# Global Settings & Password Management


## Overview

Treasury Analytics Core now includes global settings management for centralizing database configuration across multiple projects and tracking password expiration to ensure security best practices.

## Centralized Database Settings

### Benefits of Centralized Settings

- **Reduced Duplication**: Define database connection parameters once instead of in each project
- **Consistency**: Ensure all projects use the same database configuration
- **Security**: Store sensitive configuration in a single, secure location
- **Maintainability**: Change database configuration in one place when needed

### Managing Global Settings

The global settings are stored in a YAML or JSON file in one of these locations (in order of preference):

- `~/.nova_fde/settings.yaml`
- `~/.config/nova_fde/settings.yaml`
- `~/.nova_fde/settings.json`

#### Creating Global Settings

Use the `manage_settings.py` script to create global settings:

``` bash
python -m nova_fde.scripts.manage_settings --create \
  --db-host=your-server.example.com \
  --db-port=5432 \
  --db-name=your_database
```

#### Viewing Global Settings

To see your current global settings:

``` bash
python -m nova_fde.scripts.manage_settings --show
```

#### Global Settings Structure

The global settings file has this structure:

``` yaml
database:
  db_host: your-server.example.com
  db_port: 5432
  db_name: your_database
  db_pool_size: 5
  db_max_retries: 3

password_meta:
  last_updated: '2023-07-01T12:00:00'
  expiry_days: 90
  reminder_days: 14
  rotation_history:
    - date: '2023-07-01T12:00:00'
      by: your_username
```

### Using Global Settings in Your Code

The `EngineFactory` automatically uses global settings when available:

``` python
from nova_fde.core.engine_factory import EngineFactory

# Create engine with global settings and password expiration check
engine = EngineFactory.create_with_auto_auth(
    project_root="./my_project",
    check_password_expiry=True
)
```

You can also programmatically access global settings:

``` python
from nova_fde.core.engine_factory import GlobalSettings

# Load global settings
global_settings = GlobalSettings()
settings = global_settings.get_settings()

# Get database settings
db_settings = global_settings.get_db_settings()
print(f"Database host: {db_settings.get('db_host')}")
```

## Password Expiration Tracking

Treasury Analytics Core includes features to track database password expiration and remind you when passwords need to be rotated, helping maintain security best practices.

### Password Expiration Policy

The default password expiration policy is:

- **Expiry Days**: 90 days after the last update
- **Reminder Days**: Start warning 14 days before expiration

You can customize these settings:

``` bash
# Set password to expire after 120 days, with reminders starting 21 days before
python -m nova_fde.scripts.manage_settings --expiry=120 --reminder=21
```

### Recording Password Updates

When you update your database password, record it to start tracking expiration:

``` bash
python -m nova_fde.scripts.manage_settings --update-password
```

This will:

1.  Record the current date as the last password update
2.  Add an entry to the rotation history
3.  Reset the expiration timer

### Checking Password Expiration

Check the status of your password expiration:

``` bash
python -m nova_fde.scripts.manage_settings --check
```

This will display:

- When the password was last updated
- When the password will expire
- How many days remain until expiration
- Status: OK, WARNING, or EXPIRED
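The status calculation described above can be reproduced from the `password_meta` block alone. The following is an added example, not the project's own code: `password_status` is a hypothetical name, and the boundary handling (WARNING when `reminder_days` or fewer days remain, EXPIRED when no update was ever recorded) is an assumption.

``` python
from datetime import datetime, timedelta


def password_status(meta, now):
    """Return (status, expires_at, days_left) for a password_meta mapping."""
    # Defaults are the policy values documented on this page.
    expiry_days = int(meta.get("expiry_days", 90))
    reminder_days = int(meta.get("reminder_days", 14))
    last = meta.get("last_updated")
    if not last:
        # Assumption: an unrecorded update means unknown age, so fail closed.
        return ("EXPIRED", None, None)
    expires_at = datetime.fromisoformat(last) + timedelta(days=expiry_days)
    days_left = (expires_at - now).days
    if now >= expires_at:
        return ("EXPIRED", expires_at, days_left)
    if days_left <= reminder_days:
        return ("WARNING", expires_at, days_left)
    return ("OK", expires_at, days_left)


# Constructed sample matching the settings structure shown on this page.
SAMPLE_META = {
    "last_updated": "2023-07-01T12:00:00",
    "expiry_days": 90,
    "reminder_days": 14,
}

if __name__ == "__main__":
    for when in ("2023-08-01T12:00:00", "2023-09-20T12:00:00", "2023-10-01T12:00:00"):
        status, expires_at, days_left = password_status(
            SAMPLE_META, datetime.fromisoformat(when)
        )
        print(f"{when}: {status}, expires {expires_at}, {days_left} day(s) left")
```
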

### Automatic Password Expiration Checks

When using the `EngineFactory` with `check_password_expiry=True`, the code automatically checks password expiration when connecting to the database:

``` python
engine = EngineFactory.create_with_auto_auth(
    project_root="./my_project",
    check_password_expiry=True
)
```

This will:

- Display a warning if the password is about to expire
- Show an error if the password has already expired
- Prompt you to continue or cancel if the password has expired

### Calendar Integration

Create a calendar reminder for password rotation:

``` bash
python -m nova_fde.scripts.manage_settings --create-reminder
```

This generates an `.ics` calendar file that you can import into:

- Outlook
- Google Calendar
- Apple Calendar
- Other calendar applications that support iCalendar format

The calendar reminder will:

- Remind you 7 days before the password expires
- Remind you 1 day before the password expires
- Include information about when the password will expire

## Project Integration

### Creating Projects with Global Settings

When creating new projects with the project creation tool, they automatically use global settings:

``` bash
python -m nova_fde.scripts.create_project my_project
```

You can disable global settings if needed:

``` bash
python -m nova_fde.scripts.create_project --no-global-settings my_local_project
```

### Converting Existing Projects

For existing projects, add this line to your `.env` file:

    NOVA_USE_GLOBAL_SETTINGS=true

Then update your code to use `check_password_expiry`:

``` python
engine = EngineFactory.create_with_auto_auth(
    project_root="./my_project",
    check_password_expiry=True
)
```

## Best Practices

1.  **Record Password Updates**: Always run `--update-password` when you update your database password
2.  **Check Regularly**: Run `--check` periodically to monitor password expiration
3.  **Use Calendar Reminders**: Generate and import calendar reminders to avoid missing expiration dates
4.  **Set Appropriate Policies**: Adjust expiry and reminder days to match your organization’s security policies
5.  **Use Global Settings**: Create new projects with global settings to ensure consistency

## Technical Details

### Password Metadata Storage

Password metadata is stored in the global settings file alongside database configuration. The metadata includes:

- `last_updated`: When the password was last changed (ISO format date)
- `expiry_days`: Number of days until password expires
- `reminder_days`: Number of days before expiration to start reminders
- `rotation_history`: List of password update records with dates and usernames

### Calendar File Format

The generated calendar file uses the iCalendar format (RFC 5545) with:

- VEVENT component for the main reminder
- VALARM components for 7-day and 1-day advance reminders
- Standard fields for summary, description, dates, and unique identifiers
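A minimal RFC 5545 file with that layout looks like the output of the sketch below. This is an added example, not the file `--create-reminder` actually writes: `build_rotation_ics` is a hypothetical name, the `PRODID`, `SUMMARY` and `UID` values are placeholders, and modelling the expiry as an all-day event is an assumption.

``` python
from datetime import datetime, timedelta, timezone


def build_rotation_ics(last_updated, expiry_days, uid, now):
    """Return iCalendar text with one VEVENT and 7-day / 1-day VALARMs."""
    expires = datetime.fromisoformat(last_updated) + timedelta(days=expiry_days)
    day = expires.date()
    lines = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//example//password-rotation//EN",  # placeholder product id
        "BEGIN:VEVENT",
        f"UID:{uid}",
        # DTSTAMP must be a UTC date-time; `now` is expected to be tz-aware.
        f"DTSTAMP:{now.astimezone(timezone.utc):%Y%m%dT%H%M%SZ}",
        # All-day event on the expiry date (DTEND is exclusive).
        f"DTSTART;VALUE=DATE:{day:%Y%m%d}",
        f"DTEND;VALUE=DATE:{day + timedelta(days=1):%Y%m%d}",
        "SUMMARY:Database password expires",
        f"DESCRIPTION:Last updated {last_updated}. Expires {day.isoformat()}.",
    ]
    for days_before in (7, 1):
        lines += [
            "BEGIN:VALARM",
            "ACTION:DISPLAY",
            f"DESCRIPTION:Database password expires in {days_before} day(s)",
            # Negative duration: fire this long before DTSTART.
            f"TRIGGER:-P{days_before}D",
            "END:VALARM",
        ]
    lines += ["END:VEVENT", "END:VCALENDAR"]
    # RFC 5545 content lines are CRLF-terminated.
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(build_rotation_ics(
        "2023-07-01T12:00:00", 90,
        "constructed-uid@example.invalid",  # constructed sample UID
        datetime(2023, 7, 1, 12, 0, tzinfo=timezone.utc),
    ))
```
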

### Security Considerations

- Global settings files have 0600 permissions (user read/write only) on Unix systems
- Password history does not store actual passwords, only update records
- The system integrates with secure credential storage (keyring, credential files) for actual passwords
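
The first two points can be verified on disk. The following is an added example, not part of the project: `audit_settings_file`, `find_secret_values` and the `SECRET_HINTS` list are hypothetical, the check reads the JSON variant of the settings file to stay dependency-free, and the `db_password` key in the sample is constructed to trigger a finding.

``` python
import json
import os
import stat
import tempfile

SECRET_HINTS = ("password", "passwd", "secret", "token")  # assumed key-name hints

def find_secret_values(node, path=""):
    """Yield dotted paths of non-empty strings stored under secret-looking keys."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if isinstance(value, str) and value and any(h in key.lower() for h in SECRET_HINTS):
                yield here
            else:  # e.g. password_meta is a mapping, so it is walked, not flagged
                yield from find_secret_values(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_secret_values(item, f"{path}[{i}]")

def audit_settings_file(path):
    """Return a list of findings for a JSON global settings file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit is wider than 0600
        findings.append(f"mode {mode:04o} grants group/other access; expected 0600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    findings += [f"secret-like value stored at {p}" for p in find_secret_values(data)]
    return findings

def demo():
    """Audit a constructed settings file before and after hardening."""
    # Constructed sample; db_password is not a key the page defines.
    sample = {"database": {"db_host": "your-server.example.com", "db_password": "example-only"},
              "password_meta": {"last_updated": "2023-07-01T12:00:00", "expiry_days": 90}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "settings.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        before = audit_settings_file(path)
        del sample["database"]["db_password"]
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o600)
        return before, audit_settings_file(path)
```

Run `audit_settings_file` against `~/.nova_fde/settings.json` in a scheduled job or pre-commit hook; an empty list means both checks passed.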
