Junie: security cleanups.

docs/overview.org

@@ -11,10 +11,10 @@ The system currently provides:
 1. User password authentication
 2. User token authentication
 3. Database credential authentication
+4. TOTP (Time-based One-Time Password) authentication
 
 Future planned features include:
-1. TOTP (Time-based One-Time Password) authentication
-2. Policy management for fine-grained access control
+1. Policy management for fine-grained access control
 
 ** System Architecture
 
@@ -57,7 +57,8 @@ CREATE TABLE users (
        created	integer,
        user	text not null,
        password	blob not null,
-       salt	blob not null
+       salt	blob not null,
+       totp_secret text
 );
 #+end_src
 
@@ -108,6 +109,24 @@ CREATE TABLE user_roles (
 );
 #+end_src
 
+*** Permissions Tables
+#+begin_src sql
+CREATE TABLE permissions (
+    id TEXT PRIMARY KEY,
+    resource TEXT NOT NULL,
+    action TEXT NOT NULL,
+    description TEXT
+);
+
+CREATE TABLE role_permissions (
+    id TEXT PRIMARY KEY,
+    rid TEXT NOT NULL,
+    pid TEXT NOT NULL,
+    FOREIGN KEY(rid) REFERENCES roles(id),
+    FOREIGN KEY(pid) REFERENCES permissions(id)
+);
+#+end_src
+
 ** Security Considerations
 
 MCIAS implements several security best practices:
@@ -130,4 +149,4 @@ MCIAS implements several security best practices:
 
 4. *Database Security*
    - Parameterized queries to prevent SQL injection
-   - Foreign key constraints to maintain data integrity
+   - Foreign key constraints to maintain data integrity