Refs #54
### Location
README.md — Grafana import section (3-step instructions)
### Problem
The README instructs operators to add a Prometheus data source pointing to http://:9091/metrics with a 10-second scrape interval. Issues #213 (default bind 0.0.0.0:9091 exposes metrics publicly) and #214 (no auth on /metrics) are still open and unresolved from PR #50.
By shipping this documentation, the README is now officially endorsing and guiding operators toward connecting to an unauthenticated, publicly-bound metrics endpoint. Any operator following the quickstart step-by-step will:
- Configure Prometheus to scrape 0.0.0.0:9091 with no auth
- Import a dashboard that displays profit histograms, git_sha (via build_info panel), queue depth, and simulation results
This codifies the security gap from PR #50 into the operator playbook.
### Impact
Operators following the documented quickstart expose bot profit metrics, git commit SHA, and queue depth to anyone with network access to port 9091. On a VPS (Hetzner CX22 is the stated target), this means public internet exposure.
### Suggested Fix
Add a warning to the import section noting that the metrics endpoint must be bound to 127.0.0.1 (not 0.0.0.0) before setting up external scraping, and that auth should be configured before exposing to Prometheus. Gate this README section on issues #213 and #214 being resolved, or include a prominent security note inline.
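As an added illustration of the check behind this suggestion (my own example, not code from this repository), the lint below flags scrape targets that are neither loopback nor covered by an auth block, using two constructed Prometheus `scrape_configs` as PyYAML would load them: the quickstart as currently documented, and the form the suggested fix asks for. The job name, credential path and the `basic_auth` block are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Prometheus scrape_config blocks that carry client credentials.
AUTH_KEYS = ("basic_auth", "authorization", "oauth2")

# Constructed sample: the quickstart as the README currently describes it.
WEAK_CONFIG = {"scrape_configs": [{
    "job_name": "bot", "scrape_interval": "10s", "metrics_path": "/metrics",
    "static_configs": [{"targets": ["0.0.0.0:9091"]}],
}]}

# Constructed sample: the suggested fix, loopback target plus auth (assumed values).
HARDENED_CONFIG = {"scrape_configs": [{
    "job_name": "bot", "scrape_interval": "10s", "metrics_path": "/metrics",
    "basic_auth": {"username": "prometheus", "password_file": "/etc/prometheus/bot.pw"},
    "static_configs": [{"targets": ["127.0.0.1:9091"]}],
}]}

def target_host(target):
    """Host part of a Prometheus target string such as 'host:port' or '[::1]:port'."""
    return urlsplit("//" + target).hostname or ""

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name cannot be assumed to resolve locally
        return False

def find_exposed_targets(config):
    """Return (job_name, target, reason) for every target that is neither
    loopback nor covered by an auth block on its job."""
    findings = []
    for job in config.get("scrape_configs", []):
        authed = any(key in job for key in AUTH_KEYS)
        for static in job.get("static_configs", []):
            for target in static.get("targets", []):
                host = target_host(target)
                if host in ("0.0.0.0", "::"):
                    findings.append((job["job_name"], target, "unspecified address: endpoint listens on every interface"))
                elif not is_loopback(host) and not authed:
                    findings.append((job["job_name"], target, "non-loopback target scraped without auth"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, find_exposed_targets(cfg))
```

A loopback target on its own only proves the scraper talks to localhost; the bot's bind address (#213) still has to be changed for the endpoint to stop listening publicly.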