# Security

HoopScout is initially intended for local or restricted-network use by a small private group.

## Authentication and Authorization

- API endpoints require an authenticated Django user.
- Django admin is enabled for controlled data management.
- Users have a profile role: `admin`, `scout`, or `viewer`.
- Role-specific authorization is not enforced beyond authentication in the MVP: any authenticated user, whatever their role, can reach every API endpoint.

## Network Exposure

Local Compose exposes:

- backend on `8000`;
- frontend on `4200`;
- PostgreSQL only inside the Compose network.

Published ports are reachable from every host interface unless the Compose file binds them to `127.0.0.1`; on a shared network, bind them to loopback or firewall the host.

## Secrets

`.env.example` contains placeholders only. Real local values must be stored in `.env`, which is ignored by Git.

## Containers

Backend and frontend containers run as non-root users. PostgreSQL uses the official image defaults and a named volume.

## Data Sources

The repository does not include credentials, scraping logic, or copied external datasets. RealGM, Proballers, and other provider data must be integrated only through authorized APIs or a documented compliant import process.

## Known Dependency Findings

`npm audit` reports moderate vulnerabilities through `webpack-dev-server -> sockjs -> uuid` in the Angular development toolchain, with no available fix at the time of implementation. These packages belong to the development toolchain; the dev server is intended for local restricted use only and must not be exposed publicly.
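The Authentication and Authorization section above records that the `admin`, `scout` and `viewer` roles exist but are not yet enforced, so every authenticated user can call every endpoint. The following is an added example, not HoopScout code, of the kind of role gate that closes that gap: a framework-agnostic decorator that checks authentication first and then the role against a strict rank table in which an unknown or missing role is denied rather than treated as the lowest tier. It assumes the role is reachable as `request.user.profile.role` (attribute path assumed) and that `admin` outranks `scout`, which outranks `viewer` (ordering assumed); the Django request and user objects are replaced by constructed stand-ins so the example runs offline.

```python
"""Role-based authorization gate for HoopScout-style views.

Added example, not project code. Assumes ``request.user`` exposes
``is_authenticated`` and ``profile.role`` (attribute names assumed).
The role names admin/scout/viewer come from the project's security notes.
"""
from functools import wraps

# Least to most privileged; a higher role implies the lower ones (ordering assumed).
ROLE_RANK = {"viewer": 0, "scout": 1, "admin": 2}


class Unauthenticated(Exception):
    """No authenticated user on the request (maps to HTTP 401)."""


class Forbidden(Exception):
    """Authenticated user lacks the required role (maps to HTTP 403)."""


def role_allows(user_role, required_role):
    """True if user_role is at least as privileged as required_role.

    Unknown or missing roles are denied, so a typo in the database or a user
    without a profile never silently gains access.
    """
    if user_role not in ROLE_RANK or required_role not in ROLE_RANK:
        return False
    return ROLE_RANK[user_role] >= ROLE_RANK[required_role]


def require_role(required_role):
    """Decorator for view functions whose first argument is the request.

    Authentication is checked first (the MVP already does this); the role
    check is the addition. Denial raises instead of running the view body.
    """
    if required_role not in ROLE_RANK:
        raise ValueError(f"unknown role {required_role!r}")

    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            user = getattr(request, "user", None)
            if user is None or not getattr(user, "is_authenticated", False):
                raise Unauthenticated()
            profile = getattr(user, "profile", None)   # assumed attribute path
            if not role_allows(getattr(profile, "role", None), required_role):
                raise Forbidden()
            return view(request, *args, **kwargs)
        return wrapped
    return decorator


# Constructed stand-ins for Django's user and request objects.
class FakeProfile:
    def __init__(self, role):
        self.role = role


class FakeUser:
    def __init__(self, role=None, is_authenticated=True):
        self.is_authenticated = is_authenticated
        self.profile = FakeProfile(role) if role is not None else None


class FakeRequest:
    def __init__(self, user):
        self.user = user


@require_role("scout")
def create_report(request):
    """Writing a scouting report requires the scout role or higher."""
    return "report created"


def outcome(user):
    """Call the protected view and return the HTTP status it would produce."""
    try:
        create_report(FakeRequest(user))
        return 200
    except Unauthenticated:
        return 401
    except Forbidden:
        return 403


if __name__ == "__main__":
    for label, user in [("anonymous", FakeUser(is_authenticated=False)),
                        ("viewer", FakeUser("viewer")), ("scout", FakeUser("scout")),
                        ("admin", FakeUser("admin")), ("no profile", FakeUser())]:
        print(f"{label:>10}: {outcome(user)}")
```

In a Django project the same decorator applies unchanged to function views, because `HttpRequest.user` already exposes `is_authenticated`; only the `profile.role` path and the rank ordering need confirming against the project's actual profile model.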