# Availability and Boundary Model (v1)

This document defines deterministic licensing behavior for paid EDUT operation without per-seat SaaS metering.

## Core Invariant

`One Suite License = One Economic Boundary`

1. A suite license is bound to one `org_root_id`.
2. Unlimited internal workspaces are allowed under that same `org_root_id`.
3. Cross-boundary paid execution is blocked unless the target boundary has its own suite license.

## Identity and Rights Layers

1. Human membership credential (`membership_token`):
   - required for each acting human principal.
2. Org suite entitlement (`suite_entitlement`):
   - bound to `org_root_id`;
   - enables paid execution for workspaces inside that boundary.
3. Human access class (`access_class`):
   - `connected`: lower-cost, heartbeat-based availability;
   - `sovereign`: premium local continuity with a long-lived offline capsule.

Membership confirms principal identity. Suite entitlement confirms boundary rights. Access class controls availability mechanics.

## Availability State Machine

Runtime availability is deterministic and applies to paid execution:

1. `ACTIVE`
   - lease/capsule valid;
   - full paid execution allowed.
2. `GRACE`
   - temporary missed renewal window;
   - full execution continues while automatic recovery runs.
3. `CONTINUITY`
   - prolonged renewal miss;
   - existing operations continue, but growth actions are blocked:
     - no new members,
     - no new workspaces,
     - no new tool installs,
     - no new worker spawns.
4. `PARKED`
   - renewal unresolved beyond the continuity window;
   - paid execution paused;
   - read/search/export remains available.

## Renewal Sources by Access Class

1. `connected`
   - requires periodic org-root heartbeat lease renewal.
2. `sovereign`
   - uses a long-lived local entitlement capsule;
   - renews online or via a signed offline transfer workflow.

Both classes converge to the same state machine (`ACTIVE -> GRACE -> CONTINUITY -> PARKED`) when renewal evidence ages out.

## Boundary Enforcement Rules

Every paid action must pass:

1. valid human membership;
2. workspace bound to `org_root_id`;
3. suite entitlement active for that `org_root_id`;
4. access-class availability state not `PARKED`;
5. connector/account boundary ownership compatible with the workspace boundary.

If any check fails, the system fails closed for paid execution and emits evidence.

## Delegation and Offboarding

1. Delegation can grant role capabilities in a workspace.
2. Delegation does not transfer suite ownership or boundary rights.
3. Offboarding revokes workspace delegation immediately.
4. Revoked principals cannot obtain new paid action tokens for that org boundary.

## Admin Plane Ownership Model

1. `org_root_owner` is the only role with:
   - health diagnostics,
   - update controls,
   - configuration mutation rights,
   - direct support channel access.
2. `workspace_member` role is limited to daily-use product actions.
3. Member attempts to access admin/support endpoints return deterministic guidance:
   - `contact_your_org_admin`.
4. Support systems authenticate org-root ownership before accepting admin-level requests.

This creates natural anti-reseller friction: scaling external seats increases the reseller's support burden without shifting that burden to EDUT.

## UX Contract

1. No surprise data lockout: read/search/export survive `PARKED`.
2. Status must be visible in plain language:
   - current state,
   - what is still allowed,
   - exact recovery action.
3. AI fallback and budget modes are separate from entitlement availability:
   - token-budget fallback may reduce AI features;
   - entitlement availability controls whether paid math execution remains authorized.
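The following is an added reference model, not EDUT's own code, of the availability state machine and the five boundary enforcement rules above, including the growth-action block in `CONTINUITY` and the read/search/export survival in `PARKED`. The window lengths, action names and the rule that a connector's `org_root_id` must equal the workspace's are assumptions; the document names the states but not their durations.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Assumed window lengths in hours (the spec defines the states, not the durations).
GRACE_AFTER_H, CONTINUITY_AFTER_H, PARKED_AFTER_H = 24, 72, 240
# Assumed action names for the growth actions blocked in CONTINUITY.
GROWTH_ACTIONS = {"add_member", "create_workspace", "install_tool", "spawn_worker"}
# Non-paid actions that must survive PARKED (no surprise data lockout).
READ_ONLY_ACTIONS = {"read", "search", "export"}


def availability_state(hours_since_renewal: float) -> str:
    """Derive ACTIVE/GRACE/CONTINUITY/PARKED from the age of the last renewal
    evidence (heartbeat lease for `connected`, capsule for `sovereign`)."""
    if hours_since_renewal < GRACE_AFTER_H:
        return "ACTIVE"
    if hours_since_renewal < CONTINUITY_AFTER_H:
        return "GRACE"
    if hours_since_renewal < PARKED_AFTER_H:
        return "CONTINUITY"
    return "PARKED"


@dataclass(frozen=True)
class PaidActionRequest:
    action: str
    principal_id: str
    membership_valid: bool                 # outcome of verifying membership_token
    workspace_org_root_id: str             # "" means the workspace is unbound
    entitled_org_root_ids: FrozenSet[str]  # boundaries with an active suite_entitlement
    hours_since_renewal: float
    connector_org_root_id: Optional[str] = None  # None when no connector is involved


def check_paid_action(req: PaidActionRequest) -> Tuple[bool, str, str]:
    """Fail-closed gate. Returns (allowed, state, reason); the reason string is
    the evidence an enforcement point would emit on denial."""
    state = availability_state(req.hours_since_renewal)
    org = req.workspace_org_root_id
    if not req.membership_valid:                       # rule 1
        return False, state, "membership_invalid"
    if req.action in READ_ONLY_ACTIONS:                # UX contract: never locked out
        return True, state, "read_only_always_available"
    if not org:                                        # rule 2
        return False, state, "workspace_unbound"
    if org not in req.entitled_org_root_ids:           # rule 3 (also blocks cross-boundary)
        return False, state, "no_suite_entitlement_for_boundary"
    if state == "PARKED":                              # rule 4
        return False, state, "parked"
    if req.connector_org_root_id not in (None, org):   # rule 5 (assumed equality check)
        return False, state, "connector_boundary_mismatch"
    if state == "CONTINUITY" and req.action in GROWTH_ACTIONS:
        return False, state, "growth_blocked_in_continuity"
    return True, state, "ok"
```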