Trust boundaries

Security boundaries

Every sensitive decision has a server-side owner. PUPMKT treats the browser as a public interface—not a source of authority. Identity, permissions, inventory, money movement, store actions, and digital ownership are verified by partner systems before a protected action can proceed.

Fail-closed designLeast-privilege rolesAcceptance evidence required

Non-negotiable rules

Trust comes from boundaries people can verify.

These are product requirements for a partner implementation. A provider connection is not approved until its owner, controls, operating procedure, and failure behavior are tested.

Data

Minimum necessary access

The customer sees only a safe public or account-owned view. Tenant and account checks run on every protected request; logs and exports follow an approved retention policy.

Actions

Authorization on the server

A hidden button is not a security control. The gateway verifies identity, role, ownership, current record version, and business rules before every change.

Failures

Stop safely, explain clearly

Timeouts, invalid responses, expired sessions, duplicate events, and unavailable providers leave records and funds in a known state with a recovery path.

Authentication and access

Customers and employees use separate trust paths.

Customer identity supports marketplace accounts. Employee identity protects store, support, finance, moderation, and administration work. A customer session can never become an employee session.

Customer path

Approved sign-in, protected session

  1. Start with the partner identity provider.

    Sign-in, recovery, consent, and account lifecycle remain under partner policy.

  2. Create a short-lived server session.

    The browser receives a secure, HttpOnly cookie rather than provider credentials.

  3. Recheck sensitive actions.

    Account changes, higher-risk selling, and money actions can require recent or stronger authentication.

Employee path

Workforce SSO, scoped roles

  1. Enter through workforce SSO.

    The identity provider applies employee policy and multi-factor authentication.

  2. Map approved groups to narrow roles.

    Store staff, support, finance, and administrators receive only the actions their job requires.

  3. Remove access from one source.

    Joiner, mover, and leaver changes flow from the workforce directory. LDAP, if used, stays behind the identity service.

Payments and payouts

The browser never decides an amount or handles bank details.

Payment and payout systems remain separate because charging a buyer and paying a seller carry different ownership, risk, compliance, and reconciliation duties.

Buyer payment

Hosted checkout, server-calculated total

The server builds checkout from current listing, tax, fee, shipping, discount, and eligibility records. A signed provider event—not a browser redirect—confirms the result.

  • Idempotent checkout creation
  • Duplicate and out-of-order webhook protection
  • Decline, refund, dispute, and reconciliation paths
Seller payout

Hosted onboarding, recorded release rules

The payout provider collects identity and bank details. PUPMKT records only the safe status needed to apply holds, reserves, release timing, reversals, and support decisions.

  • No bank details in the PUPMKT browser
  • Explicit balance and hold ledger
  • Failed-payout and negative-balance handling

Store-assisted validation

A participating store can become a recorded handoff point.

A store program is optional and location-specific. PUPMKT does not imply that any retailer participates. A partner must approve the locations, services, staff roles, equipment, training, insurance, and incident owner.

  1. Reserve an approved service and location

    The capability registry confirms that the location, category, service, and appointment window are currently available.

  2. Authenticate the employee and intake

    Workforce SSO verifies the staff member. A reservation and item identifier prevent an unrelated intake from being attached.

  3. Capture the agreed evidence

    Staff follow a category checklist for images, identifiers, condition, included parts, and exceptions. The record identifies who captured what and when.

  4. Apply a tamper-evident security label

    A unique label links the physical package to the custody record. Seal changes, replacements, or exceptions require a recorded reason and authorized role.

  5. Release, ship, or hold through policy

    Pickup identity, carrier acceptance, custody events, and exception rules decide the next action. Staff cannot bypass a hold through the public interface.

What a security label means: it links a package to recorded evidence and helps reveal custody changes. A label alone does not prove authenticity, ownership, condition, or value. Those claims require the approved checklist and accountable reviewer.

Digital items

Permission comes before a listing.

PUPMKT is not designed to create artificial scarcity or bypass a game's terms. A digital marketplace exists only for items a publisher or platform explicitly allows users to transfer.

Program registry

Explicitly approved programs only

Each publisher, game, region, item class, fee, restriction, and support owner belongs to an allowlist with a version and effective date.

Authority

Official ownership and eligibility

The publisher or platform service confirms the seller owns the item, the item can move, and both accounts meet current rules.

Completion

Official transfer and reconciliation

Funds and order status follow an official transfer result. Expiry, failure, reversal, and account mismatch stop safely and enter an owned support path.

Security operations

Controls need proof after launch.

The implementation owner must be able to detect, explain, contain, recover, and learn from failures without exposing private details to customers.

Observe

Correlated, redacted events

Request IDs connect safe public errors to restricted logs, metrics, and traces. Sensitive values are redacted before storage.

Respond

Named alert and incident owners

Service objectives, alert routes, severity rules, communication ownership, and provider escalation are approved before a live pilot.

Recover

Tested restore and rollback

Backups, deployment rollback, provider disable switches, reconciliation, and customer recovery are rehearsed—not assumed.

Turn these boundaries into launch evidence.

The 30-day plan assigns owners, connects services in dependency order, runs acceptance checks, and preserves a rollback at every phase.

Review the launch plan