[SECURITY] Migrate MQTT to authenticated HiveMQ Cloud with TLS

🔒 MQTT Security Migration

Parent: #1

Current State

Using public HiveMQ broker (broker.hivemq.com:1883)
No authentication, no encryption
Anyone can subscribe to farcom/enviro and read sensor data

Goal

Migrate to HiveMQ Cloud (free tier: 100 connections)
Enable TLS/SSL (port 8883)
Add username/password authentication
Store credentials securely via .env file (not in git)

Tasks

Create HiveMQ Cloud account (ref: HiveEmail / HivePw)
Generate cluster credentials
Update Pi script: add TLS context (ssl.create_default_context())
Update Pi script: add username/password to MQTT connect
Update dashboard: switch WebSocket endpoint to wss:// with auth
Test end-to-end encrypted flow
Update docs/CREDENTIALS.md with new reference keys
Remove public broker fallback

Pi Script Changes

# Current (insecure)
client.connect("broker.hivemq.com", 1883, 60)

# Target (secure)
import ssl
context = ssl.create_default_context()
client.username_pw_set(os.environ["MQTT_USER"], os.environ["MQTT_PASS"])
client.tls_set_context(context)
client.connect(os.environ["MQTT_HOST"], 8883, 60)

Risk

Dashboard must be updated simultaneously (breaking change)
Public broker data will stop flowing immediately

Ref: #1 Roadmap — Security & Infrastructure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SECURITY] Migrate MQTT to authenticated HiveMQ Cloud with TLS #2

🔒 MQTT Security Migration

Current State

Goal

Tasks

Pi Script Changes

Risk

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Search code, repositories, users, issues, pull requests...

[SECURITY] Migrate MQTT to authenticated HiveMQ Cloud with TLS #2

Description

🔒 MQTT Security Migration

Current State

Goal

Tasks

Pi Script Changes

Risk

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions