Fixed findings

CLAUDE.md

@@ -22,7 +22,7 @@ This is a Docker-based MQTT server setup using Eclipse Mosquitto broker with a w
 
 ### Authentication & Authorization
 - **Dual authentication model**: Supports both anonymous and authenticated users
-- Anonymous users have limited access to `public/#` and `$SYS/#` topics only (defined in config/acl.conf:6-10)
+- Anonymous users have read-only access to `public/#` and `$SYS/#` topics (defined in config/acl.conf:6-10)
 - Authenticated users require username/password stored in `config/passwords.txt`
 - Six user types defined (config/acl.conf):
   - `admin`/`joachim`: Full access (readwrite #)
@@ -35,6 +35,7 @@ This is a Docker-based MQTT server setup using Eclipse Mosquitto broker with a w
 - `config/mosquitto.conf`: Main broker configuration (listeners, persistence, auth, logging)
 - `config/acl.conf`: Access Control Lists defining per-user topic permissions
 - `config/passwords.txt`: Generated by setup.sh, stores hashed passwords (not in repo)
+- `config/passwords.txt.template`: Tracked placeholder copied to `passwords.txt` on bootstrap
 - `.env`: Environment variables for credentials and settings (not in repo, use .env.example)
 - `mqtt-panel-config.json`: Legacy config file (current setup uses mqttui instead of mqtt-panel)
 
@@ -50,7 +51,7 @@ cp .env.example .env
 chmod +x setup.sh test-mqtt.sh
 
 # Start containers
-docker-compose up -d
+docker compose up -d
 
 # Create MQTT users from .env credentials
 ./setup.sh
@@ -59,34 +60,34 @@ docker-compose up -d
 ### Container Management
 ```bash
 # Start all services
-docker-compose up -d
+docker compose up -d
 
 # View logs
-docker-compose logs -f                    # All services
-docker-compose logs -f mosquitto          # Mosquitto only
-docker-compose logs -f mqttui             # MQTTUI only
+docker compose logs -f                    # All services
+docker compose logs -f mosquitto          # Mosquitto only
+docker compose logs -f mqttui             # MQTTUI only
 
 # Restart services
-docker-compose restart                    # All
-docker-compose restart mosquitto          # Mosquitto only
+docker compose restart                    # All
+docker compose restart mosquitto          # Mosquitto only
 
 # Stop and remove containers
-docker-compose down
+docker compose down
 
 # Stop and remove including volumes
-docker-compose down -v
+docker compose down -v
 ```
 
 ### User Management
 ```bash
 # Add/update user password
-docker exec -it mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt USERNAME PASSWORD
+docker compose exec -T mosquitto mosquitto_passwd -b /mosquitto/config/passwords.txt USERNAME PASSWORD
 
 # Delete user
-docker exec -it mosquitto mosquitto_passwd -D /mosquitto/config/passwords.txt USERNAME
+docker compose exec -T mosquitto mosquitto_passwd -D /mosquitto/config/passwords.txt USERNAME
 
 # After modifying users or ACL, restart Mosquitto
-docker-compose restart mosquitto
+docker compose restart mosquitto
 ```
 
 ### Testing & Debugging
@@ -94,24 +95,21 @@ docker-compose restart mosquitto
 # Run test script (sends sample messages to various topics)
 ./test-mqtt.sh
 
-# Publish to public topic (no auth required)
-docker exec mosquitto mosquitto_pub -h localhost -t "public/test" -m "Hello"
+# Subscribe to public topic (no auth required)
+docker compose exec -T mosquitto mosquitto_sub -h localhost -t "public/#" -v
 
 # Publish with authentication
-docker exec mosquitto mosquitto_pub -h localhost -t "sensors/temperature" -m "22.5" -u admin -P admin123
+docker compose exec -T mosquitto mosquitto_pub -h localhost -t "sensors/temperature" -m "22.5" -u admin -P $MQTT_ADMIN_PASSWORD
 
