sync: update from private repo (0844939)

.dockerignore

@@ -14,8 +14,11 @@ ui/dist
 vendor
 
 .env
+.env.*
 config.yaml
 data
+data/secrets
+data/tls
 input
 logs
 output

.gitignore

@@ -4,6 +4,8 @@ __pycache__/
 dist/
 data/
 .env
+.env.*
+!.env.example
 config.yaml
 .superpowers/
 *.db
@@ -15,7 +17,6 @@ logs/
 .worktrees/
 .claude/
 .playwright-mcp/
-.superpowers/
 # Agent skill installs (modern-web-guidance etc. via `skills add`) — local tooling,
 # not project source.
 .agents/
@@ -23,7 +24,6 @@ skills-lock.json
 orch.pid
 .server.pid
 src/generated/
-.worktrees/
 vendor/
 # Added by code-review-graph
 .code-review-graph/

SECURITY.md

@@ -24,3 +24,35 @@ it as a privileged service:
   outside the repository and rotate them after suspected exposure.
 - Restrict `/metrics` with a bearer token or an explicit source-IP allowlist.
 - Review enabled tools and integrations before granting access to untrusted users.
+
+## Secrets and Data
+
+MAESTRO generates and stores several secrets. All of them live under the
+runtime data directory and are created with restrictive permissions:
+
+| Secret | Default location | Mode |
+|--------|------------------|------|
+| Master encryption key (envelope encryption for MCP/SSH credentials) | `data/secrets/master.key` | `0600` |
+| MCP credential key | `data/secrets/mcp.key` | `0600` |
+| Session secret (signs login cookies; auto-generated when `auth.session_secret` is unset) | `data/secrets/session-secret.key` | `0600` |
+| Web Push (VAPID) keypair | `data/secrets/vapid.json` | `0600` |
+| Self-signed TLS material | `data/tls/` | `0600` keys |
+
+`config.yaml` may hold a provider `api_key`, so the setup tooling writes it
+`0600`. These paths are excluded from version control (`.gitignore`) and from
+the Docker build context (`.dockerignore`); never commit them or bake them into
+an image.
+
+Operational guidance:
+
+- **Set a stable `auth.session_secret`** (or rely on the persisted
+  `data/secrets/session-secret.key`) so restarts don't invalidate sessions; in a
+  multi-node deployment, share the same secret across nodes.
+- **The data directory is sensitive.** Back it up with the same care as a
+  password store; restrict filesystem access to the service user.
+- **Core dumps are excluded** from the repository because they can contain the
+  decrypted master key, SSH private keys, and the session secret in process
+  memory. Keep them out of any artifact you share.
+- **Rotate after suspected exposure** and review the audit log.
+- Sensitive values are masked in the Settings UI and the config API responses;
+  do not paste unmasked secrets into issues or logs.