Wallet Ownership and Payment Model

This model separates ownership rights from payment source for deterministic entitlement control.

Roles

  1. Ownership wallet
     • Holds membership and license entitlements.
     • Determines activation rights for governance and modules.
     • Used for runtime entitlement checks.
  2. Payment wallet
     • Pays membership/license quote transactions.
     • May differ from ownership wallet.
     • Does not automatically gain activation rights.

Required Rule

Entitlements are minted to ownership_wallet only.

For workspace-bound paid rights, entitlement claims must also bind to org_root_id.

Authorization Rule

When payment wallet differs from ownership wallet, backend requires ownership-wallet authorization proof for quote/confirm binding.

Activation Rule

Runtime activation checks ownership wallet entitlement state only.

For workspace-bound execution, runtime also checks boundary claim compatibility (workspace.org_root_id == entitlement.org_root_id).
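The three rules above can be exercised together in a short sketch. This is an added example, not the project's own code: the `Quote` and `Entitlement` types, `confirm_quote`, `can_activate`, the in-memory ledger and the verifier callback are all assumptions, and the proof format is left to the caller because the page does not specify it.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Quote:
    quote_id: str
    ownership_wallet: str
    payment_wallet: str
    org_root_id: str          # boundary of the workspace-bound paid right

@dataclass(frozen=True)
class Entitlement:
    ownership_wallet: str
    org_root_id: str

class AuthorizationRequired(Exception):
    pass

# Hypothetical verifier signature: (ownership_wallet, quote_id, proof) -> bool.
ProofVerifier = Callable[[str, str, str], bool]

def confirm_quote(quote: Quote, proof: Optional[str], verify: ProofVerifier,
                  ledger: List[Entitlement]) -> Entitlement:
    # Authorization Rule: a third-party payer needs the owner's proof.
    if quote.payment_wallet != quote.ownership_wallet:
        if proof is None or not verify(quote.ownership_wallet, quote.quote_id, proof):
            raise AuthorizationRequired(quote.quote_id)
    # Required Rule: mint to ownership_wallet only, bound to org_root_id.
    ent = Entitlement(quote.ownership_wallet, quote.org_root_id)
    ledger.append(ent)
    return ent

def can_activate(wallet: str, workspace_org_root_id: str,
                 ledger: List[Entitlement]) -> bool:
    # Activation Rule: ownership entitlement state plus boundary match;
    # payment evidence is never consulted.
    return any(e.ownership_wallet == wallet and e.org_root_id == workspace_org_root_id
               for e in ledger)

if __name__ == "__main__":
    # Constructed sample data; the string check stands in for signature verification.
    verify = lambda w, q, p: p == f"signed:{w}:{q}"
    ledger: List[Entitlement] = []
    quote = Quote("q-1", "wallet-owner", "wallet-payer", "org-A")
    confirm_quote(quote, "signed:wallet-owner:q-1", verify, ledger)
    print(can_activate("wallet-owner", "org-A", ledger))   # owner, same boundary
    print(can_activate("wallet-payer", "org-A", ledger))   # payer gains nothing
    print(can_activate("wallet-owner", "org-B", ledger))   # cross-boundary reuse
```

The payment wallet appears only in the authorization check; it is never written to the ledger, so nothing at activation time can be derived from it.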

Why

  1. Supports simple user funding options.
  2. Keeps entitlement ownership deterministic and auditable.
  3. Prevents accidental activation tied to transient funding wallets.
  4. Prevents cross-boundary reuse of a single entitlement across unrelated organizations.

Non-Goals

  1. Treating payment wallet as ownership wallet by default.
  2. Activating runtime from payment evidence without ownership entitlement binding.