Chore: move SSO docs to security section (#4896)

Author: treysp

docs/cloud/features/scheduler/airflow.md

@@ -52,7 +52,7 @@ $ pip install tobiko-cloud-scheduler-facade[airflow]
 
 ### Connect Airflow to Tobiko Cloud
 
-First, provision an OAuth Client for Airflow to use by following the guide on how to [provision client credentials](../single_sign_on.md#provisioning-client-credentials).
+First, provision an OAuth Client for Airflow to use by following the guide on how to [provision client credentials](../security/single_sign_on.md#provisioning-client-credentials).
 
 After provisioning the credentials, you can obtain the `Client ID` and `Client Secret` values for Airflow to use to connect to Tobiko Cloud.
 

docs/cloud/features/scheduler/dagster.md

@@ -57,7 +57,7 @@ Dagster recommends [injecting secret values using Environment Variables](https:/
 
 On this page, we demonstrate the secrets method Dagster recommends for **local development**.
 
-First, provision an OAuth Client for Dagster to use by following the guide on how to [provision client credentials](../single_sign_on.md#provisioning-client-credentials).
+First, provision an OAuth Client for Dagster to use by following the guide on how to [provision client credentials](../security/single_sign_on.md#provisioning-client-credentials).
 
 After provisioning the credentials, you can obtain the `Client ID` and `Client Secret` values for Dagster to use to connect to Tobiko Cloud.
 
@@ -374,8 +374,8 @@ customer_revenue_by_day = AssetKey(["postgres", "sushi", "customer_revenue_by_da
 | Option                     | Description                                                                                                                                                                            | Type | Required |
 |----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|:----:|:--------:|
 | `url`                      | The Base URL to your Tobiko Cloud instance                                                                                                                                             | str  | Y        |
-| `oauth_client_id`          | OAuth Client ID of the credentials you [provisioned](../single_sign_on.md#provisioning-client-credentials) for Dagster                                                                 | str  | N        |
-| `oauth_client_secret`      | OAuth Client Secret of the credentials you [provisioned](../single_sign_on.md#provisioning-client-credentials) for Dagster                                                             | str  | N        |
+| `oauth_client_id`          | OAuth Client ID of the credentials you [provisioned](../security/single_sign_on.md#provisioning-client-credentials) for Dagster                                                                 | str  | N        |
+| `oauth_client_secret`      | OAuth Client Secret of the credentials you [provisioned](../security/single_sign_on.md#provisioning-client-credentials) for Dagster                                                             | str  | N        |
 | `dagster_graphql_host`     | Hostname of the Dagster Webserver GraphQL endpoint                                                                                                                                     | str  | N        |
 | `dagster_graphql_port`     | Port of the Dagster Webserver GraphQL endpoint                                                                                                                                         | int  | N        |
 | `dagster_graphql_kwargs`   | Extra args to pass to the [DagsterGraphQLClient](https://docs.dagster.io/api/python-api/libraries/dagster-graphql#dagster_graphql.DagsterGraphQLClient) class when it is instantiated  | dict | N        |

docs/cloud/features/scheduler/hybrid_executors_docker_compose.md

@@ -19,7 +19,7 @@ Both executors must be properly configured with environment variables to connect
 
 - Access to a [data warehouse supported by Tobiko Cloud](../../../integrations/overview.md#execution-engines) (e.g., Postgres, Snowflake, BigQuery)
 - Docker and Docker Compose
-- A Tobiko Cloud account with [client ID and client secret](../single_sign_on.md#provisioning-client-credentials)
+- A Tobiko Cloud account with [client ID and client secret](../security/single_sign_on.md#provisioning-client-credentials)
 
 ## Quick start guide
 

docs/cloud/features/scheduler/hybrid_executors_helm.md

@@ -17,7 +17,7 @@ Both executors must be properly configured with environment variables to connect
 
