# Security Scan Report — 2026-02-26

## Summary

| Check | Result | Severity |
|-------|--------|----------|
| npm audit (the-50-dollar-app) | ✅ 0 vulnerabilities | OK |
| Exposed ports | ⚠️ Port 8765 (voice-assistant) externally bound | MEDIUM |
| Firewall | ❌ UFW inactive, iptables ACCEPT-all | HIGH |
| Service permissions | ⚠️ All 8 agents run as root | MEDIUM |
| World-readable secrets | ⚠️ Several .env files at 644/664 | MEDIUM |

## Findings

### 1. npm audit — CLEAN ✅
`the-50-dollar-app`: 0 vulnerabilities found.

### 2. Exposed Ports — ISSUE ⚠️
**Expected external:** 22 (SSH), 80 (nginx), 443 (nginx), 3000 (Next.js via nginx)
**Unexpected:** 
- **Port 8765** — Voice assistant (Python WebSocket) bound to `0.0.0.0:8765`. Externally reachable. Running as root since Feb 17. This is a potential attack surface — unauthenticated WebSocket endpoint.
- Tailscale ports (44606, 48780) — expected, Tailscale-managed.

Agent ports (18789-18812) are bound to `[::1]` (localhost only) — ✅ correct.

### 3. Firewall — CRITICAL ❌
- **UFW is INACTIVE.** No firewall rules enforced.
- **iptables INPUT policy is ACCEPT.** Only Tailscale chain (`ts-input`) is present.
- This means ALL ports bound to 0.0.0.0 are reachable from the internet. Port 8765 and any future services are exposed by default.

**Recommendation:** Enable UFW with allow rules for 22, 80, 443 only. This blocks 8765 and any future accidentally-exposed services.
```
sudo ufw default deny incoming
sudo ufw allow 22/tcp
sudo ufw allow 80/tcp  
sudo ufw allow 443/tcp
sudo ufw enable
```

### 4. Service Permissions — ADVISORY ⚠️
All 8 Clawdbot agents run as `root` with no systemd hardening:
- `ProtectHome=no`
- `ProtectSystem=no`
- `NoNewPrivileges=no`

Only `rateright-app` runs as `ccuser` (good).

**Risk:** If any agent is compromised, attacker has full root access. This is acceptable for now given the VPS is single-purpose, but worth hardening later.

### 5. World-Readable Secrets — ISSUE ⚠️
Several .env files with secrets are world-readable (644 or 664):
- `/home/ccuser/rateright-growth/voice-assistant/.env` (644, root) — likely contains API keys
- `/home/ccuser/rateright-growth/phone-ai/.env` (644, root)
- `/home/ccuser/rateright-growth/admin/.env` (664, ccuser)
- `/home/ccuser/the-50-dollar-app/.env.local` (644, ccuser)
- Various backup .env files at 644

**Good:** `/home/ccuser/rateright-growth/.env` is 600 ✅, `/root/.rivet.env` is 600 ✅

**Recommendation:** `chmod 600` on all .env files containing secrets.

## Priority Actions
1. **Enable UFW** — blocks port 8765 and future accidental exposures (needs Michael approval — firewall change)
2. **Fix .env permissions** — `chmod 600` on world-readable .env files (low risk, can do now)
3. **Bind voice-assistant to localhost** — if only used internally, change to 127.0.0.1:8765

---
*Generated by Sentinel — 2026-02-26T22:10+11:00*
