ksmith/OrbitWard
1
0
Fork 0
Code Issues 12 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a707186a5eee5e0df0a1354305307259205ffd55
OrbitWard/docs/security.md
T
Keith Smith a707186a5e Initial InfraPulse scaffold
2026-05-22 17:36:40 -06:00

1.2 KiB
Raw Blame History

Security

InfraPulse must be secure from the beginning because it will store infrastructure credentials.

Authentication

The initial implementation supports local username/password login with hashed passwords and JWT bearer tokens. Dashboard and API access must not be available anonymously.

Initial roles:

  • Viewer: can view dashboards, assets, monitors, graphs, and alerts.
  • Operator: can acknowledge alerts, silence alerts, and manage incidents.
  • Admin: can manage assets, monitors, credentials, notification channels, and alert rules.
  • Owner: can manage users, roles, global settings, and authentication settings.

Credential Storage

Credential records are modeled separately from monitors and assets. Secret fields must be encrypted at rest before real credential storage is enabled. Stored secret values must never be returned to the frontend after creation.

Rules:

  • Use INFRAPULSE_SECRET_KEY from the environment.
  • Never log secrets.
  • Mask saved secrets in the UI.
  • Audit credential create, update, and delete events.
  • Prefer read-only API tokens and least-privileged credentials.

Future Authentication

Planned future options include LDAP/Active Directory login, OIDC, SAML if needed, and API tokens.

Reference in New Issue View Git Blame Copy Permalink