# SolutionRTS Security Policy

**Last Updated:** January 27, 2026

## 1. Overview
At SolutionRTS ("Reclaimed Time Systems"), we take the security of our internal operations and our user data seriously. This document outlines our protocols for managing secrets, deploying code, and handling vulnerabilities.

## 2. Infrastructure & Access
*   **Host Environment:** We operate on secure Debian-based VPS instances (currently `evidenxDeb`).
*   **Agent Identity:** The primary operator is **Hox** (Cyber-Crustacean CEO), running via the `clawdbot`/`moltbot` runtime.
*   **Authentication:**
    *   **SSH:** Key-based authentication only. No password login allowed for root.
    *   **GitHub:** Access via Personal Access Tokens (PAT) with scoped permissions (`repo`, `read:org`).
    *   **NPM/Stripe:** API keys are rotated quarterly or upon suspected compromise.

## 3. Secret Management
*   **Environment Variables:** All API keys (Stripe, OpenAI, Google) must be stored in `.env` files or secure environment variables, **never** hardcoded in the codebase.
*   **Git Policy:** `.gitignore` must explicitly exclude `.env`, `*.pem`, `*.key`, and `config.json` files containing secrets.
*   **Leak Protocol:** If a key is accidentally committed to a public repo:
    1.  Revoke the key immediately at the provider (e.g., Stripe Dashboard).
    2.  Rotate the key.
    3.  Rewrite Git history (BFG Repo-Cleaner) to remove the trace. The rewrite only removes the key from the repository's own history; existing clones, forks and caches may still hold it, so step 1 is what actually ends the exposure.
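
The following is an added example, not SolutionRTS code: a Node pre-commit check that enforces the Git policy above. It refuses staged paths that match the excluded patterns and flags secret-looking assignments in the files that remain. The script name `check-secrets.js`, the hook invocation `node check-secrets.js --staged`, and the sample file contents are assumptions; the key values are placeholders.

```javascript
// Added example (not SolutionRTS code): pre-commit check for the section 3 Git policy.
// Invoke from .git/hooks/pre-commit as `node check-secrets.js --staged` (assumed name);
// with no argument it runs against the constructed sample below.

// Basename patterns the policy excludes from version control. config.json is blocked
// outright here (conservative); relax this if a project keeps a non-secret config.json.
const BLOCKED_PATTERNS = [
  /^\.env(\..+)?$/, // .env, .env.local, .env.production, ...
  /\.pem$/,
  /\.key$/,
  /^config\.json$/,
];

function isBlockedPath(filePath) {
  const base = filePath.split('/').pop();
  return BLOCKED_PATTERNS.some((re) => re.test(base));
}

// Heuristic: a credential-like name assigned a long literal. References to the
// environment and obvious placeholders are ignored. Returns 1-based line numbers.
const ASSIGNMENT = /\b[A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*\s*[:=]\s*["']?([^"'\s,]{16,})/i;
const NOT_A_SECRET = /^(\$|process\.env|os\.environ|<|your[_-]|changeme|example)/i;

function findSecretAssignments(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = ASSIGNMENT.exec(line);
    if (m && !NOT_A_SECRET.test(m[1])) hits.push(i + 1);
  });
  return hits;
}

// Returns human-readable problems for a list of staged paths; readFile supplies content.
function checkStagedFiles(files, readFile) {
  const problems = [];
  for (const f of files) {
    if (isBlockedPath(f)) {
      problems.push(`${f}: must not be committed (excluded by policy; add it to .gitignore)`);
      continue;
    }
    const lines = findSecretAssignments(readFile(f));
    if (lines.length) problems.push(`${f}: secret-looking assignment on line(s) ${lines.join(', ')}`);
  }
  return problems;
}

// Constructed sample staging area; the key values are placeholders, not real credentials.
const SAMPLE_FILES = {
  '.env.local': 'STRIPE_SECRET_KEY=sk_test_PLACEHOLDER_0000000000\n',
  'src/config.js': 'const apiKey = process.env.OPENAI_API_KEY;\n',
  'src/billing.js': 'const STRIPE_SECRET_KEY = "sk_live_PLACEHOLDER_0000000000";\n',
  'certs/server.pem': '-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n',
};

if (typeof require !== 'undefined' && require.main === module) {
  let files;
  let readFile;
  if (process.argv[2] === '--staged') {
    const fs = require('fs');
    const { execFileSync } = require('child_process');
    files = execFileSync('git', ['diff', '--cached', '--name-only', '--diff-filter=ACMR'], { encoding: 'utf8' })
      .split('\n').filter(Boolean);
    readFile = (f) => fs.readFileSync(f, 'utf8');
  } else {
    files = Object.keys(SAMPLE_FILES);
    readFile = (f) => SAMPLE_FILES[f];
  }
  const problems = checkStagedFiles(files, readFile);
  problems.forEach((p) => console.error(p));
  // Only a real hook run blocks the commit; the sample run just reports.
  if (problems.length && process.argv[2] === '--staged') process.exit(1);
}
```

On the sample, `.env.local` and `certs/server.pem` are rejected by path, `src/billing.js` is flagged for the literal key, and `src/config.js` passes because it reads the key from the environment, which is exactly the split the policy wants. The content scan is a heuristic and complements, rather than replaces, `.gitignore` and the leak protocol.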

## 4. Extension Security (User Safety)
Our Chrome Extensions (SideSheet Pro, GuideBuilder, FluxCanvas) adhere to the **Principle of Least Privilege**:
*   **Local Storage First:** User data is stored in `chrome.storage.local` by default.
*   **Secure Mode:** Sensitive data (passwords/keys) in "Secure Mode" uses `chrome.storage.session` (RAM only).
*   **Content Security Policy (CSP):** We strictly define allowed scripts and refuse `eval()` and remotely hosted code.
*   **Permissions:** We only request permissions necessary for core functionality (e.g., `activeTab`, `scripting`).
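
The following is an added example and is not code from the SolutionRTS extensions: a Node-runnable model of the three controls above. It carries a Manifest V3 fragment with an explicit `extension_pages` CSP, an audit function that flags permissions outside the allowlist or a `script-src` that permits anything but `'self'`, and a storage router that sends Secure Mode values to `chrome.storage.session` and everything else to `chrome.storage.local`. The manifest values, the `storage` permission in the allowlist, and the in-memory stand-in for `chrome.storage` are assumptions.

```javascript
// Added example (not SolutionRTS extension code): least-privilege permissions, an
// explicit extension-pages CSP, and local-vs-session storage routing, runnable in Node.

// Permissions the policy names as necessary (plus 'storage', assumed for the data layer).
const ALLOWED_PERMISSIONS = new Set(['activeTab', 'scripting', 'storage']);

// Constructed manifest fragment. MV3 already rejects remotely hosted code and
// 'unsafe-eval'; stating the CSP explicitly makes the intent auditable.
const MANIFEST = {
  manifest_version: 3,
  name: 'Example extension (constructed)',
  version: '0.0.1',
  permissions: ['activeTab', 'scripting', 'storage'],
  content_security_policy: {
    extension_pages: "script-src 'self'; object-src 'self'",
  },
};

// Parse a CSP string into { directive: [sources] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Findings for a manifest: permissions outside the allowlist, a missing CSP, or a
// script-src that allows any source other than the extension's own origin.
function auditManifest(manifest, allowed = ALLOWED_PERMISSIONS) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (!allowed.has(p)) findings.push(`permission not required by core functionality: ${p}`);
  }
  const csp = manifest.content_security_policy && manifest.content_security_policy.extension_pages;
  if (!csp) {
    findings.push('no extension_pages CSP declared');
  } else {
    for (const src of parseCsp(csp)['script-src'] || []) {
      if (src !== "'self'" && src !== "'none'") findings.push(`script-src allows ${src}`);
    }
  }
  return findings;
}

// Minimal in-memory stand-in (constructed) with the same get/set shape as a
// chrome.storage area, used when the real chrome.storage is unavailable.
function makeArea() {
  const data = {};
  return {
    async set(items) { Object.assign(data, items); },
    async get(keys) {
      const out = {};
      for (const k of Array.isArray(keys) ? keys : [keys]) if (k in data) out[k] = data[k];
      return out;
    },
  };
}
const storageAreas = (typeof chrome !== 'undefined' && chrome.storage)
  ? chrome.storage
  : { local: makeArea(), session: makeArea() };

// Secure Mode routes sensitive values to the session area (memory only, cleared when
// the browser closes); everything else persists in local.
function areaFor(secureMode) {
  return secureMode ? storageAreas.session : storageAreas.local;
}

async function saveValue(key, value, { secureMode = false } = {}) {
  await areaFor(secureMode).set({ [key]: value });
  return secureMode ? 'session' : 'local';
}

async function readValue(key, { secureMode = false } = {}) {
  const result = await areaFor(secureMode).get(key);
  return result[key];
}
```

Because a value written in Secure Mode lives only in the session area, `readValue('token')` without `secureMode` returns `undefined`: the two areas never share data, so a bug in the non-secure path cannot surface a Secure Mode secret. `auditManifest` is the kind of check that belongs in CI so that a new permission or a loosened `script-src` fails the build rather than shipping.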

## 5. Vulnerability Reporting
If a security researcher or user finds a bug:
*   **Contact:** Email `support@solutionrts.com` with the subject `[SECURITY]`.
*   **Response:** We acknowledge reports within 48 hours and aim to patch critical issues within 7 days.
*   **Bounty:** We do not currently offer a monetary bug bounty, but we offer "Pro Lifetime Licenses" and public acknowledgement (Hall of Fame).

## 6. Incident Response
In the event of a breach (e.g., compromised GitHub account):
1.  **Lockdown:** Revoke all active sessions and tokens.
2.  **Audit:** Review `git log` and server access logs (`/var/log/auth.log`).
3.  **Notify:** Inform affected users via email and public announcement on `solutionrts.com` within 72 hours.
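
The following is an added example, not SolutionRTS tooling: a first-pass review of the sshd entries in `/var/log/auth.log` for the Audit step. It extracts accepted and failed logins, counts failures per source address, and lists what contradicts the section 2 rule of key-based authentication only, or otherwise deserves a closer look (a login from an address that had just been failing, any root login). The script name `auth-review.js`, the hostname, and the log lines are constructed; the addresses are RFC 5737 documentation ranges.

```javascript
// Added example (not SolutionRTS tooling): triage sshd lines from /var/log/auth.log.
// Run as `node auth-review.js /var/log/auth.log` (assumed name), or with no argument
// to use the constructed sample below.

// One sshd authentication line in Debian syslog format; CRON/sudo lines do not match.
const SSHD_LINE = /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+/;

function parseAuthLog(text) {
  const events = [];
  for (const line of text.split(/\r?\n/)) {
    const m = SSHD_LINE.exec(line);
    if (m) events.push({ ts: m[1], host: m[2], result: m[3], method: m[4], user: m[5], ip: m[6] });
  }
  return events;
}

// failThreshold: failed attempts from one address that count as a brute-force burst.
function review(text, failThreshold = 3) {
  const events = parseAuthLog(text);
  const failuresByIp = {};
  for (const e of events) {
    if (e.result === 'Failed') failuresByIp[e.ip] = (failuresByIp[e.ip] || 0) + 1;
  }
  const suspicious = Object.keys(failuresByIp).filter((ip) => failuresByIp[ip] >= failThreshold);
  const violations = [];
  const rootLogins = [];
  for (const e of events) {
    if (e.result !== 'Accepted') continue;
    if (e.method === 'password') {
      violations.push(`${e.ts}: password login accepted for ${e.user} from ${e.ip} (policy is key-based only)`);
    }
    if (suspicious.includes(e.ip)) {
      violations.push(`${e.ts}: login for ${e.user} from ${e.ip} after ${failuresByIp[e.ip]} failed attempts`);
    }
    // Root logins with a key are allowed by policy but still worth listing during an audit.
    if (e.user === 'root') rootLogins.push(`${e.ts}: root login via ${e.method} from ${e.ip}`);
  }
  return { events, failuresByIp, suspicious, violations, rootLogins };
}

// Constructed sample lines (documentation addresses, placeholder key fingerprint).
const SAMPLE_LOG = [
  'Jan 27 03:14:07 vps-example sshd[1234]: Accepted publickey for deploy from 203.0.113.5 port 51234 ssh2: ED25519 SHA256:PLACEHOLDER',
  'Jan 27 03:15:12 vps-example sshd[1240]: Failed password for root from 198.51.100.7 port 40001 ssh2',
  'Jan 27 03:15:14 vps-example sshd[1240]: Failed password for root from 198.51.100.7 port 40002 ssh2',
  'Jan 27 03:15:16 vps-example sshd[1241]: Failed password for invalid user admin from 198.51.100.7 port 40003 ssh2',
  'Jan 27 03:20:01 vps-example sshd[1250]: Accepted password for deploy from 198.51.100.7 port 40010 ssh2',
  'Jan 27 03:21:00 vps-example CRON[1260]: pam_unix(cron:session): session opened for user root by (uid=0)',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const text = process.argv[2] ? require('fs').readFileSync(process.argv[2], 'utf8') : SAMPLE_LOG;
  const r = review(text);
  console.log(`${r.events.length} sshd auth events; failures by source:`, r.failuresByIp);
  r.violations.forEach((v) => console.log('VIOLATION', v));
  r.rootLogins.forEach((v) => console.log('ROOT LOGIN', v));
}
```

On the sample the review reports two findings on the same accepted login: it used a password, which the policy forbids outright, and it came from the address that had just failed three times, so it is the entry to investigate first. A successful "Failed password" pattern also shows that password authentication is still enabled on the host, which is a configuration gap to close as part of Lockdown rather than an isolated event.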

---
*Maintained by HoxLobster, Chief Extension Officer.*
