Skip to content

Add security documentation for credentials and deployment#2696

Merged
jmthomas merged 2 commits intomainfrom
document-env-passwords-2538
Jan 7, 2026
Merged

Add security documentation for credentials and deployment#2696
jmthomas merged 2 commits intomainfrom
document-env-passwords-2538

Conversation

@jmthomas
Copy link
Copy Markdown
Member

@jmthomas jmthomas commented Dec 31, 2025
edited
Loading

Summary

  • Create new security.md page in the public documentation covering security boundaries, all backend credentials, users.acl file, and deployment security recommendations
  • Update installation.md to link to the new security documentation
  • This provides a single authoritative source for credential documentation that the project repos can link to

Closes #2538
Closes https://github.com/OpenC3/cosmos-enterprise/issues/298

See OpenC3/cosmos-project#32
See https://github.com/OpenC3/cosmos-enterprise-project/pull/29

🤖 Generated with Claude Code

@jmthomas @claude
Add security documentation for credentials and deployment
09ca75b 
- Create new security.md page documenting:
  - Security boundaries (Docker network, host, network configuration)
  - All backend credentials (Redis, MinIO, SERVICE_PASSWORD, SECRET_KEY_BASE)
  - users.acl file format and relationship to .env
  - Step-by-step instructions for changing passwords
  - Security recommendations for production deployments
  - Frontend vs backend authentication distinction

- Update installation.md to link to new security documentation

Closes #2538

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@codecov
Copy link
Copy Markdown

codecov bot commented Dec 31, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.24%. Comparing base (6f3cda6) to head (3f573fa).
⚠️ Report is 39 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2696      +/-   ##
==========================================
- Coverage   79.31%   79.24%   -0.07%     
==========================================
  Files         662      664       +2     
  Lines       52588    52823     +235     
  Branches      734      734              
==========================================
+ Hits        41708    41858     +150     
- Misses      10800    10885      +85     
  Partials       80       80
Flag Coverage Δ
python 81.16% <ø> (-0.23%) ⬇️
ruby-api 84.76% <ø> (ø)
ruby-backend 82.15% <ø> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

clayandgen
clayandgen reviewed Jan 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@clayandgen clayandgen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I briefly mention using a dynamic secret manager in https://docs.openc3.com/docs/guides/scripting-api#initialize_offline_access, I'm curious if we'd like to add something about that here as well

docs.openc3.com/docs/getting-started/security.md Outdated

By default, COSMOS only listens on localhost (127.0.0.1). This configuration keeps COSMOS completely off the network and is only vulnerable to local users of the host computer.

For production use, it is recommended to open COSMOS to the network and run clients from other machines. This removes browser load from the host computer and allows better securing of the host. See [SSL/TLS](../configuration/ssl-tls) for configuring HTTPS.
Copy link
Copy Markdown
Contributor

@clayandgen clayandgen Jan 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe the network and clients should be a bit more specific here, this sentence isn't very intuitive to me

@jmthomas jmthomas merged commit 1c12887 into main Jan 7, 2026
28 checks passed
@jmthomas jmthomas deleted the document-env-passwords-2538 branch January 7, 2026 21:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@clayandgen clayandgen clayandgen left review comments

@ryan-pratt ryan-pratt ryan-pratt approved these changes

@ryanmelt ryanmelt Awaiting requested review from ryanmelt

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Elaboration on the .env and users.acl passwords

3 participants

@jmthomas @clayandgen @ryan-pratt