BellPath Phase 1B Cross-Domain Security Policy

Domain roles
- bellpathbydsb.com = public storefront, SEO, pricing, trust, checkout, docs.
- bellpathbydsb.click = BellPath OS, app launch, license activation, customer portal, owner command center.

Security risk summary
Moving from .com to .click is safe when it is only a normal HTTPS link. The risk appears when secrets, auth tokens, license keys, or private data are passed through URLs or stored in browser-visible code.

Rules
1. Never pass API keys, Stripe secrets, Supabase service-role keys, AI keys, or admin tokens in URLs.
2. Never put secret keys in HTML, client-side JS, localStorage, or public Netlify environment variables.
3. If a purchase needs activation, pass only a short-lived activation code generated server-side.
4. Do not use URL query strings for permanent license keys.
5. Customer-facing builds must not include owner dashboards, revenue data, admin override tools, or debug panels.
6. Owner-unlocked builds may include internal tools but should stay private and noindex.
7. Use HTTPS-only links between .com and .click.
8. If shared login is added later, use server-side sessions or a trusted auth provider with correct cookie domain, SameSite, Secure, and CSRF protections.
9. Keep .com indexable. Keep private .click owner pages noindex unless intentionally public.
10. Use Netlify Functions or Supabase Edge Functions for license validation, AI calls, and Stripe verification.