merge: chore/cleanup-remove-bloat-and-secrets into main

This commit is contained in:
Crypto Rug Munch 2026-07-02 01:24:22 +07:00
commit bde2f3a97d
1173 changed files with 437609 additions and 0 deletions

98
SECURITY_STACK.md Normal file
View file

@ -0,0 +1,98 @@
# RugMunch Intelligence — Security Stack Summary
# Generated: 2026-05-08
# WARNING: This file describes the security tooling deployed on this host.
# Do NOT share externally — contains system architecture details.
# Access: chmod 600, root-only.
══════════════════════════════════════════════════════════════════
INSTALLED OPEN-SOURCE SECURITY TOOLS
══════════════════════════════════════════════════════════════════
SAST (Static Analysis):
bandit 1.9.4 Python security linter → pipx install bandit
semgrep 1.162.0 Cross-language static analysis → pipx install semgrep
Secret Detection:
gitleaks 8.25.1 Git + filesystem secret scanning → binary download
Dependency Scan:
pip-audit 2.10.0 PyPI vulnerability audit → pipx install pip-audit
Container Scanning:
trivy 0.70.0 Container + filesystem + secrets → binary download
IPS / WAF:
crowdsec 1.7.7 Collaborative intrusion detection → apt install
fail2ban active IP-based brute-force blocker → apt install
Pre-commit:
pre-commit 4.6.0 Git hook automation → pipx install pre-commit
══════════════════════════════════════════════════════════════════
NEW FILES CREATED
══════════════════════════════════════════════════════════════════
/srv/rmi/backend/.bandit.yaml Bandit config (excludes B105/B311 false-posit, dirs)
/srv/rmi/backend/.gitleaks.toml Gitleaks allowlist (public SOL addresses + static/)
/srv/rmi/backend/.trivyignore Trivy ignore (investigation evidence files)
/srv/rmi/backend/.pre-commit-config.yaml Pre-commit: bandit + gitleaks + isort + black + pip-audit
/srv/rmi/backend/run-security.sh Full security suite runner
/srv/rmi/backend/tmp/ fail2ban templates + GitHub Actions template
══════════════════════════════════════════════════════════════════
CODE FIXES APPLIED
══════════════════════════════════════════════════════════════════
DOCKERFILE:
- FROM python:3.12-slim (was 3.11)
- Added non-root `rmi` user + USER rmi
- Upgraded known-vulnerable packages: jaraco.context + wheel
CODE (md5 → sha256 - CWE-327):
app/fallback_engine.py:83 Cache key hash
app/routers/news_feed.py:237 Article deduplication hash
app/routers/rugmaps.py:462 Token cluster seed
app/routers/social.py:435 Like hash
app/rugmaps_analyzer.py:99 Analyzer seed
BUG FIXES:
app/routers/daily_briefing.py:280 Fixed unterminated string literal syntax error
══════════════════════════════════════════════════════════════════
SCAN RESULTS (latest run)
══════════════════════════════════════════════════════════════════
Bandit: 0 HIGH, 42 MEDIUM (excludes B105 false-positives)
Semgrep: 4 findings (2 INFO + 2 WARNING — all in x402-gateway/*.ts, not backend)
pip-audit: 0 known dependency vulnerabilities
Gitleaks: 0 leaks (after allowlist for public SOL addresses + dist/)
Trivy fs: 0 HIGH/CRITICAL (after .trivyignore for investigation evidence)
══════════════════════════════════════════════════════════════════
MANUAL DEPLOY STEPS
══════════════════════════════════════════════════════════════════
Deploy fail2ban API abuse protection:
sudo cp /srv/rmi/backend/tmp/rmi-api.conf /etc/fail2ban/filter.d/rmi-api.conf
sudo cp /srv/rmi/backend/tmp/rmi-api-jail.conf /etc/fail2ban/jail.d/rmi-api.conf
sudo systemctl restart fail2ban
Deploy GitHub Actions when repo hooks up:
mkdir -p .github/workflows
cp /srv/rmi/backend/tmp/github-workflow.yml .github/workflows/security.yml
══════════════════════════════════════════════════════════════════
COMMAND REFERENCE
══════════════════════════════════════════════════════════════════
Quick scan: cd /srv/rmi/backend && ./run-security.sh
Full scan: cd /srv/rmi/backend && ./run-security.sh --full
Bandit only: bandit -r app/ -c .bandit.yaml
Semgrep only: semgrep --config=auto
pip-audit: pip-audit -r requirements.txt
Gitleaks: gitleaks detect --source . --no-git --config .gitleaks.toml
Trivy fs: trivy fs --scanners vuln,secret,misconfig .
Trivy image: trivy image --severity HIGH,CRITICAL rmi-backend:latest
Pre-commit: pre-commit run --all-files
CrowdSec stats: cscli metrics + cscli decisions list
Fail2ban ban: sudo fail2ban-client status rmi-api