• Docker socket (/var/run/docker.sock) — root-equivalent access on the host
• Container secrets / environment variables
• Orbit user credentials
• Audit logs

• Unauthenticated external users
• Authenticated low-privilege users trying to escalate
• Compromised container attempting socket escape

• Rotate JWT secret — expose /api/auth/rotate-secret (admin only)
• HTTPS enforcement — add Caddy or Traefik reverse proxy config
• Secret scanning — add trufflehog to CI pipeline
• Container image pinning — use SHA digests in docker-compose.yml
• Read-only rootfs — add read_only: true to backend compose service

• LDAP/OIDC integration — integrate passport-ldapauth / openid-client
• HMAC webhooks — sign outgoing webhook payloads with X-Orbit-Signature
• CSP headers — strict Content-Security-Policy via helmet.js
• Dependency audit — weekly npm audit in CI
• Session revocation — Redis-backed token blocklist for logout

• Prometheus auth — protect /metrics behind bearer token
• 2FA / TOTP — optional TOTP for admin accounts
• Immutable audit log — forward to external syslog / SIEM

The Docker socket grants root-equivalent access. Mitigations:

1. Network isolation — backend is on an internal Docker network; socket never exposed to frontend or internet
2. Docker socket proxy (recommended for production) — replace direct socket mount with docker-socket-proxy to allow only specific API calls
3. User namespacing — enable Docker user namespace remapping on the host

Example socket proxy integration (Phase 1):

socket-proxy:
  image: tecnativa/docker-socket-proxy
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
  environment:
    CONTAINERS: 1
    IMAGES: 1
    NETWORKS: 1
    VOLUMES: 1
    POST: 1   # set to 0 for read-only mode
  networks:
    - internal

Before going to production:

# ✅ Check these are set and non-default
ORBIT_SECRET        # Must be >= 32 chars, random
ORBIT_ADMIN_PASSWORD  # Must be changed from default