Add enterprise docs structure and include pending core maintenance updates.

2026-02-20 13:28:29 -05:00
parent b8ed5ec500
commit 52445078a1
23 changed files with 1956 additions and 404 deletions
--- a/docs/security.md
+++ b/docs/security.md
@@ -0,0 +1,34 @@
+# Security
+
+## Scope
+
+CBDD is an embedded data engine. Security controls are shared between the library and the host application that embeds it.
+
+## Authentication And Authorization Model
+
+- CBDD does not provide built-in user authentication.
+- Authorization is enforced by the host process and filesystem permissions.
+- Access to database files must be limited to trusted service identities.
+
+## Data Classification And Handling
+
+- Treat persisted database files as sensitive when they contain customer or regulated data.
+- Do not store secrets in source, fixtures, or benchmark datasets.
+- Apply environment-specific retention and backup controls outside this repository.
+
+## Storage And Cryptography Controls
+
+- CBDD enforces integrity through WAL and transactional semantics.
+- Encryption at rest and key management are host responsibilities.
+- If encryption is required, use filesystem or volume-level encryption managed by platform security controls.
+
+## Secure Coding Expectations
+
+1. Require code review for storage, WAL, indexing, query, and serialization changes.
+2. Add targeted tests for all security-relevant behavior changes.
+3. Run package vulnerability checks in fitness pipeline.
+
+## Incident Handling
+
+- Follow [`runbook.md`](runbook.md) for incident triage and escalation.
+- Label security-impacting issues with `security` and prioritize immediate containment.