Adds missing standard artifacts: - README.md (if missing) - AGENTS.md (AI agent contract) - PLAN.md (current sprint) - STATUS.md (where we are) - DEVELOPMENT.md (dev workflow) - DEPLOYMENT.md (deploy procedure) - TESTING.md (test strategy) - DECISIONS.md (ADR index + templates) - .github/CODEOWNERS - .github/workflows/ci.yml Preserves all existing artifacts. Refs: RugMunchMedia/fleet-template
2.3 KiB
2.3 KiB
SECURITY.md — PryScraper
Threat model, secrets, auth, rate limiting, vuln disclosure.
Threat Model
Assets
- User wallets (private keys never touch our servers — verified by signature)
- API keys (gopass)
- DB credentials (gopass)
- Reputation (RMM LLC brand)
Threats
- Secret leak to git — gitleaks pre-commit hook + history scan on incidents
- SQL injection — SQLAlchemy ORM + parameter binding only
- XSS — React auto-escapes; CSP headers on nginx
- CSRF — SameSite=Strict cookies + Bearer tokens
- DDoS — Cloudflare proxy in front
- Supply chain — renovate keeps deps updated; pip-audit weekly
Secrets
Storage: gopass (rmi/pryscraper/*)
Loading:
- Local dev:
.envfile (gitignored) - Production: docker
--env-file, systemdEnvironmentFile
Rotation:
- API tokens: quarterly
- DB passwords: quarterly
- Signing keys: on personnel change
Audit: any secret leak triggers rotation within 1 hour.
Authentication
- Bearer tokens for API
- OAuth2 (Telegram, etc) for user-facing bots
- x402 micropayments for paid endpoints (signing via Solana/EVM wallet)
Authorization
- RBAC for admin endpoints
- Rate limiting per IP/token (sliding window)
- Admin endpoints require
cfg.admin_keycheck
Input Validation
- Pydantic models for ALL API inputs (no
dict/anytypes) - Length limits, regex validation, enum constraints
- Reject any input containing mainnet addresses/keys (pre-commit hook)
Rate Limiting
- Default: 60 req/min per IP
- Burst: 100 req
- Authenticated: 600 req/min
- Returns 429 with
Retry-Afterheader
Dependencies
pip-auditweekly (CI)safety checkweekly (CI)- Renovate bot for auto-PR updates
Vulnerability Disclosure
Email: security@rugmunch.io (PGP key in gopass) Response within 24 hours. Patch within 7 days for critical, 30 days for medium.
Audit Log
Every state-changing action logged to:
app/state/audit/(JSONL, append-only)- ClickHouse (analytics, 90-day retention)
- WORM storage (R2 with object lock, 7-year retention)
Incident Response
- Detect (alert from monitoring)
- Contain (revoke compromised secrets, block IPs)
- Eradicate (patch vuln, deploy fix)
- Recover (verify systems clean, restore from backup if needed)
- Learn (post-mortem, update SECURITY.md)