Secure — overview
Who can sign in (local or OIDC), what they can do (roles + permissions with allow/deny grammar), and what's encrypted at rest. The two layers of Liberty's security model.
Sign-in — local and OIDC
Pick the identity backend (TOML or DB), configure local users, optionally enable OIDC against any compliant provider (Keycloak, Azure AD, Auth0, Okta…). What the user sees at sign-in.
Roles and permissions
Compose roles with the PermissionPicker — baseline (No access / Full access) plus allow / deny rules per surface. The full grammar, the resolution order, the standard recipes.
Users
The Settings → Access → Users tab — add local users, manage OIDC users that landed at first sign-in, assign roles, toggle is_active and is_superuser, reset passwords.
Encrypted secrets
The 🔒 toggle that encrypts secret fields at rest — what gets encrypted, how AES-256-GCM is wired, where the master key lives, the ENC: prefix, and the rotation story.
License key
What the license gates (the bundled vendor products — Nomasx-1, Nomajde, NomaUBL…), where to set it (app.toml or LIBERTY_LICENSE_KEY env var), and what happens when it's missing or expired.