 6: Dashboard authentication
Layer 7: Notification-only Telegram
Layer 8: SignalsBot HMAC + rate limit
Architectural commitments
Why each architectural choice
Single-exchange-per-container (TradingBot)
Single-exchange-per-container (TradingBot)
Single internet-exposed surface (Dashboard) + optional SignalsBot
Single internet-exposed surface (Dashboard) + optional SignalsBot
Notification-only TelegramBot
Notification-only TelegramBot
Operator-driven updates
Operator-driven updates
HMAC-signed webhooks
HMAC-signed webhooks
Per-mode stop-losses
Per-mode stop-losses
Conservative error handling for unknown codes
Conservative error handling for unknown codes