This frontend is designed around the security model already defined in the Handybot architecture docs: separate control-plane data, separate business databases, and versioned API boundaries.
Identity belongs to the portal layer. OAuth providers and session lifecycle are exposed to the browser via `www.handybot.help`, while mutations terminate on `api.handybot.help/v1/auth/*`.
The portal should store secret references or masked values. Raw API keys and provider secrets must stay server-side and be resolved at publish time or at runtime.
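One way to implement the reference-or-mask rule above, as an added example rather than Handybot's own code. `SecretVault`, the `secretref://` scheme and all field names are hypothetical, and the in-memory map stands in for a real server-side secret store.

```javascript
// Added example: every name here is hypothetical, not part of the Handybot code base.
// Server-side only: holds raw values and hands out opaque references.
class SecretVault {
  #values = new Map();
  #next = 1;
  put(raw) {
    const ref = `secretref://${this.#next++}`;
    this.#values.set(ref, raw);
    return ref;
  }
  resolve(ref) {
    if (!this.#values.has(ref)) throw new Error(`unknown secret reference: ${ref}`);
    return this.#values.get(ref);
  }
}

// Mask for display: show the last 4 characters only if most of the secret stays hidden.
function maskSecret(raw) {
  const tail = raw.length >= 12 ? raw.slice(-4) : "";
  return "****" + tail;
}

// What the portal DB row and the browser see: reference plus mask, never the raw value.
function toPortalRecord(name, raw, vault) {
  return { name, ref: vault.put(raw), masked: maskSecret(raw) };
}

// Publish/runtime step, server-side: swap each reference for its raw value.
function resolveForPublish(records, vault) {
  return Object.fromEntries(records.map((r) => [r.name, vault.resolve(r.ref)]));
}

// Guard for browser-bound responses: fail closed if a raw value leaked into the payload.
function assertNoRawSecrets(payload, rawValues) {
  const body = JSON.stringify(payload);
  for (const raw of rawValues) {
    // Compare against the JSON-escaped form so quotes or backslashes cannot hide a match.
    if (body.includes(JSON.stringify(raw).slice(1, -1))) {
      throw new Error("raw secret in browser-bound payload");
    }
  }
  return payload;
}

function demo() {
  const vault = new SecretVault();
  const raw = "constructed-provider-key-0000abcd"; // constructed sample value
  const record = toPortalRecord("PROVIDER_API_KEY", raw, vault);
  return { record, env: resolveForPublish([record], vault),
           safe: assertNoRawSecrets({ secrets: [record] }, [raw]) };
}
```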
Stripe remains the system of record for subscriptions, invoices, and payment methods. The portal DB keeps only customer IDs, subscription state, and credit ledger mappings.
Portal metadata is centralized, while each tenant business database remains isolated. The runtime resolves tenant identity before connecting to the correct tenant DB.