feat: bootstrap HoopScout scouting app

2026-06-03 21:37:15 +02:00
parent c4b1b6ee15
commit cc188468bc
52 changed files with 14505 additions and 126 deletions
@@ -1,16 +1,34 @@
 # Security

-Describe security assumptions and controls.
+HoopScout is initially intended for local or restricted-network use by a small private group.

-Include:
+## Authentication and Authorization

- authentication;
- authorization;
- network exposure;
- TLS/certificates;
- secrets management;
- logging of sensitive data;
- container privileges;
- filesystem permissions;
- dependency management;
- relevant ADRs.
+- API endpoints require an authenticated Django user.
+- Django admin is enabled for controlled data management.
+- Users have a profile role: `admin`, `scout`, or `viewer`.
+- Role-specific authorization is not enforced beyond authentication in the MVP.
+
+## Network Exposure
+
+Local Compose exposes:
+
+- backend on `8000`;
+- frontend on `4200`;
+- PostgreSQL only inside the Compose network.
+
+## Secrets
+
+`.env.example` contains placeholders only. Real local values must be stored in `.env`, which is ignored by Git.
+
+## Containers
+
+Backend and frontend containers run as non-root users. PostgreSQL uses the official image defaults and a named volume.
+
+## Data Sources
+
+The repository does not include credentials, scraping logic, or copied external datasets. RealGM, Proballers, and other provider data must be integrated only through authorized APIs or a documented compliant import process.
+
+## Known Dependency Findings
+
+`npm audit` reports moderate vulnerabilities through `webpack-dev-server -> sockjs -> uuid` in the Angular development toolchain, with no available fix at the time of implementation. The dev server is intended for local restricted use only and must not be exposed publicly.