pryscraper/.env.example
cryptorugmunch 80b067ea3b feat(secrets): gopass-based secret backend (PRY_SECRET_BACKEND)
The SECURITY.md contract said "use gopass" but the code only used
os.getenv. The deploy at /srv/pry/ had an .env file with secrets in
it, which violates the SECURITY.md threat model.

New module secrets_backend.py provides:
  get_secret(name, default) - resolves from gopass, env, or file
  set_secret(name, value)   - writes to gopass
  backend_info()            - diagnostic dict for /health or /status

Backends selected by PRY_SECRET_BACKEND env var:
  gopass (default) - reads from gopass at pry/<name>
  env              - reads from os.environ (PRY_<NAME> or PRY_<name>)
  file             - reads from PRY_ENV_FILE (default: PRY_DATA_DIR/.env)
  auto             - tries gopass, falls back to env

Refactored call sites:
  auth.py:        JWT_SECRET (was: os.getenv + ephemeral random default)
  x402.py:        X402_WALLET, X402_FACILITATOR_URL (was: os.getenv)

Seeded initial secrets on Talos (5 entries under pry/):
  jwt_secret, api_key, x402_wallet, x402_facilitator, ollama_url

Updated .env.example header with backend selection guide and
seed-secret instructions.

Tests: 9/9 in test_secrets_backend.py pass. 36 tests in
test_x402_mcp_spec.py + test_secrets_backend.py all pass.

Verified end-to-end:
  >>> import x402
  >>> x402.X402_WALLET
  '0xYourWalletAddressHere'
  >>> import auth
  >>> auth.JWT_SECRET
  'change-me-rotate-quarterly'

Follow-up: rotate jwt_secret and api_key to real random values.
Document the rotation cadence in SECURITY.md.
2026-07-02 20:26:00 +02:00

71 lines
2.4 KiB
Text

# SPDX-License-Identifier: MIT
# Copyright (c) 2026 Rug Munch Media LLC
# Part of Pry - https://git.rugmunch.io/RugMunchMedia/pryscraper
# Licensed under MIT. See LICENSE.
# ── Pry Configuration ──
# Copy this to .env and adjust values. All PRY_* vars are auto-loaded.
#
# ── SECRET BACKEND (see secrets_backend.py) ──
# Pry resolves secrets via secrets_backend.get_secret(name). Default backend is gopass.
# Override with PRY_SECRET_BACKEND:
# gopass (default) - reads from the gopass store under pry/<name>
# env - reads from os.environ (PRY_<NAME> or PRY_<name>)
# file - reads from PRY_ENV_FILE (default: $PRY_DATA_DIR/.env)
# auto - tries gopass, falls back to env (default)
#
# Seed initial secrets (one time):
# gopass insert -m pry/jwt_secret # opens editor, paste a strong random value
# gopass insert -m pry/api_key
# gopass insert -m pry/x402_wallet # your receiving EVM/Solana address
# gopass insert -m pry/x402_facilitator # https://x402.org/facilitator or your own
#
# Per the SECURITY.md contract, NO secrets live in .env in production.
# .env is for local dev and CI only.
# ── Core ──
PRY_HOST=0.0.0.0
PRY_PORT=8002
PRY_URL=http://localhost:8002
# Root directory for Pry's on-disk data (quality, monitors, sessions, etc.).
# Defaults to ~/.pry. Override for production (e.g., /var/lib/pry) or tests (e.g., /tmp/pry-test).
# PRY_DATA_DIR=~/.pry
# ── LLM / AI ──
# Ollama endpoint (used for summarization, categorization, extraction)
PRY_OLLAMA_URL=http://100.100.18.18:11434
# OpenRouter API key (optional — used for vision model queries)
# PRY_OPENROUTER_API_KEY=sk-or-v1-...
# ── Web Scraping ──
# FlareSolverr endpoint for Cloudflare bypass
PRY_FLARESOLVERR_URL=http://flaresolverr:8191/v1
# ── Webhook ──
# Secret used to sign job completion webhooks
# PRY_WEBHOOK_SECRET=pry-webhook-secret
# ── Authentication ──
# API key for endpoint authentication (empty = auth disabled)
# Set a strong random key to protect your Pry instance
# PRY_API_KEY=
# ── Proxy / Tor ──
# PRY_PROXY_URL=http://proxy:8080
# PRY_PROXY_TYPE=http
# PRY_PROXY_USERNAME=user
# PRY_PROXY_PASSWORD=pass
# PRY_TOR_ENABLED=false
# PRY_TOR_SOCKS5_HOST=tor
# PRY_TOR_SOCKS5_PORT=9050
# ── Rotation / Retry ──
# PRY_IP_ROTATION=
# PRY_MAX_RETRIES=3
# PRY_MIN_QUALITY=50
# PRY_RATE_LIMIT_RPM=120
# ── Redis ──
# PRY_REDIS_URL=redis://localhost:6379/0