Add CLI reset-password command documentation

[renehonig]

Add CLI reset-password command documentation

Summary

This PR adds documentation for the new reset-password CLI command that was implemented to address security concerns from issue #588.

Changes

Modified Files

• chirpstack-docs/src/chirpstack/use/cli-commands.md - Added comprehensive documentation for the reset-password command including:
  • Command usage and options
  • Multiple input methods (interactive, file, stdin)
  • Security considerations
  • Password requirements (NIST 800-63b compliant)

Documentation Preview

reset-password

Reset a user's password without API access. This command is useful for:

• Initial setup of fresh installations
• Automated deployment scripts
• Recovery from forgotten passwords

Usage:

chirpstack --config /etc/chirpstack reset-password --email <EMAIL> [OPTIONS]

Options:

Option	Description
-e, --email <EMAIL>	User email address (required)
-p, --password-file <FILE>	Path to file containing new password
--stdin	Read password from stdin

Examples:

# Interactive password reset
chirpstack --config /etc/chirpstack reset-password -e [email protected]

# Password from file
chirpstack --config /etc/chirpstack reset-password -e [email protected] -p /tmp/pw.txt

# Password from stdin (recommended for scripts)
echo "SecurePassword123" | chirpstack --config /etc/chirpstack reset-password -e [email protected] --stdin

Security Notes

• Uses PBKDF2-SHA512 with 1 iteration (same as existing authentication)
• NIST 800-63b compliant password validation (8-128 characters)
• Maximum 128 character length to prevent DoS attacks
• Interactive prompts mask password input
• Password files should have chmod 600 permissions

Testing

The documentation was validated by:

• Verifying all example commands are syntactically correct
• Confirming security considerations match implementation
• Ensuring password requirements align with the rpassword crate validation

[Copilot]

Pull request overview

This PR introduces dedicated documentation for the new chirpstack reset-password CLI command and wires it into the docs navigation and changelog so users can discover and use it for secure password management.

Changes:

• Added chirpstack/use/cli-commands.md documenting CLI usage, with a focus on the new reset-password command and its security implications.
• Updated the ChirpStack changelog with a v4.17.0 entry describing the new CLI feature and linking to the CLI documentation.
• Linked the new CLI commands page from the main SUMMARY.md navigation under “Use”.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File	Description
src/chirpstack/use/cli-commands.md	New CLI commands overview, including detailed reset-password usage, options, examples, and security considerations.
src/chirpstack/changelog.md	Adds v4.17.0 “CLI reset-password command” feature entry and points readers to the CLI commands doc.
src/SUMMARY.md	Adds the “CLI commands” page to the “Use” section so the new documentation is discoverable.

Additional suggestion (non-blocking): If the chirpstack --help output has been updated to include reset-password, import-device-profiles, and migrate-device-profile-templates, consider updating the CLI snippet in src/chirpstack/configuration.md in a follow-up so the inline help example stays in sync with the actual binary.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

In this example you both (a) hardcode the password directly in the command line and (b) describe stdin as "recommended for scripts", but in the "Password handling" table below stdin is classified as "Low" security and you warn about shell history. Hardcoding the password in the echo command will almost always end up in shell history and can also be exposed via process inspection, which conflicts with the security guidance you give later. Consider aligning the recommendation with the table (e.g., recommend the file-based flow for most scripted usage and treat stdin as an advanced option), and update the stdin example to avoid embedding the cleartext password directly in the command line.