 # Subscribe to all topics
-docker exec mosquitto mosquitto_sub -h localhost -t '#' -v -u admin -P admin123
-
-# Subscribe to public topics only (no auth)
-docker exec mosquitto mosquitto_sub -h localhost -t 'public/#' -v
+docker compose exec -T mosquitto mosquitto_sub -h localhost -t '#' -v -u admin -P $MQTT_ADMIN_PASSWORD
 
 # Test Mosquitto configuration
-docker exec mosquitto mosquitto -c /mosquitto/config/mosquitto.conf -v
+docker compose exec -T mosquitto mosquitto -c /mosquitto/config/mosquitto.conf -v
 
 # Access container shell
-docker exec -it mosquitto sh
-docker exec -it mqttui sh
+docker compose exec -it mosquitto sh
+docker compose exec -it mqttui sh
 ```
 
 ## Important Notes
@@ -119,7 +117,7 @@ docker exec -it mqttui sh
 ### Security Considerations
 - `.env` file contains all credentials and MUST NOT be committed (already in .gitignore)
 - Default passwords in .env.example must be changed for production
-- Anonymous access is enabled but restricted to `public/#` topics via ACL
+- Anonymous access is enabled but restricted to read-only `public/#` topics via ACL
 - All credentials are loaded from .env by setup.sh (lines setup.sh:8-18)
 - The SECRET_KEY in .env is used by mqttui for session management
 
@@ -128,10 +126,10 @@ docker exec -it mqttui sh
 - Anonymous users get explicit rules defined under `user anonymous`
 - Authenticated users inherit their specific user rules
 - Pattern `#` is wildcard for all topics, `+` for single-level wildcard
-- After ACL changes, always restart mosquitto: `docker-compose restart mosquitto`
+- After ACL changes, always restart mosquitto: `docker compose restart mosquitto`
 
 ### MQTTUI Dashboard
-- The docker-compose.yml uses mqttui (not mqtt-panel as mentioned in README.md)
+- The docker compose.yml uses mqttui (not mqtt-panel as mentioned in README.md)
 - Dashboard connects to broker using credentials from .env: MQTT_PANEL_USERNAME/PASSWORD
 - Database storage enabled (DB_PATH=/app/data/mqtt_messages.db) with cleanup after 30 days
 - Max 10,000 messages retained in database (DB_MAX_MESSAGES)
@@ -140,12 +138,12 @@ docker exec -it mqttui sh
 ### File Permissions
 - Mosquitto runs as UID:GID specified in .env (default 1000:1000)
 - Ensure config/, data/, and log/ directories have correct permissions
-- passwords.txt should be readable by the mosquitto user (chmod 644)
+- config/passwords.txt should be readable by the mosquitto user (chmod 640)
 
 ### Persistence
 - MQTT messages persist in `./data/mosquitto.db`
 - MQTTUI data stored in `./mqttui-data/mqtt_messages.db`
-- To completely reset: `docker-compose down -v` and remove data/log directories
+- To completely reset: `docker compose down -v` and remove data/log directories
 
 ## Endpoints
 
@@ -160,16 +158,16 @@ docker exec -it mqttui sh
 2. Update setup.sh to create the user (lines setup.sh:59-86)
 3. Add ACL rules in config/acl.conf
 4. Run `./setup.sh` to create user
-5. Restart mosquitto: `docker-compose restart mosquitto`
+5. Restart mosquitto: `docker compose restart mosquitto`
 
 ### Debugging ACL Issues
 1. Enable verbose logging in config/mosquitto.conf (add `log_type all`)
-2. Restart mosquitto: `docker-compose restart mosquitto`
-3. Check logs: `docker-compose logs -f mosquitto`
+2. Restart mosquitto: `docker compose restart mosquitto`
+3. Check logs: `docker compose logs -f mosquitto`
 4. Look for "DENIED" messages indicating ACL blocks
 
 ### Client Integration
 - Use MQTT port 1883 for native MQTT clients (Python paho-mqtt, etc.)
 - Use WebSocket port 9001 for browser-based clients
 - Provide username/password from .env for authenticated topics
-- Use anonymous connection only for public/* topics
+- Use anonymous connection only for read-only public/* topics