doc: reviewed security model

following coments in https://www.reddit.com/r/rust/comments/18f0ai3/i_wrote_a_secret_environment_manager_in_rust_id/

docs/src/security.md

@@ -1,39 +1,44 @@
 # Novops Security Model
 
 - [Overview](#overview)
-- [In-memory temporary secrets](#in-memory-temporary-secrets)
-  - [Wait... Novops may create files but does not write to disk? 🤔](#wait-novops-may-create-files-but-does-not-write-to-disk-)
-  - [With XDG_RUNTIME_DIR](#with-xdg_runtime_dir)
-  - [Without XDG_RUNTIME_DIR](#without-xdg_runtime_dir)
+- [Novops security added value](#novops-security-added-value)
+- [Temporary secrets and secure directories](#temporary-secrets-and-secure-directories)
+    - [With XDG\_RUNTIME\_DIR](#with-xdg_runtime_dir)
+    - [Without XDG\_RUNTIME\_DIR](#without-xdg_runtime_dir)
+- [Limitations](#limitations)
+  - [How can I make my setup more secure?](#how-can-i-make-my-setup-more-secure)
 - [External libraries and CVEs](#external-libraries-and-cves)
 
 ## Overview
 
-Novops load secrets safely. In short:
-- Secrets are loaded directly in-memory so they are kept only for as long as they are needed
-- Novops does not persist any secret. `.novops.yml` config file does not contain any secret and can be safely versionned with Git or version control tool.
+Novops does its best to load secrets securely, but some points must be considered. In short:
+- Novops ensures secrets can't be read by another user and won't be persisted by storing them directly in-memory or under secure temporary directories.
+- Novops itself does not persist any secret. `.novops.yml` config file does not contain any secret and can be safely versionned with Git or version control tool.
 - Libraries used are carefully chosen and regularly updated.
 
-## In-memory temporary secrets
+## Novops security added value
 
-Novops load secrets in-memory, mainly as environment variables but also as files. By sourcing them into your current shell session or using `novops run` to run a sub-process with variables, you ensure variables will only persist for as long as they're needed and no other process or user can access them.
+Secrets are often mishandled during local development and using CI: stored permanently under git-ignored directories, `$HOME/...` sub-folders, spread across CI servers config... 
 
-### Wait... Novops may create files but does not write to disk? 🤔
+Such manual secret management is risky even done with best practice in mind. Using Secret Managers like [Hashicorp Vault](https://www.vaultproject.io/) or [Cloud](https://www.google.com/search?client=firefox-b-d&q=cloud+secret+managers) [secret](https://aws.amazon.com/secrets-manager/) [managers](https://azure.microsoft.com/en-us/products/key-vault/), Novops help handling secrets more securely during local development and on CI. 
 
-Novops may generate files in some situations - but they're written to a [`tmpfs` file system](https://www.kernel.org/doc/html/latest/filesystems/tmpfs.html) (in-memory file system), not on hard drive disk ! Furthermore, Novops uses a secure directory only user running Novops can access (`XDG_RUNTIME_DIR` or secure directory in `/tmp`, see below).
+## Temporary secrets and secure directories
 
-Novops may generate files when:
-- Using `novops load -s SYMLINK` creates an exportable `dotenv` file in s secure directory
-- Using the [`files`](config/files-variables.md) module
+Novops generate secrets as environment variables and files to be used by sub-processes. Secret files are written to a [`tmpfs` file system](https://www.kernel.org/doc/html/latest/filesystems/tmpfs.html) (in-memory file system) under a protected directory only the user running Novops (or `root`) can access (`XDG_RUNTIME_DIR` by default or a protected directory in `/tmp`).
 
 In short:
-- If `XDG_RUNTIME_DIR` variable exists, Novops will save files in this secure directory
+- If `XDG_RUNTIME_DIR` exists, Novops will save files in this secure directory
 - Otherwise files are saved under a user-specific `/tmp` directory
-- Alternatively you can specify `novops load -w PATH` to point to a custom secure directory
+- Alternatively you can specify `novops load -w PATH` to point to a custom secure directory, though you're responsible to ensure usage of secure directory (only your user can read/write and should not be persisted on disk)
 
-_Note: using environment variables is still safer than files, so prefer environment variables if you can !_
+Files potentially generated by Novops:
+- `novops load -s SYMLINK` creates an exportable `dotenv` file in protected directory
+- The [`files`](config/files-variables.md) module generate files in protected directory by default
+- Environment variables for processes are stored under `/proc/${pid}/environ`
 
-### With XDG_RUNTIME_DIR
+This offers a better protection than keeping secrets directly on-disk or manually managing them.
+
+#### With XDG_RUNTIME_DIR
 
 If `XDG_RUNTIME_DIR` variable is set, secrets are stored as files under a subdirectory of `XDG_RUNTIME_DIR`. In short, this directory is:
 - Owned and read/writable only by current user
@@ -47,15 +52,34 @@ To read more about XDG Runtime Dir, see:
 - [Official XDG specifications](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html)
 - [This stack exchange post](https://askubuntu.com/questions/872792/what-is-xdg-runtime-dir)
 
-### Without XDG_RUNTIME_DIR
+#### Without XDG_RUNTIME_DIR
 
-If `XDG_RUNTIME_DIR` is not available, Novops will issue a warning and try to emulate a XDG-lke behavior under a `/tmp` sub-folder. There's not guarantee it will fully implement [XDG specs](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html), but directory is created such as:
+If `XDG_RUNTIME_DIR` is not available, Novops will issue a warning and try to emulate a XDG-like behavior under a `/tmp` sub-folder. There's no guarantee it will fully implement [XDG specs](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html), but directory is created such as:
 
 - Owned and read/writable only by current user
 - By using a `/tmp` sub-folder, we reasonably assume content won't persist between reboot and logout
 
 See `prepare_working_directory()` in [`src/lib.rs`](https://github.com/PierreBeucher/novops/blob/main/src/lib.rs)
 
+This may be less secure. Novops will issue a warning in such situation, and you're advised to use a system with `XDG_RUNTIME_DIR` available.
+
+## Limitations
+
+Novops does its best to provide a more secure way of handling secrets, though it's not 100% bullet-proof:
+
+- Using `tmpfs` should use in-memory file system - but secrets may be swapped to disk. Writing to disk may present a security risk.
+- Environment variables and files can be read by another process running as the same user running Novops. 
+- A `root` or equivalent user may be able to access secrets, even if they are in memory or in secure folders.
+
+These are OS limitations, Novops alone can't solve them. Even [Hashicorp Vault](https://developer.hashicorp.com/vault/tutorials/operations/production-hardening), which can be seen as a very good security tools, has similar limitations.
+
+### How can I make my setup more secure?
+
+- Disable swap. This will prevent secrets from being written to disk. (this will eventually be mitigated by [#75](https://github.com/PierreBeucher/novops/issues/75))
+- Disable core dumps. A root user may be able to force core dumps and retrieve secrets from memory.
+
+Overall, Novops is just an added security layer in your security scheme and is limited by surrounding environment and underlying usage. You should always [follow security best practices](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html) for secret management. 
+
 ## External libraries and CVEs
 
 Novops uses open source libraries and update them regularly to latest version to get security patches and CVE fixes.