Skip to content

release: 2.5.0 — post-v2.4 multi-reviewer SDK audit closure (#273)#294

Merged
TexasCoding merged 1 commit into
mainfrom
release/2.5.0
May 21, 2026
Merged

release: 2.5.0 — post-v2.4 multi-reviewer SDK audit closure (#273)#294
TexasCoding merged 1 commit into
mainfrom
release/2.5.0

Conversation

@TexasCoding

Copy link
Copy Markdown
Owner

Cuts v2.5.0.

What ships

34 audit issues closed across 4 sequential waves:

20 PRs total; main is mypy strict clean, ruff clean, 2742 unit tests passing (3 skipped — tests/test_http2.py skipif when h2 extra not installed).

Breaking changes (justify v2.5.0 minor bump)

  1. orders.create() silently defaults count=1 and action="buy" on the kwarg path #242orders.create() requires count and action explicitly on the kwarg path (no silent 1-contract buy).
  2. Models: WS payloads use raw str for _fp / _dollars fields (OrderGroup, Ticker) #258 + Models: Strike + fee-multiplier fields use bare Decimal/float, bypass #225 coercion #259 — six REST model fields + three WS payload fields widened from str/float to Decimal. Wire format unchanged.

Migration guide: docs/migration.md v2.4 → v2.5 section (this PR).

Release procedure (post-merge)

Per docs/RELEASING.md:

  1. Merge this PR.
  2. git tag v2.5.0 && git push origin v2.5.0.github/workflows/release.yml will build + publish to PyPI via trusted publishing + create the GitHub Release.

Verification

  • pyproject.toml + kalshi/__init__.py __version__ both bumped to 2.5.0 (release workflow asserts they match the tag).
  • CHANGELOG section is in the format the release workflow extracts (## 2.5.0 — 2026-05-21 heading; awk extracts up to the next ## ).
  • ROADMAP Shipped section updated.

Closes #273.

34 issues across security, HTTP transport, WebSocket reliability, models/types,
REST resources, performance, and docs/testing. Two breaking changes folded in:
orders.create() requires count+action explicitly (#242); six REST + three WS
model fields widened str/float -> Decimal (#258, #259). Migration in
docs/migration.md v2.4 -> v2.5 section.

Closes #273.
@claude

claude Bot commented May 21, 2026

Copy link
Copy Markdown

Code Review — PR #294: release v2.5.0

This is a release/documentation PR (version bumps + CHANGELOG + ROADMAP + migration guide). The actual code changes landed across 20 prior PRs; I'll review what's in this diff and flag anything worth discussing before merge.


Overview

The diff is small and focused:

  • kalshi/__init__.py + pyproject.toml2.4.02.5.0
  • CHANGELOG.md — new ## 2.5.0 — 2026-05-21 section
  • ROADMAP.md — shipped entry for v2.5.0
  • docs/migration.md — new v2.4 → v2.5 section

No application code changes are in this PR, which is the correct pattern for a release cut.


What looks good

  • Version consistency. Both pyproject.toml and kalshi/__init__.py are bumped to 2.5.0. The release workflow asserts they match the tag — no drift here.
  • CHANGELOG format. The ## 2.5.0 — 2026-05-21 heading matches the awk extraction pattern documented in the release procedure. No format surprises for the workflow.
  • Migration guide quality. The v2.4 → v2.5 section is the strongest migration doc in the file. Every breaking change has a before/after code snippet, every additive feature has a usage example, and the "Observable but not breaking" section gives consumers a heads-up on type shape changes without overstating the impact.
  • Breaking changes are front-and-center. Both the PR description and the CHANGELOG lead with the two breakages (orders.create() silently defaults count=1 and action="buy" on the kwarg path #242, Models: WS payloads use raw str for _fp / _dollars fields (OrderGroup, Ticker) #258/Models: Strike + fee-multiplier fields use bare Decimal/float, bypass #225 coercion #259), which is good hygiene for a minor version bump.
  • Security improvements documented clearly. #239 (split-env guard), #250 (unknown-host default-fail), and #249 (conflicting key inputs) are all called out with rationale. The migration guide explains the opt-out path for allow_unknown_host.

Issues / things to verify before merge

1. OrderbookSnapshotPayload.yes/no type change is arguably breaking

The "Observable but not breaking" section in docs/migration.md lists:

OrderbookSnapshotPayload.yes and .no are now dict[Decimal, Decimal] rather than list[tuple[Decimal, Decimal]]

For any consumer reading those fields directly (not just through subscribe_book), this is a type-breaking change — dict and list[tuple] have different iteration contracts. It's worth either moving this to the "Breaking changes" section or adding a one-line note acknowledging that direct consumers of those fields are affected. The current framing may give users false confidence that no code review is needed on their side.

2. v2.4.0 and v2.5.0 share the same release date (2026-05-21)

Both CHANGELOG entries are dated 2026-05-21. This is technically fine, but it may confuse users scanning the changelog for "what changed since my version." If time permits, it could be worth noting in the CHANGELOG that v2.5 was released on the same day as v2.4 (e.g., a parenthetical like "released same-day as v2.4"). Low priority — the issue-reference trail makes the relationship clear.

3. KalshiNetworkError — verify it's exported from kalshi/__init__.py

The CHANGELOG introduces KalshiNetworkError as a new typed exception. This diff doesn't include kalshi/__init__.py changes to the __all__ list (only __version__ changed). If KalshiNetworkError was added in a prior PR (#240), verify it's already exported from the public surface — consumers catching it by name will get ImportError otherwise.

4. ConnectError retry on POST — documentation clarity

The CHANGELOG says:

ConnectError on POST/DELETE is also safe (request never reached the wire)

This is correct for TCP-level connect failures. However, some proxies or TLS termination points can establish the TCP connection but fail before the request bytes are sent — ConnectError can fire at the TLS handshake stage where the server may have partially seen the request. The migration guide doesn't mention this nuance. Given that this is a financial API, worth adding a one-liner like "callers should still reconcile POST outcomes via client_order_id when KalshiNetworkError is caught" to set expectations correctly.


Minor suggestions

  • The ROADMAP entry for v2.5.0 is well-written but references parenthetical issue numbers densely. Consider splitting the performance and DX bullets into two sentences for readability — purely cosmetic.
  • The migration guide's "Observable but not breaking" section correctly calls out Retry-After: -5 clamping. It would be helpful to note whether this changes behavior for users who were relying on the old fallback-to-backoff behavior (i.e., they now retry faster than before). Minor, but relevant for anyone with tight rate-limit tolerance.

Summary

The release artifacts look correct and the documentation is thorough. Three things worth a quick confirmation before merging:

  1. Verify KalshiNetworkError is already in kalshi/__init__.py's __all__ (from a prior PR).
  2. Consider whether OrderbookSnapshotPayload.yes/no dict-vs-list change belongs in the breaking changes section.
  3. Add a reconciliation note on ConnectError-on-POST retry for financial safety clarity.

Everything else looks merge-ready.

@TexasCoding
TexasCoding merged commit cc7947f into main May 21, 2026
5 checks passed
@TexasCoding
TexasCoding deleted the release/2.5.0 branch May 21, 2026 22:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Audit] 2026-05-21 post-v2.4 multi-reviewer SDK sweep — 34-issue umbrella

1 participant