Documented seams
Documented seams
Cbox Billing is honest about where a boundary is a contract the app defines rather than a fully-verified integration against a live third party. These seams are not hidden — naming them plainly is part of the security posture. Where a seam involves real money or a statutory filing, treat crossing it as your integration and verification responsibility.
This is distinct from the app's internal host seams (app/Billing/Seams/*), which are
the engine ports the app binds to durable implementations — those are wired and
tested. The seams below are external integration boundaries.
Authenticated ERP / accounting push
The cbox-billing-connectors plugin exports billing documents (invoices, payments,
credit-notes) to an accounting/ERP system over HTTP/JSON or NDJSON, with an idempotent
per-document sync ledger. The app defines the export contract and the authenticated
push (a signed HTTP endpoint via BILLING_CONNECTOR_HTTP_ENDPOINT +
BILLING_CONNECTOR_HTTP_SECRET), but the specific ERP's authentication, schema,
and acceptance are the deployment's to wire and verify. The app does not claim a
certified, out-of-the-box integration with any particular ERP.
Live marketplace payouts
The cbox-billing-marketplace plugin covers marketplace billing concerns. Live
payout execution — actually moving money to sellers through a payment provider — is
a seam: the app models the marketplace shape, but executing real payouts against a
live provider account is a deployment integration you must configure and verify.
Statutory tax-filing submission
The cbox-billing-tax-plus plugin prepares filings on the open laravel-tax
engine — HMRC MTD 9-box VAT and EU OSS per-member-state payloads — and provides a
console to review and mark them filed. Actual statutory submission to a tax
authority (e.g. the live HMRC MTD API) is a documented seam: the app produces and
lets you review the payload; connecting to and submitting through the authority's live
endpoint, and the legal responsibility for the filing, are yours.
Live payment-gateway verification
The Stripe and Mollie adapters bind the app's PaysInvoices / WebhookVerifier
contracts, and the app verifies signatures and ingests settlement exactly-once. What
the app does not do for you is prove your specific live gateway account is wired
end-to-end: you must run the configure-and-verify recipe
against your account — confirm the gateway binds, a real webhook verifies, and a
settlement marks its invoice paid — before trusting production money flow.
What is NOT a seam
To be equally clear about what is solid:
- The ledger, event log, reconciliation, currency lock, and wallet are durable and engine-backed — the money source of truth, not a stub.
- Enforcement (reserve/commit, the three-way outcome) is real and wired.
- Webhook signature verification and exactly-once ingest are real.
- Per-org tenant scoping and API token auth are enforced on every request.
- On-prem license signing/verification uses real Ed25519 crypto
(
cboxdk/license).