TradingAgents/SETUP_SECURE.md

Secure Setup Guide for TradingAgents

This guide will help you set up TradingAgents with security best practices in mind.

Prerequisites

• Python 3.10 or higher
• Git
• API keys for OpenAI and Alpha Vantage

Step 1: Clone the Repository

git clone https://github.com/TauricResearch/TradingAgents.git
cd TradingAgents

Step 2: Create Virtual Environment

Always use a virtual environment to isolate dependencies:

# Create virtual environment
python3 -m venv venv

# Activate it
# On macOS/Linux:
source venv/bin/activate
# On Windows:
# venv\Scripts\activate

Step 3: Install Dependencies Securely

# Upgrade pip first
pip install --upgrade pip

# Install dependencies from requirements.txt
pip install -r requirements.txt

# Optional: Install development dependencies
pip install pytest bandit black flake8 mypy safety

Verify Dependency Security

# Check for known vulnerabilities
pip install safety
safety check

# Or use pip-audit
pip install pip-audit
pip-audit

Step 4: Configure Environment Variables

CRITICAL: Never hardcode API keys in your code!

Create .env File

# Copy the example file
cp .env.example .env

# Edit .env with your actual values
# Use your preferred editor (nano, vim, code, etc.)
nano .env

Fill in Your API Keys

Edit .env to include your actual API keys:

# Required API Keys
OPENAI_API_KEY=sk-your-actual-openai-key-here
ALPHA_VANTAGE_API_KEY=your-actual-alpha-vantage-key-here

# Optional: Custom directories
TRADINGAGENTS_DATA_DIR=/secure/path/to/data
TRADINGAGENTS_RESULTS_DIR=/secure/path/to/results

# Optional: Logging
LOG_LEVEL=INFO

Verify .env is Gitignored

# Verify .env is in .gitignore
cat .gitignore | grep ".env"

# Should output: .env

Step 5: Secure Your API Keys

Get API Keys

1. OpenAI API Key:

   • Go to https://platform.openai.com/api-keys
   • Create a new secret key
   • Copy it immediately (you won't see it again)

2. Alpha Vantage API Key:

   • Go to https://www.alphavantage.co/support/#api-key
   • Fill in the form to get a free API key
   • Copy the key from the email

Protect Your Keys

# Set proper permissions on .env file (Unix-like systems)
chmod 600 .env

# Verify permissions
ls -l .env
# Should show: -rw-------

API Key Best Practices

1. Use separate keys for development and production
2. Rotate keys regularly (every 90 days recommended)
3. Set spending limits in your API provider dashboard
4. Monitor usage regularly for unusual activity
5. Never share keys via email, Slack, or other insecure channels
6. Revoke immediately if you suspect compromise

Step 6: Create Secure Data Directories

# Create directories with proper permissions
mkdir -p data results

# Set restrictive permissions (Unix-like systems)
chmod 700 data results

# Verify
ls -ld data results
# Should show: drwx------

Step 7: Verify Installation

# Test import
python -c "from tradingagents.graph.trading_graph import TradingAgentsGraph; print('Success!')"

# Run security validators test
python -c "from tradingagents.security import validate_ticker; print(validate_ticker('AAPL'))"

Step 8: Run Security Checks

Static Security Analysis

# Run Bandit security linter
bandit -r tradingagents/ -ll

# Check for common security issues
python -m bandit -r tradingagents/ -f json -o security-report.json

Check for Secrets in Git History

# Install trufflehog or gitleaks
# Using gitleaks:
docker run -v $(pwd):/path zricethezav/gitleaks:latest detect --source="/path" -v

# Or manually search
git log -p | grep -i "api[_-]key\|secret\|password" | head -20

Step 9: Configure Logging

Create a logging configuration file:

# Create logs directory
mkdir -p logs
chmod 700 logs

# Create logging config
cat > logging_config.json <<EOF
{
  "version": 1,
  "disable_existing_loggers": false,
  "formatters": {
    "standard": {
      "format": "%(asctime)s - %(name)s - %(levelname)s - %(message)s"
    }
  },
  "handlers": {
    "file": {
      "class": "logging.handlers.RotatingFileHandler",
      "filename": "logs/tradingagents.log",
      "maxBytes": 10485760,
      "backupCount": 5,
      "formatter": "standard"
    }
  },
  "root": {
    "level": "INFO",
    "handlers": ["file"]
  }
}
EOF

Step 10: Test the Setup

Create a test script to verify everything works:

