Project security model
Security depends on explicit authority, fail-closed capabilities, protected signing material, hostile-input assumptions, and private disclosure.
Trust boundaries
- The backend that owns an order is authoritative for its state and protected transitions.
- The client is untrusted input and a presentation layer; hiding a control never replaces server authorization.
- Payment rails, RPCs, indexers, plugins, webhooks, media, and delivery systems are external dependencies with their own failure and threat models.
- Extensions receive minimum typed projections and scoped handles, not general database or Core access.
- Sensitive actions remain auditable without placing secrets or unnecessary personal data in logs.
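As an added illustration of the rules above (not the project's own code), a toy order state machine in Python in which the backend's transition table decides every protected transition, unknown transitions fail closed, the audit trail carries no personal data, and extensions receive a typed projection rather than the order record. All state names, roles and field names are assumptions.

```python
from dataclasses import dataclass, field
from typing import NamedTuple

# Constructed table: (from_state, to_state) -> roles the backend allows to trigger it. Any pair absent from the table is denied, so the capability fails closed.
PROTECTED_TRANSITIONS = {
    ("created", "paid"): {"payment-rail"},
    ("created", "cancelled"): {"customer", "merchant"},
    ("paid", "fulfilled"): {"merchant"},
    ("paid", "refunded"): {"merchant"},
}

@dataclass
class Order:
    order_id: str
    state: str
    customer_email: str  # personal data: stays inside the backend, never in logs or projections
    total_cents: int
    audit: list = field(default_factory=list)  # (outcome, from, to, actor_role); no secrets, no PII

class OrderView(NamedTuple):
    """Minimum typed projection handed to an extension: no PII, no reference to the Order."""
    order_id: str
    state: str
    total_cents: int

class TransitionDenied(Exception):
    """The backend refused a protected transition."""

def transition(order: Order, to_state: str, actor_role: str) -> Order:
    """Server-side authorization; actor_role is assumed to come from the backend's own
    session, so whether the client showed or hid the control is irrelevant here."""
    allowed = PROTECTED_TRANSITIONS.get((order.state, to_state), set())
    if actor_role not in allowed:
        order.audit.append(("denied", order.state, to_state, actor_role))
        raise TransitionDenied(f"{order.state} -> {to_state} not permitted for {actor_role}")
    order.audit.append(("ok", order.state, to_state, actor_role))
    order.state = to_state
    return order

def attempt(order: Order, to_state: str, actor_role: str) -> bool:
    """True if the transition was applied, False if the backend refused it."""
    try:
        transition(order, to_state, actor_role)
        return True
    except TransitionDenied:
        return False

def project_for_extension(order: Order) -> OrderView:
    """What an extension gets instead of the Order record or database access."""
    return OrderView(order.order_id, order.state, order.total_cents)
```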
Release and supply chain
The current release is a pre-release candidate. Final artifacts require vulnerability scanning, dependency and license review, SBOM generation, checksums, provenance, reproducibility evidence, secret scans, and platform-specific validation.
Security reporting
Use the affected repository's GitHub private vulnerability reporting. Do not publish exploit details, leaked credentials, signing-key concerns, or customer data in issues, chat, or documentation feedback.