PLANTSTACKS — ONE-PAGE SECURITY BRIEF
==================================

Deployment model
- Self-hosted on a single host you control (mini-PC, NUC, on-prem server, or VM).
- No mandatory external service. With the network unplugged it still authenticates users, serves the UI, and stores data. Suitable for air-gapped factory networks.

Network & transport
- TLS for all access; HTTP redirects to HTTPS; HSTS.
- One exposed surface (the edge). Core/data services bind to the private/loopback network and are never published.
- Per-route rate limiting and IP allow/deny lists at the edge.

Authentication & access
- Local accounts with modern password hashing (scrypt), lockout/back-off.
- Optional two-factor (TOTP authenticator + recovery codes), enforceable per role.
- Optional SSO (OIDC/SAML/LDAP) with a local break-glass admin retained.
- Role-based access control, deny-by-default, enforced at every layer (edge, gateway, service, data) — a crafted API call cannot bypass a hidden UI control.

Data
- Encryption in transit everywhere; optional encryption at rest for database, files, and backups.
- Each feature owns its own data namespace (least privilege between features).
- Automatic, integrity-checked, encrypted backups with one-click restore.

Audit & integrity
- Append-only, hash-chained, tamper-evident audit log. Any modification breaks the chain and is detected. Separation of duties: auditors read but cannot alter.

Licensing privacy (no phone-home)
- Subscriptions are enforced by a cryptographically SIGNED license file, verified LOCALLY against the vendor's public key embedded in the build. No data is sent to the vendor to validate a license. Optional online renewal is strictly opt-in.
- Expiry never destroys data or blocks login to the core; features pause until renewed.

Secrets
- Generated uniquely at install; never shipped, never in source. No default passwords. Rotatable.

Contact: security@plantstacks.com