# test_setup.py
from tradingagents.graph.trading_graph import TradingAgentsGraph
from tradingagents.default_config import DEFAULT_CONFIG
from tradingagents.security import validate_ticker, validate_date
from dotenv import load_dotenv
import os

# Load environment
load_dotenv()

# Verify API keys are set
assert os.getenv("OPENAI_API_KEY"), "OPENAI_API_KEY not set"
assert os.getenv("ALPHA_VANTAGE_API_KEY"), "ALPHA_VANTAGE_API_KEY not set"
print("✓ API keys are set")

# Verify security validators
try:
    validate_ticker("AAPL")
    print("✓ Ticker validation works")
except Exception as e:
    print(f"✗ Ticker validation failed: {e}")

try:
    validate_date("2024-01-15")
    print("✓ Date validation works")
except Exception as e:
    print(f"✗ Date validation failed: {e}")

# Verify config
config = DEFAULT_CONFIG.copy()
assert config["data_dir"] != "/Users/yluo/Documents/Code/ScAI/FR1-data", \
    "Hardcoded path still present!"
print("✓ Configuration is secure")

# Test basic initialization
try:
    config["quick_think_llm"] = "gpt-4o-mini"
    config["deep_think_llm"] = "gpt-4o-mini"
    ta = TradingAgentsGraph(config=config, debug=False)
    print("✓ TradingAgents initialized successfully")
except Exception as e:
    print(f"✗ Initialization failed: {e}")

print("\n✓ All security checks passed!")

Run the test:

python test_setup.py

Step 11: Set Up Git Hooks (Optional)

Prevent accidental commits of secrets:

# Install pre-commit hooks
pip install pre-commit

# Create .pre-commit-config.yaml
cat > .pre-commit-config.yaml <<EOF
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: detect-private-key
      - id: check-added-large-files
      - id: check-yaml
      - id: end-of-file-fixer
      - id: trailing-whitespace

  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets
        args: ['--baseline', '.secrets.baseline']

  - repo: https://github.com/PyCQA/bandit
    rev: 1.7.5
    hooks:
      - id: bandit
        args: ['-ll', '-i']
EOF

# Install hooks
pre-commit install

# Run manually
pre-commit run --all-files

Step 12: Production Deployment Checklist

Before deploying to production:

• All API keys are stored securely (not in code)
• .env file is never committed to git
• Debug mode is disabled (debug=False)
• Logging is configured properly
• File permissions are restrictive (600 for files, 700 for directories)
• Dependencies are pinned to specific versions
• Security scanning is enabled in CI/CD
• Rate limiting is configured
• Monitoring and alerting are set up
• Backup strategy is in place
• Incident response plan exists

Troubleshooting

Issue: API Key Not Found

Error: ValueError: OPENAI_API_KEY environment variable is not set

Solution:

# Verify .env file exists
ls -la .env

# Verify .env is loaded
python -c "from dotenv import load_dotenv; import os; load_dotenv(); print(os.getenv('OPENAI_API_KEY'))"

# Check if running from correct directory
pwd

Issue: Permission Denied

Error: PermissionError: [Errno 13] Permission denied

Solution:

# Fix directory permissions
chmod 700 data results logs

# Fix file permissions
chmod 600 .env

Issue: Import Errors

Error: ModuleNotFoundError: No module named 'tradingagents'

Solution:

# Verify virtual environment is activated
which python

# Reinstall in development mode
pip install -e .

Security Monitoring

Set Up Alerts

Monitor for:

1. Unusual API usage patterns
2. Failed authentication attempts
3. Large data transfers
4. Unexpected errors

Regular Security Tasks

• Weekly: Review logs for anomalies
• Monthly: Rotate API keys
• Quarterly: Update dependencies and scan for vulnerabilities
• Annually: Full security audit

Additional Resources

• SECURITY.md - Security policy and vulnerability reporting
• SECURITY_AUDIT.md - Detailed security audit results
• IMPROVEMENTS.md - Suggested improvements and enhancements
• OWASP Top 10
• Python Security Best Practices

Getting Help

If you encounter security issues:

1. DO NOT open a public GitHub issue
2. Email: yijia.xiao@cs.ucla.edu
3. Include detailed steps to reproduce
4. Wait for acknowledgment (within 48 hours)

Conclusion

You now have a secure installation of TradingAgents! Remember:

• Keep your API keys secret
• Regularly update dependencies
• Monitor for unusual activity
• Follow security best practices

Happy and secure trading!