pryscraper/SECURITY.md
cryptorugmunch 8d25702eca chore(license): re-license to dual MIT (core) + BSL 1.1 (stealth)
Squashed from chore/license-relicense. Full message preserved in the
original branch commit bb77eb5. See ADR-0002 for the decision rationale.

Refs: ADR-0002, commit bb77eb5
2026-07-02 19:59:18 +02:00

2.4 KiB

//: # (Copyright (c) 2026 Rug Munch Media LLC)

SECURITY.md — PryScraper

Threat model, secrets, auth, rate limiting, vuln disclosure.

Threat Model

Assets

  • User wallets (private keys never touch our servers — verified by signature)
  • API keys (gopass)
  • DB credentials (gopass)
  • Reputation (RMM LLC brand)

Threats

  1. Secret leak to git — gitleaks pre-commit hook + history scan on incidents
  2. SQL injection — SQLAlchemy ORM + parameter binding only
  3. XSS — React auto-escapes; CSP headers on nginx
  4. CSRF — SameSite=Strict cookies + Bearer tokens
  5. DDoS — Cloudflare proxy in front
  6. Supply chain — renovate keeps deps updated; pip-audit weekly

Secrets

Storage: gopass (rmi/pryscraper/*)

Loading:

  • Local dev: .env file (gitignored)
  • Production: docker --env-file, systemd EnvironmentFile

Rotation:

  • API tokens: quarterly
  • DB passwords: quarterly
  • Signing keys: on personnel change

Audit: any secret leak triggers rotation within 1 hour.

Authentication

  • Bearer tokens for API
  • OAuth2 (Telegram, etc) for user-facing bots
  • x402 micropayments for paid endpoints (signing via Solana/EVM wallet)

Authorization

  • RBAC for admin endpoints
  • Rate limiting per IP/token (sliding window)
  • Admin endpoints require cfg.admin_key check

Input Validation

  • Pydantic models for ALL API inputs (no dict/any types)
  • Length limits, regex validation, enum constraints
  • Reject any input containing mainnet addresses/keys (pre-commit hook)

Rate Limiting

  • Default: 60 req/min per IP
  • Burst: 100 req
  • Authenticated: 600 req/min
  • Returns 429 with Retry-After header

Dependencies

  • pip-audit weekly (CI)
  • safety check weekly (CI)
  • Renovate bot for auto-PR updates

Vulnerability Disclosure

Email: security@rugmunch.io (PGP key in gopass) Response within 24 hours. Patch within 7 days for critical, 30 days for medium.

Audit Log

Every state-changing action logged to:

  • app/state/audit/ (JSONL, append-only)
  • ClickHouse (analytics, 90-day retention)
  • WORM storage (R2 with object lock, 7-year retention)

Incident Response

  1. Detect (alert from monitoring)
  2. Contain (revoke compromised secrets, block IPs)
  3. Eradicate (patch vuln, deploy fix)
  4. Recover (verify systems clean, restore from backup if needed)
  5. Learn (post-mortem, update SECURITY.md)