Credential Store & Kali

flowchart LR
    %% Actor
    User[User]

    %% Core Services
    N8N[n8n Workflow Engine]
    PG[(PostgreSQL<br>Encrypted Credentials)]
    Vault[Credential Vault API<br>Fernet + HTTPS]
    Kali[Kali Linux Executor<br>Docker Container]

    %% Runtime Storage
    TmpFS["/tmp tmpfs<br>RAM only storage"]
    CredDir["/tmp/pentest_id/credentials<br>RAM only"]

    %% Auth
    APIKey[X-Api-Key<br>User scoped]

    %% Main Flow
    User -->|1. Create pentest with credentials| N8N
    N8N -->|pentest_id returned| User

    N8N -->|2. Store credentials<br>Fernet encrypted| PG

    N8N -->|3. Request credentials<br>HTTPS + X-Api-Key| Vault
    APIKey --> Vault
    Vault -->|Decrypt credentials<br>User access enforced| N8N
    Vault -->|Encrypted at rest| PG

    N8N -->|4. Ensure Linux user<br>Generate SSH key if missing| Kali

    Kali -->|5. Create isolated folder| TmpFS
    TmpFS -->|/tmp/pentest_id<br>uid gid restricted| CredDir

    N8N -->|6. Write credentials<br>RAM only never on disk| CredDir

    N8N -->|7. Execute commands<br>SSH user scoped| Kali

    %% Security Properties
    subgraph Security_Guarantees
        S1[Per pentest Linux user]
        S2[SSH execution per user<br>No privilege escalation]
        S3["tmpfs and /dev/shm<br>No persistent storage"]
        S4[Credential access limited<br>by X-Api-Key ownership]
    end

    Kali --- S1
    Kali --- S2
    CredDir --- S3
    Vault --- S4