[SECURITY] Migrate MQTT to authenticated HiveMQ Cloud with TLS

[farcomiot]

🔒 MQTT Security Migration

Parent: #1

Current State

• Using public HiveMQ broker (broker.hivemq.com:1883)
• No authentication, no encryption
• Anyone can subscribe to farcom/enviro and read sensor data

Goal

• Migrate to HiveMQ Cloud (free tier: 100 connections)
• Enable TLS/SSL (port 8883)
• Add username/password authentication
• Store credentials securely via .env file (not in git)

Tasks

• Create HiveMQ Cloud account (ref: HiveEmail / HivePw)
• Generate cluster credentials
• Update Pi script: add TLS context (ssl.create_default_context())
• Update Pi script: add username/password to MQTT connect
• Update dashboard: switch WebSocket endpoint to wss:// with auth
• Test end-to-end encrypted flow
• Update docs/CREDENTIALS.md with new reference keys
• Remove public broker fallback

Pi Script Changes

# Current (insecure)
client.connect("broker.hivemq.com", 1883, 60)

# Target (secure)
import ssl
context = ssl.create_default_context()
client.username_pw_set(os.environ["MQTT_USER"], os.environ["MQTT_PASS"])
client.tls_set_context(context)
client.connect(os.environ["MQTT_HOST"], 8883, 60)

Risk

• Dashboard must be updated simultaneously (breaking change)
• Public broker data will stop flowing immediately

---

Ref: #1 Roadmap — Security & Infrastructure