 - Access to a [data warehouse supported by Tobiko Cloud](../../../integrations/overview.md#execution-engines) (e.g., Postgres, Snowflake, BigQuery)
 - Helm 3.8+
-- A Tobiko Cloud account with [client ID and client secret](../single_sign_on.md#provisioning-client-credentials)
+- A Tobiko Cloud account with [client ID and client secret](../security/single_sign_on.md#provisioning-client-credentials)
 
 ## Quick start guide
 
@@ -267,7 +267,7 @@ run:
 
 ## Defining Custom Environment Variables
 
-If there are additional environment variables that are required to run your project, you will want to define them for both the apply and run executors. 
+If there are additional environment variables that are required to run your project, you will want to define them for both the apply and run executors.
 
 ```yaml
 apply:

docs/cloud/features/scheduler/hybrid_executors_overview.md

@@ -57,7 +57,7 @@ One important type of environment variable is the `TCLOUD` variables used for co
 
 The first required `TCLOUD` variable is a unique Tobiko Cloud URL for your project, which your Solutions Architect will provide after your project is created.
 
-You also need the Client ID and Client Secret variables, which are generated when you [create an OAuth Client](../single_sign_on.md#provisioning-client-credentials) in the Tobiko Cloud UI.
+You also need the Client ID and Client Secret variables, which are generated when you [create an OAuth Client](../security/single_sign_on.md#provisioning-client-credentials) in the Tobiko Cloud UI.
 
 Specify the URL, Client ID, and Client Secret in these environment variables:
 

docs/cloud/features/security/security.md

@@ -1,15 +1,15 @@
 # Security Overview
 
 
-At Tobiko, we treat security as a first-class citizen because we know how valuable your data assets are. Our team follows and executes security best practices across each layer of our product. 
+At Tobiko, we treat security as a first-class citizen because we know how valuable your data assets are. Our team follows and executes security best practices across each layer of our product.
 
 ## Tobiko Cloud Standard Deployment
 
-Our standard Tobiko Cloud deployment consists of several components that are each responsible for different parts of the product. 
+Our standard Tobiko Cloud deployment consists of several components that are each responsible for different parts of the product.
 
-Below is a diagram of the components along with their descriptions. 
+Below is a diagram of the components along with their descriptions.
 
-![tobiko_cloud_standard_deployment](./tcloud_standard_deployment.png){ width=80% height=60% style="display: block; margin: 0 auto" }
+![tobiko_cloud_standard_deployment](./security/tcloud_standard_deployment.png){ width=80% height=60% style="display: block; margin: 0 auto" }
 
 - **Scheduler**: Orchestrates schedule cadence and hosts state metadata (code versions, logs, cost)
 - **Executor**: Applies code changes and runs SQL queries (actual data processing in SQL Engine) and Python models in proper DAG order.
@@ -18,29 +18,29 @@ Below is a diagram of the components along with their descriptions.
 
 ## Tobiko Cloud Hybrid Deployment
 
-For some customers, our hybrid deployment option is a great fit. It provides a seamless experience with Tobiko Cloud but within your own VPC and infrastructure.  
+For some customers, our hybrid deployment option is a great fit. It provides a seamless experience with Tobiko Cloud but within your own VPC and infrastructure.
 
-In a hybrid deployment, Tobiko Cloud does not execute tasks directly with the engine. Instead, it passes tasks to the executors hosted in your environment, which then execute the tasks with the engine. 
+In a hybrid deployment, Tobiko Cloud does not execute tasks directly with the engine. Instead, it passes tasks to the executors hosted in your environment, which then execute the tasks with the engine.
 
 Executors are Docker containers that connect to both Tobiko Cloud and your SQL engine. They pull work tasks from the Tobiko Cloud scheduler and execute them with your SQL engine. This is a pull-only mechanism authenticated through an OAuth Client ID/Secret. Whitelist IPs in your network to allow reaching Tobiko Cloud IPs from the executor: 34.28.17.91, 34.136.27.153, 34.136.131.20
 
