The SECURITY.md contract said "use gopass" but the code only used os.getenv. The deploy at /srv/pry/ had an .env file with secrets in it, which violates the SECURITY.md threat model. New module secrets_backend.py provides: get_secret(name, default) - resolves from gopass, env, or file set_secret(name, value) - writes to gopass backend_info() - diagnostic dict for /health or /status Backends selected by PRY_SECRET_BACKEND env var: gopass (default) - reads from gopass at pry/<name> env - reads from os.environ (PRY_<NAME> or PRY_<name>) file - reads from PRY_ENV_FILE (default: PRY_DATA_DIR/.env) auto - tries gopass, falls back to env Refactored call sites: auth.py: JWT_SECRET (was: os.getenv + ephemeral random default) x402.py: X402_WALLET, X402_FACILITATOR_URL (was: os.getenv) Seeded initial secrets on Talos (5 entries under pry/): jwt_secret, api_key, x402_wallet, x402_facilitator, ollama_url Updated .env.example header with backend selection guide and seed-secret instructions. Tests: 9/9 in test_secrets_backend.py pass. 36 tests in test_x402_mcp_spec.py + test_secrets_backend.py all pass. Verified end-to-end: >>> import x402 >>> x402.X402_WALLET '0xYourWalletAddressHere' >>> import auth >>> auth.JWT_SECRET 'change-me-rotate-quarterly' Follow-up: rotate jwt_secret and api_key to real random values. Document the rotation cadence in SECURITY.md.
71 lines
2.4 KiB
Text
71 lines
2.4 KiB
Text
# SPDX-License-Identifier: MIT
|
|
# Copyright (c) 2026 Rug Munch Media LLC
|
|
# Part of Pry - https://git.rugmunch.io/RugMunchMedia/pryscraper
|
|
# Licensed under MIT. See LICENSE.
|
|
|
|
# ── Pry Configuration ──
|
|
# Copy this to .env and adjust values. All PRY_* vars are auto-loaded.
|
|
#
|
|
# ── SECRET BACKEND (see secrets_backend.py) ──
|
|
# Pry resolves secrets via secrets_backend.get_secret(name). Default backend is gopass.
|
|
# Override with PRY_SECRET_BACKEND:
|
|
# gopass (default) - reads from the gopass store under pry/<name>
|
|
# env - reads from os.environ (PRY_<NAME> or PRY_<name>)
|
|
# file - reads from PRY_ENV_FILE (default: $PRY_DATA_DIR/.env)
|
|
# auto - tries gopass, falls back to env (default)
|
|
#
|
|
# Seed initial secrets (one time):
|
|
# gopass insert -m pry/jwt_secret # opens editor, paste a strong random value
|
|
# gopass insert -m pry/api_key
|
|
# gopass insert -m pry/x402_wallet # your receiving EVM/Solana address
|
|
# gopass insert -m pry/x402_facilitator # https://x402.org/facilitator or your own
|
|
#
|
|
# Per the SECURITY.md contract, NO secrets live in .env in production.
|
|
# .env is for local dev and CI only.
|
|
|
|
# ── Core ──
|
|
PRY_HOST=0.0.0.0
|
|
PRY_PORT=8002
|
|
PRY_URL=http://localhost:8002
|
|
|
|
# Root directory for Pry's on-disk data (quality, monitors, sessions, etc.).
|
|
# Defaults to ~/.pry. Override for production (e.g., /var/lib/pry) or tests (e.g., /tmp/pry-test).
|
|
# PRY_DATA_DIR=~/.pry
|
|
|
|
# ── LLM / AI ──
|
|
# Ollama endpoint (used for summarization, categorization, extraction)
|
|
PRY_OLLAMA_URL=http://100.100.18.18:11434
|
|
|
|
# OpenRouter API key (optional — used for vision model queries)
|
|
# PRY_OPENROUTER_API_KEY=sk-or-v1-...
|
|
|
|
# ── Web Scraping ──
|
|
# FlareSolverr endpoint for Cloudflare bypass
|
|
PRY_FLARESOLVERR_URL=http://flaresolverr:8191/v1
|
|
|
|
# ── Webhook ──
|
|
# Secret used to sign job completion webhooks
|
|
# PRY_WEBHOOK_SECRET=pry-webhook-secret
|
|
|
|
# ── Authentication ──
|
|
# API key for endpoint authentication (empty = auth disabled)
|
|
# Set a strong random key to protect your Pry instance
|
|
# PRY_API_KEY=
|
|
|
|
# ── Proxy / Tor ──
|
|
# PRY_PROXY_URL=http://proxy:8080
|
|
# PRY_PROXY_TYPE=http
|
|
# PRY_PROXY_USERNAME=user
|
|
# PRY_PROXY_PASSWORD=pass
|
|
# PRY_TOR_ENABLED=false
|
|
# PRY_TOR_SOCKS5_HOST=tor
|
|
# PRY_TOR_SOCKS5_PORT=9050
|
|
|
|
# ── Rotation / Retry ──
|
|
# PRY_IP_ROTATION=
|
|
# PRY_MAX_RETRIES=3
|
|
# PRY_MIN_QUALITY=50
|
|
# PRY_RATE_LIMIT_RPM=120
|
|
|
|
# ── Redis ──
|
|
# PRY_REDIS_URL=redis://localhost:6379/0
|