Squashed from chore/license-relicense. Full message preserved in the original branch commitbb77eb5. See ADR-0002 for the decision rationale. Refs: ADR-0002, commitbb77eb5
2.4 KiB
2.4 KiB
//: # (Copyright (c) 2026 Rug Munch Media LLC)
SECURITY.md — PryScraper
Threat model, secrets, auth, rate limiting, vuln disclosure.
Threat Model
Assets
- User wallets (private keys never touch our servers — verified by signature)
- API keys (gopass)
- DB credentials (gopass)
- Reputation (RMM LLC brand)
Threats
- Secret leak to git — gitleaks pre-commit hook + history scan on incidents
- SQL injection — SQLAlchemy ORM + parameter binding only
- XSS — React auto-escapes; CSP headers on nginx
- CSRF — SameSite=Strict cookies + Bearer tokens
- DDoS — Cloudflare proxy in front
- Supply chain — renovate keeps deps updated; pip-audit weekly
Secrets
Storage: gopass (rmi/pryscraper/*)
Loading:
- Local dev:
.envfile (gitignored) - Production: docker
--env-file, systemdEnvironmentFile
Rotation:
- API tokens: quarterly
- DB passwords: quarterly
- Signing keys: on personnel change
Audit: any secret leak triggers rotation within 1 hour.
Authentication
- Bearer tokens for API
- OAuth2 (Telegram, etc) for user-facing bots
- x402 micropayments for paid endpoints (signing via Solana/EVM wallet)
Authorization
- RBAC for admin endpoints
- Rate limiting per IP/token (sliding window)
- Admin endpoints require
cfg.admin_keycheck
Input Validation
- Pydantic models for ALL API inputs (no
dict/anytypes) - Length limits, regex validation, enum constraints
- Reject any input containing mainnet addresses/keys (pre-commit hook)
Rate Limiting
- Default: 60 req/min per IP
- Burst: 100 req
- Authenticated: 600 req/min
- Returns 429 with
Retry-Afterheader
Dependencies
pip-auditweekly (CI)safety checkweekly (CI)- Renovate bot for auto-PR updates
Vulnerability Disclosure
Email: security@rugmunch.io (PGP key in gopass) Response within 24 hours. Patch within 7 days for critical, 30 days for medium.
Audit Log
Every state-changing action logged to:
app/state/audit/(JSONL, append-only)- ClickHouse (analytics, 90-day retention)
- WORM storage (R2 with object lock, 7-year retention)
Incident Response
- Detect (alert from monitoring)
- Contain (revoke compromised secrets, block IPs)
- Eradicate (patch vuln, deploy fix)
- Recover (verify systems clean, restore from backup if needed)
- Learn (post-mortem, update SECURITY.md)