Security

Scope

CBDD is an embedded data engine. Security controls are shared between the library and the host application that embeds it.

Authentication And Authorization Model

  • CBDD does not provide built-in user authentication.
  • Authorization is enforced by the host process and filesystem permissions.
  • Access to database files must be limited to trusted service identities.
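
Because authorization rests on filesystem permissions, the host can verify them before it opens the database. The following is an added example, not code from the CBDD repository; it assumes a POSIX host, and the function name audit_db_path and the file names example.db and example.wal are hypothetical.

```python
import os
import shutil
import stat
import tempfile


def audit_db_path(root, expected_uid):
    """Return (path, reason) findings for a database directory tree.

    An empty list means every entry is owned by expected_uid and grants
    nothing to group or other. Only POSIX mode bits are checked; ACLs are not.
    """
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    findings = []
    for path in paths:
        st = os.lstat(path)  # lstat: inspect the entry itself, never a link target
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "symlink"))
            continue
        if st.st_uid != expected_uid:
            findings.append((path, "owner uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(
                (path, "group/other access %o" % stat.S_IMODE(st.st_mode)))
    return findings


def demo():
    """Build a constructed sample directory and audit it."""
    root = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    good = os.path.join(root, "example.db")   # hypothetical data file name
    bad = os.path.join(root, "example.wal")   # hypothetical WAL file name
    try:
        for path, mode in ((good, 0o600), (bad, 0o644)):
            with open(path, "wb"):
                pass
            os.chmod(path, mode)  # set explicitly so the umask does not matter
        return bad, audit_db_path(root, os.getuid())
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

A host would call audit_db_path with the service identity's UID at startup and refuse to open the database if the list is not empty.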

Data Classification And Handling

  • Treat persisted database files as sensitive when they contain customer or regulated data.
  • Do not store secrets in source, fixtures, or benchmark datasets.
  • Apply environment-specific retention and backup controls outside this repository.

Storage And Cryptography Controls

  • CBDD enforces integrity through WAL and transactional semantics.
  • Encryption at rest and key management are host responsibilities.
  • If encryption is required, use filesystem or volume-level encryption managed by platform security controls.

Secure Coding Expectations

  1. Require code review for storage, WAL, indexing, query, and serialization changes.
  2. Add targeted tests for all security-relevant behavior changes.
  3. Run package vulnerability checks in the fitness pipeline.

Incident Handling

  • Follow runbook.md for incident triage and escalation.
  • Label security-impacting issues with the security label and prioritize immediate containment.