refactor: finalize documentation overhaul

- Refactor specialized docs for conciseness and clarity - Rename files to UPPER_CASE.md convention - Verify accuracy against codebase - Fix broken links
2026-04-28 03:20:11 +00:00 · 2025-11-25 00:45:20 +00:00 · 2025-11-25 00:45:20 +00:00 · fd39196166
commit fd39196166
parent 8464a69abe
25 changed files with 492 additions and 3557 deletions
--- a/docs/security/TEMPERATURE_MONITORING.md
+++ b/docs/security/TEMPERATURE_MONITORING.md
@ -0,0 +1,31 @@
+# 🌡️ Temperature Monitoring Security
+
+Secure architecture for collecting hardware temperatures.
+
+## 🛡️ Security Model
+*   **Isolation**: SSH keys live on the host, not in the container.
+*   **Least Privilege**: Proxy runs as `pulse-sensor-proxy` (no shell).
+*   **Verification**: Container identity verified via `SO_PEERCRED`.
+
+## 🏗️ Components
+1.  **Pulse Backend**: Connects to Unix socket `/mnt/pulse-proxy/pulse-sensor-proxy.sock`.
+2.  **Sensor Proxy**: Validates request, executes SSH to node.
+3.  **Target Node**: Accepts SSH key restricted to `sensors -j`.
+
+## 🔒 Key Restrictions
+SSH keys deployed to nodes are locked down:
+```
+command="sensors -j",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
+```
+
+## 🚦 Rate Limiting
+*   **Per Peer**: ~12 req/min.
+*   **Concurrency**: Max 2 parallel requests per peer.
+*   **Global**: Max 8 concurrent requests.
+
+## 📝 Auditing
+All requests logged to system journal:
+```bash
+journalctl -u pulse-sensor-proxy
+```
+Logs include: `uid`, `pid`, `method`, `node`, `correlation_id`.