web/docs/availability-boundary-model.md
Availability and Boundary Model (v1)

This document defines deterministic licensing behavior for paid EDUT operation without per-seat SaaS metering.

Core Invariant

One Suite License = One Economic Boundary

  1. A suite license is bound to one org_root_id.
  2. Unlimited internal workspaces are allowed under that same org_root_id.
  3. Cross-boundary paid execution is blocked unless the target boundary has its own suite license.

Identity and Rights Layers

  1. Human membership credential (membership_token):
    • required for each acting human principal.
  2. Org suite entitlement (suite_entitlement):
    • bound to org_root_id;
    • enables paid execution for workspaces inside that boundary.
  3. Human access class (access_class):
    • connected: lower-cost, heartbeat-based availability;
    • sovereign: premium local continuity with long-lived offline capsule.

Membership confirms principal identity. Suite entitlement confirms boundary rights. Access class controls availability mechanics.

Availability State Machine

Runtime availability is deterministic and applies to paid execution:

  1. ACTIVE
    • lease/capsule valid;
    • full paid execution allowed.
  2. GRACE
    • renewal missed, but the miss is still inside the grace window;
    • full execution continues while automatic recovery runs.
  3. CONTINUITY
    • prolonged renewal miss;
    • existing operations continue, but growth actions are blocked:
      • no new members,
      • no new workspaces,
      • no new tool installs,
      • no new worker spawns.
  4. PARKED
    • renewal unresolved beyond continuity window;
    • paid execution paused;
    • read/search/export remain available.

Renewal Sources by Access Class

  1. connected
    • requires periodic org-root heartbeat lease renewal.
  2. sovereign
    • uses long-lived local entitlement capsule;
    • renews online or via signed offline transfer workflow.

Both classes converge to the same state machine (ACTIVE -> GRACE -> CONTINUITY -> PARKED) when renewal evidence ages out.
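The state machine above, written out as an added Python example (not EDUT's own code). The window lengths, the per-class window values and the action names are assumptions made for the example; only the state order, the per-state rules and the fact that both access classes feed the same machine come from the document. Renewal evidence dated in the future is rejected rather than treated as fresh, which is a practitioner choice, not something the document specifies.

```python
from dataclasses import dataclass
from enum import Enum


class Availability(Enum):
    ACTIVE = "ACTIVE"
    GRACE = "GRACE"
    CONTINUITY = "CONTINUITY"
    PARKED = "PARKED"


@dataclass(frozen=True)
class Windows:
    """Window lengths in seconds. Values are assumptions for this example;
    the document does not fix them."""
    lease: int        # renewal evidence counts as fresh for this long
    grace: int        # GRACE lasts this long after the lease ages out
    continuity: int   # CONTINUITY lasts this long after GRACE ends


# Assumed per-class windows: a connected heartbeat lease is short-lived, a
# sovereign capsule is long-lived. Both converge to the same state machine.
WINDOWS = {
    "connected": Windows(lease=6 * 3600, grace=24 * 3600, continuity=14 * 86400),
    "sovereign": Windows(lease=90 * 86400, grace=30 * 86400, continuity=60 * 86400),
}

# Action names are assumptions; the document names only the categories.
GROWTH_ACTIONS = frozenset({"add_member", "create_workspace", "install_tool", "spawn_worker"})
READ_ACTIONS = frozenset({"read", "search", "export"})


def availability_state(access_class: str, renewed_at: int, now: int) -> Availability:
    """Pure function of the age of the renewal evidence, so any two nodes with
    the same evidence and clock compute the same state."""
    w = WINDOWS[access_class]
    age = now - renewed_at
    if age < 0:
        # Evidence dated in the future means a rolled-back clock or a forged
        # timestamp; fail closed instead of granting ACTIVE (assumed policy).
        raise ValueError("renewal evidence is dated in the future")
    if age <= w.lease:
        return Availability.ACTIVE
    if age <= w.lease + w.grace:
        return Availability.GRACE
    if age <= w.lease + w.grace + w.continuity:
        return Availability.CONTINUITY
    return Availability.PARKED


def action_allowed(state: Availability, action: str) -> bool:
    """Per-state rules from the document: read/search/export always survive,
    ACTIVE and GRACE allow everything, CONTINUITY blocks growth actions,
    PARKED pauses all other paid execution."""
    if action in READ_ACTIONS:
        return True
    if state in (Availability.ACTIVE, Availability.GRACE):
        return True
    if state is Availability.CONTINUITY:
        return action not in GROWTH_ACTIONS
    return False


def states_over_time(access_class: str, renewed_at: int, times: list) -> list:
    """Trace the states a boundary passes through if it never renews again;
    with the windows above the sequence is monotonic toward PARKED."""
    return [availability_state(access_class, renewed_at, t) for t in times]
```

A renewal resets `renewed_at`, which is the only way back to ACTIVE; nothing in the state itself is stored, so there is no persisted flag for an attacker to flip.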

Boundary Enforcement Rules

Every paid action must pass:

  1. valid human membership;
  2. workspace bound to org_root_id;
  3. suite entitlement active for that org_root_id;
  4. access-class availability state not PARKED;
  5. connector/account boundary ownership compatible with workspace boundary.

If any check fails, the system fails closed for paid execution and emits evidence.
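The five checks and the fail-closed rule, as an added Python example that is not EDUT's own code. The record types, field names and the evidence format are assumptions; the membership token is assumed to carry the org_root_id it was issued for, the availability state arrives as a plain string computed elsewhere, and the checks run in the document's order so the evidence names the first check that failed.

```python
from dataclasses import dataclass
from typing import Optional


# Record shapes below are assumptions for the example; only the five checks
# and the fail-closed rule come from the document.
@dataclass(frozen=True)
class MembershipToken:
    principal_id: str
    org_root_id: str        # boundary the token was issued for (assumed field)
    revoked: bool = False   # set by offboarding


@dataclass(frozen=True)
class Workspace:
    workspace_id: str
    org_root_id: Optional[str]   # None models a workspace not bound to any boundary


@dataclass(frozen=True)
class SuiteEntitlement:
    org_root_id: str
    active: bool


@dataclass(frozen=True)
class Connector:
    connector_id: str
    owner_org_root_id: str


@dataclass(frozen=True)
class PaidActionRequest:
    action: str
    membership: Optional[MembershipToken]
    workspace: Workspace
    entitlements: dict              # org_root_id -> SuiteEntitlement
    availability: str               # ACTIVE | GRACE | CONTINUITY | PARKED
    connector: Optional[Connector] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    failed_check: Optional[str]
    evidence: dict


def authorize_paid_action(req: PaidActionRequest) -> Decision:
    """Evaluate the boundary checks in document order. The first failure
    denies (fail closed) and the evidence record names that check."""
    m, ws = req.membership, req.workspace
    ent = req.entitlements.get(ws.org_root_id) if ws.org_root_id else None
    checks = [
        # 1. valid human membership (revoked principals get no new paid actions)
        ("valid_human_membership", m is not None and not m.revoked),
        # 2. workspace bound to the principal's org_root_id
        ("workspace_bound_to_org_root_id",
         m is not None and ws.org_root_id is not None and ws.org_root_id == m.org_root_id),
        # 3. suite entitlement active for that org_root_id
        ("suite_entitlement_active", ent is not None and ent.active),
        # 4. availability state not PARKED
        ("availability_not_parked", req.availability != "PARKED"),
        # 5. connector/account owned by the same boundary as the workspace
        ("connector_boundary_compatible",
         req.connector is None or req.connector.owner_org_root_id == ws.org_root_id),
    ]
    evidence = {
        "action": req.action,
        "principal_id": m.principal_id if m else None,
        "workspace_id": ws.workspace_id,
        "org_root_id": ws.org_root_id,
        "availability": req.availability,
    }
    for name, ok in checks:
        if not ok:
            return Decision(False, name, {**evidence, "result": "deny", "check": name})
    return Decision(True, None, {**evidence, "result": "allow"})
```

Because the checks are data-only predicates over records the caller already holds, the same function can run in the client and in the org-root service and reach the same verdict; the evidence record is what gets logged when the two disagree.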

Delegation and Offboarding

  1. Delegation can grant role capabilities in a workspace.
  2. Delegation does not transfer suite ownership or boundary rights.
  3. Offboarding revokes workspace delegation immediately.
  4. Revoked principals cannot obtain new paid action tokens for that org boundary.

Admin Plane Ownership Model

  1. org_root_owner is the only role with:
    • health diagnostics,
    • update controls,
    • configuration mutation rights,
    • direct support channel access.
  2. workspace_member role is limited to daily-use product actions.
  3. Member attempts to access admin/support endpoints return deterministic guidance:
    • contact_your_org_admin.
  4. Support systems authenticate org-root ownership before accepting admin-level requests.

This creates natural anti-reseller friction: scaling external seats increases the reseller's support burden without shifting that burden to EDUT.

UX Contract

  1. No surprise data lockout: read/search/export survive PARKED.
  2. Status must be visible in plain language:
    • current state,
    • what is still allowed,
    • exact recovery action.
  3. AI fallback and budget modes are separate from entitlement availability:
    • token-budget fallback may reduce AI features;
    • entitlement availability controls whether paid math execution remains authorized.