Your strategy can fail silently — a hung loop, a crashed process, a position no SL was ever placed against. A watchdog is a second, independent program whose only job is to notice that and shout.
Imagine a warehouse with sensors, cameras, alarms — all wired to a central panel. The panel works. Until it doesn't. The cable gets cut, the power dies, the screen says everything is fine because nothing is sending updates.
So you also hire a night watchman. They don't trust the panel. Every fifteen minutes they walk the perimeter, count the doors, check the locks. If something is wrong they shout — through a different phone, on a different line.
That's exactly what these two processes do. They don't ask the trading bot "are you OK?" They go directly to the broker and the exchange and check what's actually there.
Watches overnight positional short positions on the equity index account. If a short is open, a hedge must be in place by 15:16 IST and removed at 09:16 IST the next morning.
File: hedge_runner.py
Bot: RedRisk
Watches MCX commodity short positions. Every short must have a live SL order (regular or GTT). Naked shorts, bad-state SLs, and orphan SLs all alert.
File: scripts/mcx_sl_watchdog.py
Bot: RedRisk
A short option held overnight has unlimited downside if the market gaps against you. The fix is well-known: buy a far-OTM option in the same series. That's the hedge. It caps the worst-case loss.
This watchdog isn't protecting the intraday strategies (they all close by squareoff). It protects external shorts — positions opened manually by the operator or by a separate positional strategy that has no concept of "place the hedge".
If a short exists overnight, a matching long (the hedge) must exist alongside it — same expiry, same quantity, far enough OTM to be cheap. Hedge quantity must always equal short quantity.
Each entry is a one-shot. The runner is not a long-lived process — cron starts it, it does one job, it exits. There's nothing to crash overnight, nothing to leak memory, nothing to forget.
# 15:16 IST — cron fires this entry on weekdays
1. Fetch live positions from the broker.
2. Keep only equity-index shorts that this account will hold overnight.
3. For each short:
compute the hedge strike (far OTM, same expiry).
compute the required hedge quantity = abs(short qty).
4. For each hedge that is missing or under-sized:
place a BUY order to top it up.
5. Persist what got placed to logs/hedge_state.json.
6. Alert RedRisk: "Hedges placed, all shorts covered."
# 15:20 / 15:25 / 15:29 IST — same logic, in --mode monitor
# If any hedge is still missing, re-place it. No state from earlier runs is trusted.
The state file is a record, not a source of truth. Every run re-reads positions from the broker. If you manually flatten a short between 15:16 and 15:20, the next monitor pass simply notices the hedge is now too large and stops there — it doesn't act on stale state.
MCX commodity options run from 09:00 to 23:30 IST. That's fourteen and a half hours of exposure per day. A short crude option with no stop-loss order on the exchange is a position with no defined worst case.
Because placement can quietly fail: the SL order gets rejected, cancelled by the broker, or never accepted by the exchange. The main bot will alert on most of these, but not all — and a crashed bot alerts on none of them.
The operator may have placed a GTT stop-loss through the Upstox app. The bot doesn't see those. The watchdog checks both the regular order book (v2) and the GTT book (v3) — a manual GTT counts as protection.
A short MCX position with no matching SL order in either the regular or GTT book. The most dangerous failure — pure undefined risk.
An SL exists but its status is rejected, cancelled, failed or expired. From the exchange's point of view, there is no protection.
The position is opened as MIS (intraday, auto-square-off) but the SL is NRML, or vice versa. Different product types don't protect each other — the SL won't trigger against the position you think it's guarding.
MCX entries are required to be MIS so the broker auto-squares anything we forget. A delivery-product MCX short bypasses that safety net — flagged.
A live SL exists but the underlying short is gone. If price moves to the trigger, the SL fires as an unintended long — you wake up with an inverted position.
trigger_pending, open, pendingSCHEDULEDrejected, cancelledFAILED, CANCELLED, EXPIREDSkipping the GTT book would mean false alarms every time the operator manually protected a position. Including it means a manual safety net counts.
The all-clear is deliberately quiet but present. If RedRisk goes silent for an hour during MCX hours, that itself is a signal — the watchdog has stopped running.
Neither runs inside the trading bot. If the bot is dead, hung, or in a bad deploy state, the watchdog still wakes up.
Each invocation is a fresh process. Nothing to keep alive, nothing to restart, nothing to leak.
Both query the broker for positions and orders on every run. No JSON cache is trusted as source of truth.
The main trading-info bot can get noisy and muted. RedRisk is a quiet channel reserved for "something is structurally wrong." Two channels = two attention budgets.
Running twice produces the same alert (or none). No double-counting, no double-placement. Safe to re-run by hand at any time.
If a critical step can fail without anyone noticing for an hour, you need an outside check. Examples: token refresh, websocket reconnect, file-handle leak.
If the worst case is "lose the day" or "lose the account", you can't rely on the main process to self-report. Examples: missing SL, missing hedge, wrong-side position.
A watchdog only works if the invariant is observable from the broker, the filesystem, or some external state. "Did the strategy think correctly?" is not checkable. "Is the SL order alive?" is.
External · cron-driven · broker-truth · separate channel · idempotent.
← Back to course index