docs(mkdocs/security): add Security index, OAuth/OIDC, and Network Hardening with HIPAA posture notes

Author: Faxbot Agent

mkdocs/docs/security/index.md

@@ -0,0 +1,34 @@
+---
+title: Security
+---
+
+# Security
+
+Secure defaults for keys, webhooks, storage, and Admin access.
+
+## Keys
+
+- Use API Keys with scopes; rotate regularly
+- Prefer OAuth/OIDC for Admin login where available
+
+## Webhooks
+
+- Enforce HMAC where supported (Phaxio, HumbleFax)
+- Use Basic auth for providers without signing (Sinch inbound)
+- Always use HTTPS
+
+## Storage
+
+- Tokenized, short‑TTL links for PDFs
+- S3/compatible storage supported; avoid public buckets
+
+## HIPAA
+
+- Execute BAA with cloud providers
+- Disable provider document retention
+- Avoid quick tunnels; use private tunnels and a permanent HTTPS domain
+
+See also
+- [HIPAA Requirements](/HIPAA_REQUIREMENTS/)
+- [Networking & Tunnels](/networking/tunnels/)
+

mkdocs/docs/security/network.md

@@ -0,0 +1,19 @@
+---
+title: Network Hardening
+---
+
+# Network Hardening
+
+Lock down your deployment for production and PHI.
+
+## Checklist
+
+- [ ] Expose only HTTPS API port (8080)
+- [ ] Keep SIP/UDPTL private (self‑hosted)
+- [ ] Rate limit and WAF at edge
+- [ ] Disable Admin Terminal over public ingress
+- [ ] Use WireGuard/Tailscale for remote Admin access
+
+See also
+- [Networking & Tunnels](/networking/tunnels/)
+

mkdocs/docs/security/oauth-setup.md

@@ -0,0 +1,23 @@
+---
+title: OAuth / OIDC Setup
+---
+
+# OAuth / OIDC Setup
+
+Protect the Admin Console with your identity provider.
+
+## Steps
+
+1) Create an OAuth/OIDC app in your IdP (Auth0/Okta/etc.)
+2) Configure Redirect URI to your Admin domain
+3) Enter client id/secret in Admin → Settings → Security
+4) Test login from a private window
+
+???+ tip "Scopes and claims"
+    Map Admin roles from IdP claims if available. Keep Admin access limited to operators.
+
+## Troubleshooting
+
+- Invalid redirect → verify exact URI and HTTPS
+- Forbidden → check user group/role mapping
+