Junie: security cleanups.

docs/installation.org

@@ -31,7 +31,7 @@ go mod download
 MCIAS uses SQLite for data storage. To initialize the database:
 
 #+begin_src bash
-go run main.go -init -db ./mcias.db
+go run cmd/mcias/main.go init --db ./mcias.db
 #+end_src
 
 This command creates a new SQLite database file and initializes it with the schema defined in =schema.sql=.
@@ -43,37 +43,76 @@ This command creates a new SQLite database file and initializes it with the sche
 To start the MCIAS server with default settings:
 
 #+begin_src bash
-go run main.go -db ./mcias.db
+go run cmd/mcias/main.go server --db ./mcias.db
 #+end_src
 
 By default, the server listens on port 8080.
 
 *** Configuration Options
 
-MCIAS supports the following command-line options:
+MCIAS supports the following command-line options for the server:
 
-- =-db <path>=: Path to the SQLite database file (default: =mcias.db=)
-- =-addr <address>=: Address to listen on (default: =:8080=)
-- =-init=: Initialize the database and exit
+- =--db <path>=: Path to the SQLite database file (default: =mcias.db=)
+- =--addr <address>=: Address to listen on (default: =:8080=)
 
 Example with custom port:
 
 #+begin_src bash
-go run main.go -db ./mcias.db -addr :9000
+go run cmd/mcias/main.go server --db ./mcias.db --addr :9000
+#+end_src
+
+** Managing Users and Authentication
+
+*** Adding a New User
+
+To add a new user to the system:
+
+#+begin_src bash
+go run cmd/mcias/main.go user add --username <username> --password <password>
+#+end_src
+
+*** Managing TOTP Authentication
+
+To enable TOTP for a user:
+
+#+begin_src bash
+go run cmd/mcias/main.go totp enable --username <username>
+#+end_src
+
+This will generate a TOTP secret for the user and display it. The user should save this secret in their authenticator app.
+
+To add a TOTP token with QR code generation:
+
+#+begin_src bash
+go run cmd/mcias/main.go totp add --username <username> --qr-output <path/to/qrcode.png>
+#+end_src
+
+To validate a TOTP code:
+
+#+begin_src bash
+go run cmd/mcias/main.go totp validate --username <username> --code <totp_code>
 #+end_src
 
 ** Building from Source
 
-To build a binary:
+To build the server binary:
 
 #+begin_src bash
+cd cmd/mcias
 go build -o mcias
 #+end_src
 
 Then run the binary:
 
 #+begin_src bash
-./mcias -db ./mcias.db
+./mcias server --db ./mcias.db
+#+end_src
+
+To build the client binary:
+
+#+begin_src bash
+cd cmd/mcias-client
+go build -o mcias-client
 #+end_src
 
 ** Development
@@ -128,6 +167,32 @@ curl -X POST http://localhost:8080/v1/login/token \
   }'
 #+end_src
 
+*** Authentication with TOTP
+
+To authenticate a user with a password and TOTP code:
+
+#+begin_src bash
+curl -X POST http://localhost:8080/v1/login/totp \
+  -H "Content-Type: application/json" \
+  -d '{
+    "version": "v1",
+    "login": {
+      "user": "username",
+      "password": "password",
+      "totp": "123456"
+    }
+  }'
+#+end_src
+
+*** Retrieving Database Credentials
+
+To retrieve database credentials:
+
+#+begin_src bash
+curl -X GET "http://localhost:8080/v1/database/credentials?username=username" \
+  -H "Authorization: Bearer your_token"
+#+end_src
+
 ** Troubleshooting
 
 *** Common Issues
@@ -170,4 +235,4 @@ go run main.go -db ./mcias.db > mcias.log 2>&1
 3. *User Management*:
    - Implement strong password policies
    - Regularly rotate tokens
-   - Monitor for suspicious authentication attempts
+   - Monitor for suspicious authentication attempts