Beta

Project security model

Security depends on explicit authority, fail-closed capabilities, protected signing material, hostile-input assumptions, and private disclosure.

Trust boundaries

  • The backend that owns an order is authoritative for its state and protected transitions.
  • The client is untrusted input and a presentation layer; hiding a control never replaces server authorization.
  • Payment rails, RPCs, indexers, plugins, webhooks, media, and delivery systems are external dependencies with their own failure and threat models.
  • Extensions receive minimum typed projections and scoped handles, not general database or Core access.
  • Sensitive actions remain auditable without placing secrets or unnecessary personal data in logs.
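The boundaries above, as an added example that is not the project's own code: the backend applies a client-requested order transition only if the transition exists and the caller's session carries the capability for it (denying anything unlisted), and every decision is written to an audit trail that never contains the session token or the customer's e-mail address. All names here (Order, Session, TRANSITIONS, the capability strings) are hypothetical and the data is constructed.

```python
"""Added example (not the project's own code): a fail-closed order transition
behind a capability check, with an audit trail that carries no secrets or PII.

Assumptions (hypothetical names): an in-memory Order with a fixed state machine,
a Session whose capability set is the only source of authority, and a list
standing in for the audit log.
"""
from dataclasses import dataclass
import json

# Allowed (from_state, to_state) -> capability required. Anything not listed is denied.
TRANSITIONS = {
    ("created", "paid"): "order.pay",
    ("created", "cancelled"): "order.cancel",
    ("paid", "shipped"): "order.ship",
    ("paid", "refunded"): "order.refund",
}


@dataclass
class Order:
    order_id: str
    state: str
    customer_email: str  # personal data: must not appear in the audit log


@dataclass
class Session:
    actor_id: str           # pseudonymous actor id, safe to log
    capabilities: frozenset  # server-issued; the client cannot extend this
    token: str               # secret: must not appear in the audit log


class Denied(Exception):
    pass


AUDIT = []  # stand-in for the audit sink


def _audit(event, **fields):
    # Only ids, states and a reason are recorded, never the session or the order object.
    AUDIT.append({"event": event, **fields})


def transition(order, session, target):
    """Apply a client-requested transition. Whatever the client claims it may do
    is ignored; the server-held capability set decides, and unknown input is denied."""
    if not isinstance(target, str) or not target:  # hostile input: wrong type or empty
        _audit("transition.denied", order=order.order_id, actor=session.actor_id,
               reason="bad_target")
        raise Denied("bad target")
    needed = TRANSITIONS.get((order.state, target))
    if needed is None:  # no such edge in the state machine: fail closed
        _audit("transition.denied", order=order.order_id, actor=session.actor_id,
               frm=order.state, to=target, reason="no_such_transition")
        raise Denied("no such transition")
    if needed not in session.capabilities:  # edge exists, caller lacks authority
        _audit("transition.denied", order=order.order_id, actor=session.actor_id,
               frm=order.state, to=target, reason="missing_capability", needed=needed)
        raise Denied("missing capability")
    previous, order.state = order.state, target
    _audit("transition.applied", order=order.order_id, actor=session.actor_id,
           frm=previous, to=target)
    return order.state


def audit_is_clean(order, session):
    """True when the audit trail contains neither the session secret nor the customer's e-mail."""
    blob = json.dumps(AUDIT)
    return session.token not in blob and order.customer_email not in blob


if __name__ == "__main__":
    # Constructed sample: a customer session that may pay but not ship.
    order = Order("o-1001", "created", "alice@example.com")
    session = Session("u-42", frozenset({"order.pay"}), "tok-do-not-log")
    print(transition(order, session, "paid"))          # paid
    try:
        transition(order, session, "shipped")          # denied: no order.ship capability
    except Denied as exc:
        print("denied:", exc)
    print(json.dumps(AUDIT, indent=1))
    print("audit clean:", audit_is_clean(order, session))
```

Note that the denial for a missing capability is distinguishable in the audit trail from a nonsensical transition, which is what an analyst needs when reviewing a burst of denied attempts, while the log line itself stays free of the token and e-mail address.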

Release and supply chain

The current release is a pre-release candidate. Final artifacts require vulnerability scanning, dependency and license review, SBOM generation, checksums, provenance, reproducibility evidence, secret scans, and platform-specific validation.
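One of the listed requirements, checksums, as an added example that is not the project's release tooling: a verifier that reads a `sha256sum`-style manifest and treats a missing entry, an unlisted file or a digest mismatch as a failed release rather than a warning. The manifest format, file names and contents are constructed for the example; the project's real artifact names and checksums are not on this page.

```python
"""Added example (not the project's own tooling): verify release artifacts against a
SHA256SUMS manifest and fail closed on any gap.

Assumptions: the manifest uses the `sha256sum` line format ("<hex>  <filename>");
artifacts and manifest are constructed in a temporary directory so this runs offline.
"""
import hashlib
import hmac
import os
import tempfile

MANIFEST_NAME = "SHA256SUMS"


def parse_sums(text):
    """Parse manifest lines into {filename: hex_digest}; malformed lines are an error."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name] = digest.lower()
    return sums


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifacts(directory, sums):
    """Return {filename: 'ok' | 'mismatch' | 'missing' | 'unlisted'}.

    'missing'  - listed in the manifest but not present on disk
    'unlisted' - present on disk but absent from the manifest (an extra, unvouched file)
    """
    results = {}
    present = {n for n in os.listdir(directory) if n != MANIFEST_NAME}
    for name, expected in sums.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    for name in present - sums.keys():
        results[name] = "unlisted"
    return results


def release_is_verified(results):
    """Fail closed: an empty result set or any non-'ok' entry rejects the release."""
    return bool(results) and all(v == "ok" for v in results.values())


def demo():
    """Constructed sample release: two good artifacts, one tampered, one listed but absent,
    one present but unlisted. Returns the verification results."""
    with tempfile.TemporaryDirectory() as d:
        on_disk = {
            "app-linux.tar.gz": b"good linux build",
            "app-mac.zip": b"good mac build",
            "app-win.zip": b"TAMPERED windows build",
            "extra.bin": b"nobody vouched for this file",
        }
        for name, data in on_disk.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        # The manifest was written for the original windows build, and lists a BSD
        # artifact that never made it into the directory.
        expected = {
            "app-linux.tar.gz": hashlib.sha256(b"good linux build").hexdigest(),
            "app-mac.zip": hashlib.sha256(b"good mac build").hexdigest(),
            "app-win.zip": hashlib.sha256(b"original windows build").hexdigest(),
            "app-bsd.tar.gz": hashlib.sha256(b"bsd build").hexdigest(),
        }
        manifest = "\n".join(f"{h}  {n}" for n, h in expected.items()) + "\n"
        with open(os.path.join(d, MANIFEST_NAME), "w") as f:
            f.write(manifest)
        return verify_artifacts(d, parse_sums(manifest))


if __name__ == "__main__":
    results = demo()
    for name, status in sorted(results.items()):
        print(f"{status:9} {name}")
    print("release verified:", release_is_verified(results))
```

The manifest here is only integrity, not authenticity: a checksum file fetched over the same channel as the artifact says nothing about who produced it, which is why the page also lists provenance and protected signing material as separate requirements.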

Security reporting

Use the affected repository's GitHub private vulnerability reporting. Do not publish exploit details, leaked credentials, signing-key concerns, or customer data in issues, chat, or documentation feedback.