-Below is a diagram of the components along with their description. 
+Below is a diagram of the components along with their description.
 
-![tobiko_cloud_hybrid_deployment](./tcloud_hybrid_deployment.png){ width=80% height=60% style="display: block; margin: 0 auto" }
+![tobiko_cloud_hybrid_deployment](./security/tcloud_hybrid_deployment.png){ width=80% height=60% style="display: block; margin: 0 auto" }
 
 - **Scheduler**: Orchestrates schedule cadence and hosts state metadata (code versions, logs, cost). **Never pushes** instructions to executor.
 - **Executor**: Appplies code changes and runs SQL queries and Python models in proper DAG order (actual data processing in SQL Engine)
 - **Gateway**: Stores authentication credentials for SQL Engine. Secured through your secrets manager or Kubernetes Secrets.
 - **SQL Engine**: Processes and stores data based on the above instructions
-- **Executor -> Scheduler**: A pull-only mechanism for obtaining work tasks. 
+- **Executor -> Scheduler**: A pull-only mechanism for obtaining work tasks.
 - **Helm Chart**: For production environements, we provide a [Helm chart](../scheduler/hybrid_executors_helm.md) that includes robust configurability, secret management, and scaling options.
 - **Docker Compose**: For simpler environments or testing, we offer a [Docker Compose setup](../scheduler/hybrid_executors_docker_compose.md) to quickly deploy executors on any machine with Docker.
 
 
 
 ## Internal Code Practices
 
-We enforce coding standards throughout Tobiko to write, maintain, and collaborate on code effectively. These practice ensure consistency, maintainability, reliability, and most importantly, trust. 
+We enforce coding standards throughout Tobiko to write, maintain, and collaborate on code effectively. These practice ensure consistency, maintainability, reliability, and most importantly, trust.
 
 A few key components of our internal code requirements:
 
@@ -49,19 +49,19 @@ A few key components of our internal code requirements:
 - We sign commits and register the key with GitHub ([Github Docs](https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits)).
 - Binaries are signed using cosign and OIDC for keyless ([Signing docs](https://docs.sigstore.dev/cosign/signing/overview/)).
 - Attestations are created to certify an image, enforced with GCP Binary Authorization ([Attestation docs](https://cloud.google.com/binary-authorization/docs/key-concepts#attestations)).
-- Encryption is a key feature of our security posture and is enforced at each stage of access. For example, the state database automatically encrypts all data. Credentials are also securely encrypted and stored. 
+- Encryption is a key feature of our security posture and is enforced at each stage of access. For example, the state database automatically encrypts all data. Credentials are also securely encrypted and stored.
 - We back up each state database nightly and before upgrades. These backups are stored for 14 days.
 
 ## Penetration Testing
 
 At least once a year, Tobiko engages a third-party security firm to perform a penetration test. This test evaluates our systems by identifying and attempting to exploit known vulnerabilities, focusing on critical external and/or internal assets. A detailed report is available upon request.
- 
 
-## Asset and Access Management 
+
+## Asset and Access Management
 
 ### How do we protect PGP keys?
 
-If an employee loses their laptop, we don't need to get the old PGP key back because we can invalidate the key directly. 
+If an employee loses their laptop, we don't need to get the old PGP key back because we can invalidate the key directly.
 
 We use GitHub to sign code commits. At the time the code was committed, the PGP key was valid. When an employee loses their laptop, we will invalidate it, and they will regenerate a new key to use in future commits. The old commits are still valid because the PGP key was valid at the time the commit was made.
 
@@ -77,4 +77,3 @@ We would revoke access for the GitHub user account associated with the compromis
 - We follow a formal IT asset disposal procedure to prevent key compromise through improper hardware disposal.
 - See above for PGP key protection.
 - Binaries are signed using Cosign and OIDC for keyless signing.
-