Security: CorefluxCommunity/Coreflux-MQTT-MCP-Server

docs/SECURITY.md

Security Guidelines

Overview

This document outlines security considerations and best practices for the Coreflux MCP Server.

Log Sanitization

The server implements comprehensive log sanitization to prevent sensitive information from being exposed in log files:

  • API Keys and Tokens: All API keys, bearer tokens, and authentication tokens are automatically redacted
  • Passwords: All password fields are sanitized regardless of format
  • Certificates: Certificate content and file paths are redacted
  • File Paths: Sensitive file paths are obfuscated
  • URLs with Credentials: URLs containing credentials are sanitized

Sensitive Patterns

The following patterns are automatically detected and sanitized:

  • Bearer <token> → Bearer [REDACTED]
  • api_key: <value> → api_key: [REDACTED]
  • password: <value> → password: [REDACTED]
  • Certificate content → [CERTIFICATE REDACTED]
  • File paths → [FILE PATH REDACTED]
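
The redaction described under Log Sanitization and Sensitive Patterns can be pictured as a Python logging filter. The following is an added example, not the Coreflux server's own code: the regexes, the names sanitize, RedactingFilter and run_sample, the logger name and the sample log lines are all constructed for illustration, and the file-path rule is left out.

```python
import io
import logging
import re

# Constructed rules modelled on the patterns listed above; not the server's regexes.
RULES = [
    # PEM blocks first, so key material is never matched piecemeal by later rules.
    (re.compile(r"-----BEGIN [A-Z ]+-----.*?-----END [A-Z ]+-----", re.S),
     "[CERTIFICATE REDACTED]"),
    # Credentials embedded in a URL: scheme://user:secret@host
    (re.compile(r"(\b[a-z][a-z0-9+.-]*://)[^/\s:@]+:[^/\s@]+@", re.I),
     r"\1[REDACTED]@"),
    (re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]+", re.I), "Bearer [REDACTED]"),
    # key: value, key=value and JSON-style "key": "value"
    (re.compile(r"\b(api[_-]?key|password)\b([\"']?\s*[:=]\s*)"
                r"(\"[^\"]*\"|'[^']*'|[^\s,;&]+)", re.I), r"\1\2[REDACTED]"),
]


def sanitize(text: str) -> str:
    """Apply every rule in order and return the redacted text."""
    for pattern, replacement in RULES:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Redact the fully rendered message, so %-style arguments are covered."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = sanitize(record.getMessage())
        record.args = ()  # already merged into msg above
        return True  # keep the record; tracebacks (exc_info) are not rewritten here


def run_sample() -> list[str]:
    """Log constructed sample lines through the filter; return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    # Attach to the handler: a logger-level filter is skipped for records
    # propagated from child loggers.
    handler.addFilter(RedactingFilter())
    log = logging.getLogger("sanitize_demo")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("connect mqtts://device01:s3cr3t@broker.example.test:8883")
    log.info("Authorization: Bearer %s", "eyJhbGciOi.abc-123_x")
    log.info('config {"password": "hunter2", "api_key": "k-42"}')
    return buf.getvalue().splitlines()
```

Unquoted values are redacted only up to the first whitespace, so a secret containing spaces needs a quoted form or a stricter rule.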

Configuration Security

Environment Variables

Always use environment variables or .env files for sensitive configuration:

# Good
MQTT_PASSWORD=secret_password
DO_AGENT_API_KEY=your_api_key

# Bad - don't hardcode in source
mqtt_password = "secret_password"

TLS Configuration

When using TLS for MQTT connections:

  1. Use strong certificates: Ensure certificates are from trusted CAs
  2. Secure certificate storage: Store certificates outside the application directory
  3. File permissions: Restrict certificate file permissions (600 or 400)
  4. Certificate rotation: Implement regular certificate rotation

Docker Security

When running in Docker:

  1. Non-root user: The container runs as a non-root user (mcpserver)
  2. Read-only certificates: Certificate volumes are mounted read-only
  3. Resource limits: Memory and CPU limits are enforced
  4. Security scanning: Regularly scan the Docker image for vulnerabilities

Network Security

MQTT Security

  1. Use TLS: Always use TLS in production environments
  2. Authentication: Use strong MQTT credentials
  3. Client certificates: Consider client certificate authentication for enhanced security
  4. Network isolation: Run MQTT broker in isolated network segments

Firewall Rules

Configure firewall rules to restrict access:

  • MQTT port (1883/8883): Only from authorized networks
  • MCP Server: Only accessible from Claude Desktop or authorized clients

API Security

Coreflux Copilot API

  1. API Key Protection: Store API keys securely using environment variables
  2. Rate Limiting: Be aware of API rate limits
  3. Request Validation: All API requests are validated before sending
  4. Error Handling: API errors are logged without exposing sensitive details

Deployment Security

Production Checklist

  • Use environment variables for all sensitive configuration
  • Enable TLS for MQTT connections
  • Use strong, unique passwords
  • Implement proper certificate management
  • Configure appropriate log levels (INFO or WARNING in production)
  • Set up log rotation and retention policies
  • Enable container security scanning
  • Use secrets management for production deployments
  • Implement network segmentation
  • Regular security updates

Secrets Management

For production deployments, consider using:

  • Docker Secrets
  • Kubernetes Secrets
  • HashiCorp Vault
  • Cloud provider secret managers (AWS Secrets Manager, Azure Key Vault, etc.)

Monitoring and Auditing

Security Monitoring

  1. Log Analysis: Monitor logs for authentication failures and suspicious activity
  2. Connection Monitoring: Track MQTT connection patterns
  3. API Usage: Monitor Coreflux Copilot API usage for anomalies
  4. Health Checks: Implement comprehensive health monitoring

Incident Response

  1. Log Retention: Maintain logs for forensic analysis
  2. Alerting: Set up alerts for security events
  3. Containment: Have procedures for isolating compromised systems
  4. Recovery: Implement backup and recovery procedures

Reporting Security Issues

If you discover a security vulnerability, please:

  1. Do not open a public issue
  2. Contact the maintainers privately
  3. Provide detailed information about the vulnerability
  4. Allow time for the issue to be addressed before public disclosure

Security Updates

  • Regularly update dependencies using pip install -r requirements.txt --upgrade
  • Monitor security advisories for used packages
  • Update base Docker images regularly
  • Subscribe to security notifications for Coreflux and related components

There aren’t any published security advisories