# Availability and Boundary Model (v1)

This document defines deterministic licensing behavior for paid EDUT operation without per-seat SaaS metering.
## Core Invariant

`One Suite License = One Economic Boundary`

1. A suite license is bound to one `org_root_id`.
2. Unlimited internal workspaces are allowed under that same `org_root_id`.
3. Cross-boundary paid execution is blocked unless the target boundary has its own suite license.
## Identity and Rights Layers

1. Human membership credential (`membership_token`):
   - required for each acting human principal.
2. Org suite entitlement (`suite_entitlement`):
   - bound to `org_root_id`;
   - enables paid execution for workspaces inside that boundary.
3. Human access class (`access_class`):
   - `connected`: lower-cost, heartbeat-based availability;
   - `sovereign`: premium local continuity with a long-lived offline capsule.

Membership confirms principal identity. Suite entitlement confirms boundary rights. Access class controls availability mechanics.
## Availability State Machine

Runtime availability is deterministic and applies to paid execution:

1. `ACTIVE`
   - lease/capsule valid;
   - full paid execution allowed.
2. `GRACE`
   - temporary missed-renewal window;
   - full execution continues while automatic recovery runs.
3. `CONTINUITY`
   - prolonged renewal miss;
   - existing operations continue, but growth actions are blocked:
     - no new members,
     - no new workspaces,
     - no new tool installs,
     - no new worker spawns.
4. `PARKED`
   - renewal unresolved beyond the continuity window;
   - paid execution paused;
   - read/search/export remain available.
## Renewal Sources by Access Class

1. `connected`
   - requires periodic org-root heartbeat lease renewal.
2. `sovereign`
   - uses a long-lived local entitlement capsule;
   - renews online or via a signed offline transfer workflow.

Both classes converge to the same state machine (`ACTIVE -> GRACE -> CONTINUITY -> PARKED`) when renewal evidence ages out.
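The following is an added example, not code from the EDUT document or its implementation. It models the four-state availability machine and shows both access classes converging on the same `ACTIVE -> GRACE -> CONTINUITY -> PARKED` path as their renewal evidence ages. The window lengths in `POLICIES` are constructed placeholders (the document fixes the states and renewal sources, not the durations), and the action names in `GROWTH_ACTIONS` and `ALWAYS_ALLOWED` are illustrative labels for the four blocked growth actions and the read/search/export operations that survive `PARKED`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class State(Enum):
    ACTIVE = "ACTIVE"
    GRACE = "GRACE"
    CONTINUITY = "CONTINUITY"
    PARKED = "PARKED"


@dataclass(frozen=True)
class RenewalPolicy:
    """Per-access-class windows. The durations are constructed placeholders;
    the document defines the states, not the window lengths."""
    evidence_ttl: timedelta       # how long one renewal (heartbeat lease or capsule) stays fresh
    grace_window: timedelta       # missed-renewal window: full execution, recovery running
    continuity_window: timedelta  # prolonged miss: existing work continues, growth blocked


POLICIES = {
    # connected: short heartbeat lease renewed against the org root.
    "connected": RenewalPolicy(timedelta(hours=24), timedelta(hours=24), timedelta(days=7)),
    # sovereign: long-lived local capsule, renewed online or by signed offline transfer.
    "sovereign": RenewalPolicy(timedelta(days=90), timedelta(days=14), timedelta(days=30)),
}


def availability_state(access_class: str, last_renewal: datetime, now: datetime) -> State:
    """Derive the deterministic state from the age of the newest renewal evidence.

    Both classes walk the same ACTIVE -> GRACE -> CONTINUITY -> PARKED path;
    only the window lengths differ.
    """
    policy = POLICIES[access_class]
    age = now - last_renewal
    if age <= policy.evidence_ttl:
        return State.ACTIVE
    if age <= policy.evidence_ttl + policy.grace_window:
        return State.GRACE
    if age <= policy.evidence_ttl + policy.grace_window + policy.continuity_window:
        return State.CONTINUITY
    return State.PARKED


# Illustrative action names (constructed). Growth actions are the four the
# document blocks in CONTINUITY; read/search/export survive even PARKED.
GROWTH_ACTIONS = {"add_member", "create_workspace", "install_tool", "spawn_worker"}
ALWAYS_ALLOWED = {"read", "search", "export"}


def action_allowed(state: State, action: str) -> bool:
    """Apply the per-state rules to one requested action."""
    if action in ALWAYS_ALLOWED:
        return True                      # no surprise data lockout
    if state is State.PARKED:
        return False                     # paid execution paused
    if state is State.CONTINUITY and action in GROWTH_ACTIONS:
        return False                     # existing operations only
    return True                          # ACTIVE and GRACE: full execution


def states_after_days(access_class: str, days_since_renewal) -> list:
    """State names for a principal whose last renewal was each given number of
    days ago, measured from a fixed (constructed) reference instant."""
    renewed = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return [availability_state(access_class, renewed, renewed + timedelta(days=d)).value
            for d in days_since_renewal]


if __name__ == "__main__":
    # A principal that never renews drifts through all four states.
    print("connected:", states_after_days("connected", [0, 1.5, 5, 30]))
    print("sovereign:", states_after_days("sovereign", [60, 100, 120, 200]))
    print("spawn_worker in CONTINUITY:", action_allowed(State.CONTINUITY, "spawn_worker"))
    print("export in PARKED:", action_allowed(State.PARKED, "export"))
```

The state is a pure function of evidence age and policy, so two enforcement points evaluating the same evidence at the same instant cannot disagree; that is what makes the behavior deterministic rather than dependent on which node last saw a heartbeat.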
## Boundary Enforcement Rules

Every paid action must pass all of the following checks:

1. valid human membership;
2. workspace bound to an `org_root_id`;
3. suite entitlement active for that `org_root_id`;
4. access-class availability state not `PARKED`;
5. connector/account boundary ownership compatible with the workspace boundary.

If any check fails, the system fails closed for paid execution and emits evidence.
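As an added illustration, not EDUT's own code, here is a fail-closed enforcement point that evaluates the five checks above and emits an evidence record on every decision, allow or deny. The request schema, the `WORKSPACES` registry and the org and workspace names are constructed for the example. Check 5 is modelled by combining rule 5 with rule 3 of the core invariant: a connector is boundary-compatible when it is owned by the workspace's own org root, or when the connector's org root holds its own active suite entitlement.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class PaidActionRequest:
    """One paid action as seen by the enforcement point. Field names are
    constructed for this example; the document names the concepts, not a schema."""
    principal_id: str
    membership_valid: bool                 # membership_token verified and not revoked
    workspace_id: str
    connector_org_root_id: Optional[str]   # owner boundary of the connector/account used; None if none
    action: str


@dataclass
class Decision:
    allowed: bool
    failed_checks: list
    evidence: dict


# Constructed registry standing in for the real workspace store: workspace -> org_root_id.
WORKSPACES = {"ws-alpha": "org-A", "ws-beta": "org-A", "ws-partner": "org-B"}


def authorize_paid_action(req: PaidActionRequest, active_entitlements: set,
                          availability_state: str, now: Optional[datetime] = None) -> Decision:
    """Evaluate all five boundary checks, deny on any failure, and emit evidence.

    Every check is evaluated (no short-circuit) so the evidence record shows the
    full picture, not just the first failure. The default outcome is DENY.
    """
    now = now or datetime.now(timezone.utc)
    workspace_org = WORKSPACES.get(req.workspace_id)   # None -> workspace not bound to any org root
    connector_org = req.connector_org_root_id
    connector_ok = (
        connector_org is None                           # no external connector involved
        or connector_org == workspace_org               # same economic boundary
        or connector_org in active_entitlements         # target boundary has its own suite license
    )
    checks = [
        ("valid_membership", req.membership_valid),
        ("workspace_bound_to_org_root", workspace_org is not None),
        ("suite_entitlement_active", workspace_org in active_entitlements),
        ("availability_not_parked", availability_state != "PARKED"),
        ("connector_boundary_compatible", connector_ok),
    ]
    failed = [name for name, ok in checks if not ok]
    evidence = {
        "ts": now.isoformat(),
        "principal_id": req.principal_id,
        "workspace_id": req.workspace_id,
        "org_root_id": workspace_org,
        "action": req.action,
        "availability_state": availability_state,
        "checks": dict(checks),
        "outcome": "DENY" if failed else "ALLOW",
    }
    return Decision(allowed=not failed, failed_checks=failed, evidence=evidence)


if __name__ == "__main__":
    licensed = {"org-A"}
    req = PaidActionRequest("alice", True, "ws-alpha", "org-B", "run_paid_job")
    decision = authorize_paid_action(req, licensed, "ACTIVE")
    print(decision.evidence["outcome"], decision.failed_checks)
```

Returning the evidence record together with the decision, rather than logging it as a side effect inside the check, keeps the enforcement function pure and testable and lets the caller route the same record to both the audit store and the plain-language status surface the UX contract asks for.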
## Delegation and Offboarding

1. Delegation can grant role capabilities in a workspace.
2. Delegation does not transfer suite ownership or boundary rights.
3. Offboarding revokes workspace delegation immediately.
4. Revoked principals cannot obtain new paid action tokens for that org boundary.
## Admin Plane Ownership Model

1. `org_root_owner` is the only role with:
   - health diagnostics,
   - update controls,
   - configuration mutation rights,
   - direct support channel access.
2. The `workspace_member` role is limited to daily-use product actions.
3. Member attempts to access admin/support endpoints return deterministic guidance:
   - `contact_your_org_admin`.
4. Support systems authenticate org-root ownership before accepting admin-level requests.

This creates natural anti-reseller friction: scaling external seats increases the reseller's support burden without shifting that burden to EDUT.
## UX Contract

1. No surprise data lockout: read/search/export survive `PARKED`.
2. Status must be visible in plain language:
   - current state,
   - what is still allowed,
   - exact recovery action.
3. AI fallback and budget modes are separate from entitlement availability:
   - token-budget fallback may reduce AI features;
   - entitlement availability controls whether paid math execution remains authorized.