# Client-Owned Plaid Setup for BellPathOS v1.4

This is the low-cost rollout model: each client uses their own Plaid developer account and their own private Cloudflare Worker. BellPathOS stores only the Worker URL and non-secret metadata in the browser.

## Why this model

- BellPath does not pay for or host all Plaid traffic yet.
- Each client controls their own Plaid app, API keys, environment, and bank-connector limits.
- Plaid secrets and access tokens stay outside the public BellPathOS website.

## Steps for the client

1. Create a Plaid developer account.
2. Create or open a Plaid app and choose sandbox, development, or production.
3. Create a Cloudflare Worker in the client's own Cloudflare account.
4. Copy `workers/client-owned-plaid-worker.js` into that Worker.
5. Create a KV namespace for server-side Plaid access token storage:

```bash
wrangler kv namespace create PLAID_TOKENS
```

Copy the returned namespace id into `workers/wrangler.client-owned-plaid.example.toml`.

6. Add Worker secrets:

```bash
wrangler secret put PLAID_CLIENT_ID
wrangler secret put PLAID_SECRET
wrangler secret put PLAID_ENV
```

Use `sandbox`, `development`, or `production` for `PLAID_ENV`.

7. Deploy the Worker.
8. Open `plaid-byop.html` in BellPathOS and enter the Worker base URL.
9. Save connector URL.
10. Run `launch-check.html`.

## Security rules

Do not store these in public JavaScript, localStorage, HTML, or sitemap files:

- PLAID_SECRET
- Plaid access_token
- Plaid processor_token
- Bank credentials

Allowed in BellPathOS browser storage:

- Worker base URL
- Plaid environment
- Product selections
- Country codes
- Client ID if the client chooses
- Institution names, masks, and sync status metadata

## Later BellPath-hosted upgrade

When BellPath is ready to host Plaid centrally, switch clients from `client-owned` mode to a BellPath-hosted Worker endpoint and move secrets into BellPath controlled infrastructure.