Local changes: Updated model training, removed debug instrumentation, and configuration improvements

2025-12-26 01:15:43 -05:00
commit cc60da49e7
388 changed files with 57127 additions and 0 deletions
--- a/docs/architecture/security.md
+++ b/docs/architecture/security.md
@@ -0,0 +1,135 @@
+# Security Architecture
+
+This document describes the security architecture of Crypto Trader.
+
+## Security Layers
+
+```
+Application Layer
+    ├──► API Key Encryption
+    ├──► Permission Management
+    └──► Audit Logging
+            │
+            ▼
+Storage Layer
+    ├──► Encrypted Storage
+    └──► Secure Key Management
+```
+
+## API Key Encryption
+
+### Encryption Process
+
+```
+Plain API Key
+    │
+    ▼
+Fernet Encryption
+    │
+    ▼
+Encrypted Key (Stored in Database)
+```
+
+### Key Management
+
+- **Encryption Key**: Stored securely (environment variable or keyring)
+- **Key Generation**: Automatic on first use
+- **Key Rotation**: Manual rotation process
+
+## Permission Management
+
+### Permission Levels
+
+- **Read-Only**: Data collection, backtesting only
+- **Trading Enabled**: Full trading capabilities
+
+### Permission Enforcement
+
+```
+API Request
+    │
+    ▼
+Permission Check
+    │
+    ├──► Read-Only Request
+    │         │
+    │         └──► Allow (read operations)
+    │
+    └──► Trading Request
+            │
+            ├──► Trading Enabled?
+            │         │
+            │         ├──► Yes: Allow
+            │         └──► No: Reject
+```
+
+## Secure Storage
+
+### Keyring Integration
+
+- **Linux**: Secret Service (GNOME Keyring)
+- **macOS**: Keychain
+- **Windows**: Windows Credential Manager
+
+### Fallback Storage
+
+If keyring unavailable:
+- Environment variable (development only)
+- Encrypted file with user permission
+
+## Audit Logging
+
+All security events are logged:
+
+- API key changes
+- Permission changes
+- Trading operations
+- Configuration changes
+- Error events
+
+### Audit Log Format
+
+```python
+{
+    "timestamp": "2025-12-13T19:00:00Z",
+    "event_type": "API_KEY_CHANGED",
+    "user_id": "system",
+    "details": {
+        "exchange": "coinbase",
+        "action": "updated"
+    }
+}
+```
+
+## Data Privacy
+
+- **Local Storage**: All data stored locally
+- **No Telemetry**: No data sent externally
+- **Encryption**: Sensitive data encrypted at rest
+- **Access Control**: File system permissions
+
+## Best Practices
+
+1. **Use Read-Only Keys**: When possible, use read-only API keys
+2. **IP Whitelisting**: Enable IP whitelisting on exchange accounts
+3. **Regular Rotation**: Rotate API keys periodically
+4. **Secure Environment**: Keep encryption keys secure
+5. **Audit Review**: Regularly review audit logs
+
+## Threat Model
+
+### Threats Addressed
+
+- **API Key Theft**: Encryption at rest
+- **Unauthorized Trading**: Permission checks
+- **Data Breach**: Local storage, encryption
+- **Man-in-the-Middle**: HTTPS for API calls
+- **Key Logging**: Secure keyring storage
+
+### Security Boundaries
+
+- **Application Boundary**: Application code
+- **Storage Boundary**: Encrypted database
+- **Network Boundary**: Secure API connections
+- **System Boundary**: File system permissions
+