Concepts

Security Boundaries

Userland control-plane, product, and app-runtime trust boundaries.

For agents: Keep control-plane credentials outside app code. Platform account membership authorizes CLI/API operations; app-user auth uses host-bound runtime cookies and reserved platform routes.

Planes

Platform account roles manage account-owned apps. App-user roles declared in manifest.userland.json manage users inside one published app and do not create platform account members.

Browser console sessions are separate from both API keys and app-user sessions. Console login sets __Host-ul_platform on console.userland.fun, never stores ap_live_... values in browser storage, and requires CSRF tokens for session-authenticated mutations. App-user auth stays on app origins with __Host-ul_session and /_userland/auth/*; those cookies and routes do not authenticate the console.

Runtime dispatch strips platform headers, ordinary cookies, internal headers, and control-plane credentials before app server code runs.
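The console/app-origin split described above and the dispatch stripping, as an added example that is not Userland's own code: the host and cookie names come from this page, while the `x-ul-csrf` header name, the `x-ul-` internal-header prefix and the pass-through of `__Host-ul_session` to the app are assumptions.

```javascript
// Added example, not Userland's code. The console accepts __Host-ul_platform
// (with a CSRF token on mutations) or an ap_live_ API key; runtime dispatch
// then drops control-plane material before app server code runs.
const CONSOLE_HOST = "console.userland.fun";
const PLATFORM_COOKIE = "__Host-ul_platform";
const APP_SESSION_COOKIE = "__Host-ul_session";
const API_KEY_PREFIX = "ap_live_";
const CSRF_HEADER = "x-ul-csrf";   // assumed header name, not from the page
const INTERNAL_PREFIX = "x-ul-";   // assumed internal-header prefix

function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Console plane. Header names are lower-case; expectedCsrf is the token bound to
// the platform session. An app-user cookie never authenticates here.
function authorizeConsole(req, expectedCsrf) {
  if (req.host !== CONSOLE_HOST) return { ok: false, reason: "wrong-host" };
  const cookies = parseCookies(req.headers.cookie);
  const mutating = !["GET", "HEAD", "OPTIONS"].includes(req.method);
  if (cookies[PLATFORM_COOKIE]) {
    if (mutating && req.headers[CSRF_HEADER] !== expectedCsrf) return { ok: false, reason: "csrf" };
    return { ok: true, via: "session" };
  }
  const auth = req.headers.authorization || "";
  if (auth.startsWith("Bearer " + API_KEY_PREFIX)) return { ok: true, via: "api-key" };
  return { ok: false, reason: "unauthenticated" };
}

// Runtime dispatch: rebuild the header set an app server may see. Drops the
// Authorization header, internal headers, the platform cookie and ordinary cookies.
function stripForApp(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === "authorization" || n.startsWith(INTERNAL_PREFIX)) continue;
    if (n === "cookie") {
      const c = parseCookies(value);
      // Assumption: only the app-user session cookie survives into the app.
      if (APP_SESSION_COOKIE in c) out.cookie = `${APP_SESSION_COOKIE}=${c[APP_SESSION_COOKIE]}`;
      continue;
    }
    out[n] = value;
  }
  return out;
}
```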

Public legal and policy placeholders are linked from the product site footer: Terms, Privacy, and Acceptable Use. They are draft pages pending legal review; security behavior in this document remains the implementation reference until final policy language is approved.