# Security

## Scope

CBDD is an embedded data engine. Security controls are shared between the library and the host application that embeds it.

## Authentication And Authorization Model

- CBDD does not provide built-in user authentication.
- Authorization is enforced by the host process and filesystem permissions.
- Access to database files must be limited to trusted service identities.

## Data Classification And Handling

- Treat persisted database files as sensitive when they contain customer or regulated data.
- Do not store secrets in source, fixtures, or benchmark datasets.
- Apply environment-specific retention and backup controls outside this repository.

## Storage And Cryptography Controls

- CBDD enforces integrity through WAL and transactional semantics.
- Encryption at rest and key management are host responsibilities.
- If encryption is required, use filesystem or volume-level encryption managed by platform security controls.

## Secure Coding Expectations

1. Require code review for storage, WAL, indexing, query, and serialization changes.
2. Add targeted tests for all security-relevant behavior changes.
3. Run package vulnerability checks in the fitness pipeline.

## Incident Handling

- Follow [`runbook.md`](runbook.md) for incident triage and escalation.
- Label security-impacting issues with `security` and prioritize immediate containment.