SECURITY.md

# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 1.x     | ✅ Yes    |

## Reporting a Vulnerability

**Do NOT open a public issue for security vulnerabilities.**

Include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We will respond within 48 hours and aim to patch critical issues within 7 days.

## Security Best Practices

### Secrets Management

- **Never commit secrets to git** — use HF Space secrets or environment variables
- `HF_TOKEN`: Store as HF Space secret, not in code
- `ANTHROPIC_API_KEY`, `LLM_API_KEY`: Same — HF Space secrets only
- `BETTER_AUTH_SECRET`: Generate strong random secret (`openssl rand -base64 32`)
- Rotate tokens if accidentally exposed

### Network Security

- `umask 0077` enforced at startup — all files created owner-only
- Cloudflare proxy uses shared secret for authentication
- No hardcoded credentials anywhere in codebase

### Database Security

- PostgreSQL runs locally inside container — not exposed externally
- HF Dataset backups are **private by default**
- Backup file contains all database data — protect your HF Dataset access

### API Security

- Paperclip API runs on port 3100 (internal only)
- Port 7861 exposes health dashboard and proxied access only
- Configure `BETTER_AUTH_SECRET` for production authentication
- Use `PAPERCLIP_DEPLOYMENT_MODE=authenticated` for public-facing deployments

### Container Security

- Based on `node:lts-trixie-slim` (minimal attack surface)
- No root process execution where avoidable
- Regular base image updates recommended

## Known Limitations

- HF Spaces free tier is public — anyone can access your Paperclip UI unless auth is configured
- Database backup stored in HF Dataset — ensure dataset is **private**
- Cloudflare Worker proxy can access proxied traffic — review before enabling