Isolation
Each customer buys a named product instance. Commercial records, access metadata, and lifecycle state do not collapse into a shared tenant view.
Trust boundary
Single-tenant product instances with explicit control surfaces.
BayStore's security posture starts with separation: public marketing, customer dashboard, operator console, API, payment adapters, and runtime mutation stay behind declared boundaries.
Audit trail
Operator actions are recorded with correlation identifiers so commercial and runtime events can be reconciled.
Recovery
Failed, suspended, and deleted states remain explicit. Recovery is an operation, not an overwrite.
Controls
Current security commitments
Isolation and sandbox boundaryEach product instance is single-tenant: commercial records, access metadata, and lifecycle state are scoped to one customer. The current surface operates within a
sandbox_placeholder boundary — checkout, authentication, and runtime mutation are not production-wired. Production controls require a separate configuration and deployment step.| Area | Marketing commitment | Production dependency |
|---|---|---|
| Public site | Self-hosted static assets, no external scripts, no public console link. | CDN, TLS, and cache policy at deployment. |
| Checkout | Static pages do not claim live payment readiness. | Provider-approved Stripe and PayPal production configuration. |
| Authentication | Sign-in and signup are entry pages, not a production identity provider. | Production auth provider, sessions, secrets, and authorization policy. |
| Runtime actions | Operator console remains separate from marketing navigation. | Worker-backed runtime mutation and production cluster operations. |