pryscraper/SECURITY.md
cryptorugmunch bb77eb5f35 chore(license): re-license to dual MIT (core) + BSL 1.1 (stealth)
Re-license Pry from full Proprietary to a dual-license model:

- Core engine, extraction, templates (80+), MCP server, x402 payment rail,
  CLI, SDK, browser extension, WordPress plugin, Shopify app, and
  llm_providers: MIT (see LICENSE)
- Anti-detection / stealth subset (15 files): BSL 1.1 with Change Date
  2029-01-01 (see LICENSE-BSL-STEALTH)

BSL files (anti-detection moat):
  ultimate_scraper.py, stealth_engine.py, stealth_scripts/*.js (6),
  camoufox_integration.py, tls_fingerprint.py, cookie_warmer.py,
  behavioral_biometrics.py, adaptive.py, browser_pool.py, network.py,
  captcha_solver.py, shadow_dom.py, lazy_load.py, signup_automator.py,
  auth_connector.py

This enables community contributions to the core engine (templates,
integrations, MCP tools) while protecting the anti-detection techniques
that constitute the actual competitive moat. BSL Additional Use Grant
permits free non-production use; production deployment requires a
commercial license from enterprise@rugmunch.io.

Changes:
- Replace proprietary LICENSE with MIT LICENSE + new LICENSE-BSL-STEALTH
- Add SPDX-License-Identifier headers to 300+ source files
- Add docs/adr/0002-dual-licensing.md (ADR documenting the decision)
- Update README.md: new License section with BSL Additional Use Grant
- Update LICENSING_PRICING_STRATEGY.md: Section 3 (PryScraper) for dual license
- Update AGENTS.md: license line in header + new rule 8 (PRs touching BSL rejected)
- Update pyproject.toml: license = "MIT AND BSL-1.1" + classifiers + license-files
- Update DECISIONS.md index with ADR-0002
- Update STATUS.md (2026-07-03) and PLAN.md sprint goals

Refs: ADR-0002
2026-07-02 19:49:21 +02:00

2.4 KiB

//: # (Copyright (c) 2026 Rug Munch Media LLC)

SECURITY.md — PryScraper

Threat model, secrets, auth, rate limiting, vuln disclosure.

Threat Model

Assets

  • User wallets (private keys never touch our servers — verified by signature)
  • API keys (gopass)
  • DB credentials (gopass)
  • Reputation (RMM LLC brand)

Threats

  1. Secret leak to git — gitleaks pre-commit hook + history scan on incidents
  2. SQL injection — SQLAlchemy ORM + parameter binding only
  3. XSS — React auto-escapes; CSP headers on nginx
  4. CSRF — SameSite=Strict cookies + Bearer tokens
  5. DDoS — Cloudflare proxy in front
  6. Supply chain — renovate keeps deps updated; pip-audit weekly

Secrets

Storage: gopass (rmi/pryscraper/*)

Loading:

  • Local dev: .env file (gitignored)
  • Production: docker --env-file, systemd EnvironmentFile

Rotation:

  • API tokens: quarterly
  • DB passwords: quarterly
  • Signing keys: on personnel change

Audit: any secret leak triggers rotation within 1 hour.

Authentication

  • Bearer tokens for API
  • OAuth2 (Telegram, etc) for user-facing bots
  • x402 micropayments for paid endpoints (signing via Solana/EVM wallet)

Authorization

  • RBAC for admin endpoints
  • Rate limiting per IP/token (sliding window)
  • Admin endpoints require cfg.admin_key check

Input Validation

  • Pydantic models for ALL API inputs (no dict/any types)
  • Length limits, regex validation, enum constraints
  • Reject any input containing mainnet addresses/keys (pre-commit hook)

Rate Limiting

  • Default: 60 req/min per IP
  • Burst: 100 req
  • Authenticated: 600 req/min
  • Returns 429 with Retry-After header

Dependencies

  • pip-audit weekly (CI)
  • safety check weekly (CI)
  • Renovate bot for auto-PR updates

Vulnerability Disclosure

Email: security@rugmunch.io (PGP key in gopass) Response within 24 hours. Patch within 7 days for critical, 30 days for medium.

Audit Log

Every state-changing action logged to:

  • app/state/audit/ (JSONL, append-only)
  • ClickHouse (analytics, 90-day retention)
  • WORM storage (R2 with object lock, 7-year retention)

Incident Response

  1. Detect (alert from monitoring)
  2. Contain (revoke compromised secrets, block IPs)
  3. Eradicate (patch vuln, deploy fix)
  4. Recover (verify systems clean, restore from backup if needed)
  5. Learn (post-mortem, update SECURITY.md)