pryscraper/SECURITY.md
cryptorugmunch 47ba268131 docs: apply fleet-template (16-artifact scaffold)
Adds missing standard artifacts:
- README.md (if missing)
- AGENTS.md (AI agent contract)
- PLAN.md (current sprint)
- STATUS.md (where we are)
- DEVELOPMENT.md (dev workflow)
- DEPLOYMENT.md (deploy procedure)
- TESTING.md (test strategy)
- DECISIONS.md (ADR index + templates)
- .github/CODEOWNERS
- .github/workflows/ci.yml

Preserves all existing artifacts.

Refs: RugMunchMedia/fleet-template
2026-07-02 02:07:13 +07:00

78 lines
2.3 KiB
Markdown

# SECURITY.md — PryScraper
> Threat model, secrets, auth, rate limiting, vuln disclosure.
## Threat Model
### Assets
- User wallets (private keys never touch our servers — verified by signature)
- API keys (gopass)
- DB credentials (gopass)
- Reputation (RMM LLC brand)
### Threats
1. **Secret leak to git** — gitleaks pre-commit hook + history scan on incidents
2. **SQL injection** — SQLAlchemy ORM + parameter binding only
3. **XSS** — React auto-escapes; CSP headers on nginx
4. **CSRF** — SameSite=Strict cookies + Bearer tokens
5. **DDoS** — Cloudflare proxy in front
6. **Supply chain** — renovate keeps deps updated; pip-audit weekly
## Secrets
**Storage**: gopass (`rmi/pryscraper/*`)
**Loading**:
- Local dev: `.env` file (gitignored)
- Production: docker `--env-file`, systemd `EnvironmentFile`
**Rotation**:
- API tokens: quarterly
- DB passwords: quarterly
- Signing keys: on personnel change
**Audit**: any secret leak triggers rotation within 1 hour.
## Authentication
- Bearer tokens for API
- OAuth2 (Telegram, etc) for user-facing bots
- x402 micropayments for paid endpoints (signing via Solana/EVM wallet)
## Authorization
- RBAC for admin endpoints
- Rate limiting per IP/token (sliding window)
- Admin endpoints require `cfg.admin_key` check
## Input Validation
- Pydantic models for ALL API inputs (no `dict`/`any` types)
- Length limits, regex validation, enum constraints
- Reject any input containing mainnet addresses/keys (pre-commit hook)
## Rate Limiting
- Default: 60 req/min per IP
- Burst: 100 req
- Authenticated: 600 req/min
- Returns 429 with `Retry-After` header
## Dependencies
- `pip-audit` weekly (CI)
- `safety check` weekly (CI)
- Renovate bot for auto-PR updates
## Vulnerability Disclosure
Email: security@rugmunch.io (PGP key in gopass)
Response within 24 hours.
Patch within 7 days for critical, 30 days for medium.
## Audit Log
Every state-changing action logged to:
- `app/state/audit/` (JSONL, append-only)
- ClickHouse (analytics, 90-day retention)
- WORM storage (R2 with object lock, 7-year retention)
## Incident Response
1. Detect (alert from monitoring)
2. Contain (revoke compromised secrets, block IPs)
3. Eradicate (patch vuln, deploy fix)
4. Recover (verify systems clean, restore from backup if needed)
5. Learn (post-mortem, update SECURITY.md)