Catalog Distribution Policy

This policy keeps the public web minimal while allowing full commerce inside the launcher app.

Public Web (edut.ai)

  1. Public web remains the identity and access surface.
  2. Public web does not serve production catalog details.
  3. Public web does not execute production checkout.
  4. Public web may host internal preview routes that are noindex and disabled by default.

Launcher App Surface

  1. Launcher app is the canonical catalog and checkout surface.
  2. Launcher fetches signed catalog manifests from marketplace APIs.
  3. Launcher verifies manifest signature and hash before display.
  4. Launcher checkout requires wallet session, ownership binding, and entitlement gating.

Anti-Scraping Posture

  1. No public, anonymous catalog endpoint for production offers.
  2. Offer manifests require app session and rate limits.
  3. Manifest payloads are short-TTL and signed.
  4. Checkout endpoints require nonce-bound quotes and ownership-proof rules.
     1. If first checkout bundles membership activation, quote must show line-item breakdown.
     2. Checkout totals must reconcile to line-item amounts deterministically.
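
The launcher rule "verifies manifest signature and hash before display" and the "short-TTL and signed" rule above can be checked together, as in this added sketch, which is not the project's code. The envelope fields (`payload`, `sha256`, `expiresAt`, `signature`), the choice of Ed25519 and all function names are assumptions, since this policy does not specify them.

```javascript
const crypto = require('node:crypto');

// Hypothetical envelope: { payload, sha256, expiresAt, signature }.
// The signature covers "sha256.expiresAt", so hash and expiry are both authenticated.
function signManifest(payload, privateKey, ttlSeconds, nowMs = Date.now()) {
  const sha256 = crypto.createHash('sha256').update(payload).digest('hex');
  const expiresAt = Math.floor(nowMs / 1000) + ttlSeconds;
  const signature = crypto
    .sign(null, Buffer.from(`${sha256}.${expiresAt}`), privateKey)
    .toString('base64');
  return { payload, sha256, expiresAt, signature };
}

// Launcher side: returns the parsed catalog, or throws before anything is displayed.
function verifyManifest(env, publicKey, nowMs = Date.now()) {
  if (typeof env.payload !== 'string' || typeof env.sha256 !== 'string' ||
      !Number.isInteger(env.expiresAt) || typeof env.signature !== 'string') {
    throw new Error('malformed envelope');
  }
  // 1. Signature over the claimed hash and expiry.
  const signed = Buffer.from(`${env.sha256}.${env.expiresAt}`);
  const sig = Buffer.from(env.signature, 'base64');
  if (!crypto.verify(null, signed, publicKey, sig)) throw new Error('bad signature');
  // 2. The payload actually received must match the signed hash.
  const actual = crypto.createHash('sha256').update(env.payload).digest();
  const claimed = Buffer.from(env.sha256, 'hex');
  if (claimed.length !== actual.length || !crypto.timingSafeEqual(actual, claimed)) {
    throw new Error('hash mismatch');
  }
  // 3. Short TTL: a replayed or cached manifest is rejected once expired.
  if (nowMs / 1000 >= env.expiresAt) throw new Error('manifest expired');
  return JSON.parse(env.payload);
}

// Constructed sample data: throwaway key pair, made-up offer, fixed clock.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const T0 = 1700000000000;
const sample = signManifest(
  JSON.stringify({ offers: [{ id: 'demo-offer', price: 5 }] }), privateKey, 300, T0);

// Helper for the demo: 'ok' or the reason the manifest was refused.
function outcome(env, nowMs) {
  try { verifyManifest(env, publicKey, nowMs); return 'ok'; }
  catch (e) { return e.message; }
}
```

Because the expiry sits inside the signed string, a client cannot extend a manifest's lifetime by editing `expiresAt`; doing so fails the signature check rather than the TTL check.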

Non-Goals

  1. Marketing the catalog directly on public website pages.
  2. Relying on obscurity as sole protection.
  3. Activating runtime rights from unsigned catalog/quote data.