Overview
Security Documentation
This folder contains security architecture, cryptography, PKI, authentication, secret handling, and secure deployment guidance for Uptrakit.
Contents
| Document | Description |
|---|---|
| Security Architecture | Threat model and defense-in-depth principles. |
| Cryptography | Cryptographic primitives, key handling, and protocol-level crypto details. |
| PKI and Certificates | Managed CA lifecycle, certificate issuance, renewal, OCSP, and CRL behavior. |
| Auth and Authorization | Authentication flows, role/permission model, and auth middleware behavior. |
| Secrets and Encryption | Encryption-at-rest, master key handling, and secret redaction conventions. |
| TOFU and TLS | TOFU behavior and TLS trust bootstrap considerations. |
| Filesystem and Dependency Security | Filesystem permissions, hardening defaults, and dependency safeguards. |
| Secure Development | Secure coding expectations for contributors. |
| Reverse Proxy Security | Reverse proxy trust model, header validation, revocation strategy, and per-proxy guide links. |
| SSH Agent Secrets | SSH credential encryption, master key management, bootstrap security, and TOFU vs pinned fingerprints. |
| Sudoers Management | Per-command sudoers generation, sudo policy, detecting/persisting sudo state, and operator guidance. |
| Notification Subsystem Security | Secret storage, webhook HMAC signing, Telegram callback verification, action tokens, and tenant isolation. |
Related Documentation
- Top-level docs catalogue: docs/README.md
- End-user deployment guide: docs/end-user/deployment/README.md
- API and protocol docs: docs/api/README.md
- Development standards: docs/development/README.md