Configuration & Security Hardening

[askdba]

• Enforce config file permissions: The README warns that the config file should only be readable by the mysql OS user, but enforcement is not mentioned. Consider adding runtime checks (ownership/permissions) during plugin init or load to avoid accidental credential exposure.

• Document supported configuration options more explicitly: The README lists the config file keys, but a dedicated section with defaults, validation rules, and examples (including TLS/SSL, if applicable) would reduce misconfiguration risk.

[askdba]

Triage: please clarify scope (configs, secrets, hardening steps) and whether this is a roadmap item vs actionable tasks. Happy to break into sub-issues once scope is defined.