🔐 Security hardening: auth, rate limiting, brute force protection

- Add comprehensive security package with:
  - API Key generation and validation (SHA256 hash)
  - Password policy enforcement (min 12 chars, complexity)
  - Rate limiting with presets (auth, api, ingest, export)
  - Brute force protection (5 attempts, 15min lockout)
  - Security headers middleware
  - IP whitelisting
  - Audit logging structure
  - Secure token generation

- Enhanced auth middleware:
  - JWT + API Key dual authentication
  - Token revocation via Redis
  - Scope-based authorization
  - Role-based access control

- Updated installer with:
  - Interactive setup for client customization
  - Auto-generated secure credentials
  - Docker all-in-one image
  - Agent installer script

- Added documentation:
  - SECURITY.md - Complete security guide
  - INSTALL.md - Installation guide
  - .env.example - Configuration reference

deploy/docker/Dockerfile

@@ -0,0 +1,119 @@
+# ═══════════════════════════════════════════════════════════
+# 🐍 OPHION - Dockerfile All-in-One
+# Imagem única com Server + Agent + Dashboard
+# ═══════════════════════════════════════════════════════════
+
+# ─────────────────────────────────────────────────────────────
+# Stage 1: Build Go binaries
+# ─────────────────────────────────────────────────────────────
+FROM golang:1.22-alpine AS go-builder
+
+WORKDIR /build
+
+# Dependências
+RUN apk add --no-cache git ca-certificates
+
+# Go modules
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Código fonte
+COPY cmd/ ./cmd/
+COPY internal/ ./internal/
+
+# Build server
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -ldflags="-s -w" -o ophion-server ./cmd/server
+
+# Build agent
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 \
+    go build -ldflags="-s -w" -o ophion-agent ./cmd/agent
+
+# ─────────────────────────────────────────────────────────────
+# Stage 2: Build Dashboard (Next.js)
+# ─────────────────────────────────────────────────────────────
+FROM node:20-alpine AS web-builder
+
+WORKDIR /build
+
+# Dependências
+COPY dashboard/package*.json ./
+RUN npm ci --only=production
+
+# Código fonte
+COPY dashboard/ ./
+
+# Build
+ENV NEXT_TELEMETRY_DISABLED=1
+RUN npm run build
+
+# ─────────────────────────────────────────────────────────────
+# Stage 3: Runtime Image
+# ─────────────────────────────────────────────────────────────
+FROM alpine:3.19
+
+LABEL org.opencontainers.image.title="OPHION"
+LABEL org.opencontainers.image.description="Open Source Observability Platform"
+LABEL org.opencontainers.image.source="https://github.com/bigtux/ophion"
+LABEL org.opencontainers.image.vendor="OPHION"
+LABEL org.opencontainers.image.licenses="AGPL-3.0"
+
+# Dependências runtime
+RUN apk add --no-cache \
+    ca-certificates \
+    tzdata \
+    nodejs \
+    npm \
+    supervisor \
+    curl \
+    bash
+
+# Criar usuário não-root
+RUN addgroup -g 1000 ophion && \
+    adduser -u 1000 -G ophion -s /bin/sh -D ophion
+
+WORKDIR /app
+
+# Copiar binários Go
+COPY --from=go-builder /build/ophion-server /app/bin/
+COPY --from=go-builder /build/ophion-agent /app/bin/
+
+# Copiar Dashboard
+COPY --from=web-builder /build/.next /app/web/.next
+COPY --from=web-builder /build/public /app/web/public
+COPY --from=web-builder /build/package*.json /app/web/
+COPY --from=web-builder /build/node_modules /app/web/node_modules
+
+# Configs
+COPY configs/ /app/configs/
+COPY web/ /app/static/
+
+# Supervisor config
+RUN mkdir -p /etc/supervisor.d
+COPY deploy/docker/supervisord.conf /etc/supervisor.d/ophion.ini
+
+# Diretórios
+RUN mkdir -p /app/data /app/logs && \
+    chown -R ophion:ophion /app
+
+# Script de entrada
+COPY deploy/docker/entrypoint.sh /app/
+RUN chmod +x /app/entrypoint.sh
+
+# Portas
+EXPOSE 8080 3000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+    CMD curl -f http://localhost:8080/health || exit 1
+
+# Variáveis de ambiente padrão
+ENV TZ=America/Sao_Paulo \
+    LOG_LEVEL=info \
+    SERVER_PORT=8080 \
+    DASHBOARD_PORT=3000
+
+USER ophion
+
+ENTRYPOINT ["/app/entrypoint.sh"]
+CMD ["all"]

deploy/docker/entrypoint.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+# ═══════════════════════════════════════════════════════════
+# 🐍 OPHION - Entrypoint
+# ═══════════════════════════════════════════════════════════
+
+set -e
+
+MODE=${1:-all}
+
+echo "🐍 OPHION starting in mode: $MODE"
+
+case "$MODE" in
+    server)
+        echo "Starting API server on port ${SERVER_PORT:-8080}..."
+        exec /app/bin/ophion-server
+        ;;
+    agent)
+        echo "Starting agent..."
+        exec /app/bin/ophion-agent -config /app/configs/agent.yaml
+        ;;
+    web)
+        echo "Starting dashboard on port ${DASHBOARD_PORT:-3000}..."
+        cd /app/web
+        exec npm start
+        ;;
+    all)
+        echo "Starting all services with supervisor..."
+        exec supervisord -c /etc/supervisord.conf
+        ;;
+    *)
+        echo "Unknown mode: $MODE"
+        echo "Usage: entrypoint.sh [server|agent|web|all]"
+        exit 1
+        ;;
+esac

deploy/docker/supervisord.conf

@@ -0,0 +1,26 @@
+[supervisord]
+nodaemon=true
+logfile=/app/logs/supervisord.log
+pidfile=/tmp/supervisord.pid
+user=ophion
+
+[program:ophion-server]
+command=/app/bin/ophion-server
+directory=/app
+autostart=true
+autorestart=true
+stdout_logfile=/app/logs/server.log
+stderr_logfile=/app/logs/server.error.log
+environment=PORT="%(ENV_SERVER_PORT)s"
+
+[program:ophion-web]
+command=npm start
+directory=/app/web
+autostart=true
+autorestart=true
+stdout_logfile=/app/logs/web.log
+stderr_logfile=/app/logs/web.error.log
+environment=PORT="%(ENV_DASHBOARD_PORT)s"
+
+[group:ophion]
+programs=ophion-server,ophion-web