
Security Baseline

Security practices for Studio B platform operations.

Credential Management

Railway Environment Variables

All secrets stored as Railway environment variables — never in code repositories.

GitHub Secrets

CI/CD pipelines use GitHub Actions secrets. Key rules:

  • Never write secrets to GITHUB_OUTPUT: output values are not masked, so the secret appears in plain text in logs and in any job that reads the output
  • Pass secrets to the individual steps that need them as env: variables
  • Rotate credentials after any suspected exposure
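The two patterns contrasted above, as an added workflow fragment that is not from the page or the Studio B repositories. The secret name API_TOKEN, the job name and the deploy script path are placeholders.

```yaml
# Added example, not the project's own workflow. API_TOKEN and ./scripts/deploy.sh
# are placeholders.
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      # WRONG: the secret becomes a step output. Outputs are not masked, so the
      # value shows up in plain text in the log and in any job that consumes
      # steps.leak.outputs.token.
      - id: leak
        run: echo "token=${{ secrets.API_TOKEN }}" >> "$GITHUB_OUTPUT"

      # RIGHT: scope the secret to the one step that needs it with env:, and let
      # the script read it from the environment instead of interpolating it into
      # the command line, so the rendered command never contains the value.
      - name: Deploy
        env:
          API_TOKEN: ${{ secrets.API_TOKEN }}
        run: ./scripts/deploy.sh   # reads "$API_TOKEN" from its environment
```

If a step genuinely has to hand a derived secret to a later step, register it with the `::add-mask::` workflow command before writing it anywhere, and prefer to rotate it afterwards.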

API Authentication

System       | Auth method                  | Notes
Acumatica    | Session cookie (.ASPXAUTH)   | 20-min TTL; access coordinated by the session gate
HubSpot      | Personal Access Token (PAT)  | Separate PATs per service recommended
Railway      | Project token                | CLI login per session
GitHub       | PAT or GitHub App            | Fine-grained tokens preferred
MCP Servers  | Bearer token via query param | Migration to Authorization header planned (query-string tokens land in server, proxy and client logs)

Access Controls

Entra ID (Azure AD)

Application permissions (admin-consented, scoped down):

  • User.ReadWrite.All — Employee provisioning
  • Group.ReadWrite.All — Security group management
  • Organization.Read.All — Org info
  • Mail.Read, Mail.Send — Email operations
  • Calendars.Read — Calendar visibility
  • Files.Read.All — OneDrive file access

Acumatica API User

  • Dedicated api-bot user with minimal required roles
  • Session gate limits concurrent sessions to 2
  • Account lockout detection stops retries as soon as a lockout is seen, so one locked api-bot account does not cascade into failures across every consumer

Operational Security

Session Gate Pattern

Redis sorted set coordinates Acumatica API access:

  • Max 2 concurrent sessions (license limit)
  • Slot 3 reserved for MCP server
  • Graceful degradation to local semaphore if Redis unavailable
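One way to implement the gate described above, as an added example that is not the project's own code. It assumes leases are stored in a single Redis sorted set (member = lease id, score = acquire time), that two worker leases and one MCP lease make up the three slots, and that a lease older than the 20-minute cookie TTL can be treated as dead. The key name acumatica:session_gate and the InMemorySortedSet stand-in are constructed for the example; swap in a redis.Redis client for real use.

```python
import threading
import time
import uuid

# Values from the page: 20-minute Acumatica session TTL, two worker sessions
# (license limit), and a third slot reserved for the MCP server.
SESSION_TTL_S = 20 * 60
WORKER_SLOTS = 2
MCP_SLOTS = 1
GATE_KEY = "acumatica:session_gate"   # hypothetical Redis key name


class RedisUnavailable(Exception):
    """Stands in for redis.exceptions.ConnectionError in this offline example."""


class InMemorySortedSet:
    """Constructed stand-in for the four redis-py sorted-set calls the gate uses."""

    def __init__(self, available=True):
        self.available = available
        self._sets = {}

    def _check(self):
        if not self.available:
            raise RedisUnavailable("connection refused")

    def zadd(self, key, mapping):
        self._check()
        self._sets.setdefault(key, {}).update(mapping)
        return len(mapping)

    def zrem(self, key, *members):
        self._check()
        zset = self._sets.setdefault(key, {})
        return sum(zset.pop(m, None) is not None for m in members)

    def zremrangebyscore(self, key, low, high):
        self._check()
        zset = self._sets.setdefault(key, {})
        expired = [m for m, s in zset.items() if low <= s <= high]
        for m in expired:
            del zset[m]
        return len(expired)

    def zrange(self, key, start, stop):
        self._check()
        zset = self._sets.get(key, {})
        members = sorted(zset, key=zset.get)
        return members[start:] if stop == -1 else members[start:stop + 1]


class SessionGate:
    """Worker leases are capped at WORKER_SLOTS and MCP leases at MCP_SLOTS.
    Leases older than the session TTL are pruned on every acquire, so a crashed
    holder cannot keep a slot longer than its cookie would have lived."""

    def __init__(self, redis, clock=time.time):
        self.redis = redis
        self.clock = clock
        self.mode = "redis"
        # Degraded mode: a per-process semaphore keeps this process inside the
        # license limit even though it can no longer see other processes.
        self._local = threading.BoundedSemaphore(WORKER_SLOTS)

    def _holders(self, prefix, now):
        self.redis.zremrangebyscore(GATE_KEY, float("-inf"), now - SESSION_TTL_S)
        return [m for m in self.redis.zrange(GATE_KEY, 0, -1) if m.startswith(prefix)]

    def try_acquire(self, is_mcp=False):
        """Return a lease id, or None when the caller's slot class is full."""
        prefix, limit = ("mcp:", MCP_SLOTS) if is_mcp else ("worker:", WORKER_SLOTS)
        now = self.clock()
        try:
            # Check-then-add is two round trips; in production wrap both in one
            # Lua script (EVAL) so two workers cannot both see a free slot.
            if len(self._holders(prefix, now)) >= limit:
                return None
            lease = prefix + uuid.uuid4().hex
            self.redis.zadd(GATE_KEY, {lease: now})
            self.mode = "redis"
            return lease
        except RedisUnavailable:
            self.mode = "local"
            if self._local.acquire(blocking=False):
                return "local:" + uuid.uuid4().hex
            return None

    def release(self, lease):
        if lease.startswith("local:"):
            self._local.release()
            return
        try:
            self.redis.zrem(GATE_KEY, lease)
        except RedisUnavailable:
            pass  # the TTL prune reclaims the slot on the next acquire
```

The local-semaphore fallback is deliberately conservative: with Redis gone, each process only knows about its own sessions, so it must not assume the other slot is free. Releases that fail because Redis dropped mid-session are safe to ignore only because every acquire prunes leases older than the cookie TTL.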

DRY_RUN Default

All provisioning and destructive operations default to DRY_RUN=true; live execution requires explicitly setting DRY_RUN=false.
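A fail-closed guard for the rule above, as an added example that is not the project's own code. It assumes the flag is read from the process environment and that only the literal string false (in any case) turns dry-run off; unset, empty, 0, no, off and typos all stay in dry-run. The disable_user function is a hypothetical destructive operation.

```python
import os
from functools import wraps


def dry_run_enabled(env=None):
    """Fail closed: only the literal 'false' (any case) disables DRY_RUN."""
    env = os.environ if env is None else env
    return env.get("DRY_RUN", "true").strip().lower() != "false"


def destructive(fn):
    """Wrap an operation so it only runs when DRY_RUN is explicitly false.

    In dry-run mode the wrapper returns a plan describing the call it skipped,
    which callers can log or post to Slack instead of executing."""
    @wraps(fn)
    def guarded(*args, env=None, **kwargs):
        if dry_run_enabled(env):
            return {"dry_run": True, "would_call": fn.__name__,
                    "args": args, "kwargs": kwargs}
        return fn(*args, **kwargs)
    return guarded


@destructive
def disable_user(upn):
    # Hypothetical live path; the real Graph or Acumatica call would go here.
    return {"dry_run": False, "disabled": upn}


if __name__ == "__main__":
    print(disable_user("someone@example.com", env={}))              # dry-run plan
    print(disable_user("someone@example.com", env={"DRY_RUN": "false"}))  # live
```

Treating every value other than false as dry-run means a mistyped DRY_RUN=flase in a Railway variable cannot silently flip a job into live mode.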

Health Monitoring

12 probes check infrastructure continuously with Slack alerts on degradation.

Incident Response

  1. Credential exposure: Rotate immediately, check git history, update all consuming services
  2. Account lockout: Wait 15 min or unlock in Acumatica SM201010
  3. Service failure: Check Railway logs, verify Redis connectivity, review session gate state