Security Model
How Helyos secures its control plane out of the box — HTTPS by default, bearer-token auth, a hard cleartext guardrail, and a small set of public probe routes.
API Tokens
How Helyos authenticates REST API access with multi-user bearer tokens, from the first-run auto-generated token to named, revocable, Argon2id-hashed tokens.
TLS & CA Pinning
How Helyos secures the control-plane API with a self-signed certificate and how the CLI pins its CA on login (trust-on-first-use, fail-closed fingerprint, or out-of-band PEM).
Secrets Encryption
How Helyos encrypts secrets at rest with AES-256-GCM, derives a per-node master key, and injects values into containers as environment variables.