Skip to content

Security

Security

Cbox Billing moves money and enforces spend limits, so its security model is deliberate and, where a boundary is not yet fully closed, honest about it. This section covers the app-layer posture, the seams we document plainly, and the reporting process.

In this section

Page What
Posture Deny-by-default, secrets handling, webhook verification, tenant scoping, and the supply-chain gate.
Documented seams The boundaries that are stubbed or best-effort and what that means for you.
Reporting a vulnerability GitHub Private Vulnerability Reporting; the honest best-effort stance.

The app / engine boundary

Much of the billing correctness surface — the append-only idempotent ledger, convergent reconciliation, the three-way enforcement outcome (fail-open on infra, fail-closed on semantics), preview-equals-charge, and the currency-lock and forfeiture invariants — lives in the engine. For those guarantees see the cboxdk/laravel-billing package docs and its decision records. This section covers the application layer: auth, secrets, webhooks, tenant isolation, and the app's own seams.