44 lines
1.4 KiB
Markdown
44 lines
1.4 KiB
Markdown
# Wallet Ownership and Payment Model
|
|
|
|
This model separates ownership rights from payment source for deterministic entitlement control.
|
|
|
|
## Roles
|
|
|
|
1. Ownership wallet
|
|
- Holds membership and license entitlements.
|
|
- Determines activation rights for governance and modules.
|
|
- Used for runtime entitlement checks.
|
|
|
|
2. Payment wallet
|
|
- Pays membership/license quote transactions.
|
|
- May differ from ownership wallet.
|
|
- Does not automatically gain activation rights.
|
|
|
|
## Required Rule
|
|
|
|
Entitlements are minted to `ownership_wallet` only.
|
|
|
|
For workspace-bound paid rights, entitlement claims must also bind to `org_root_id`.
|
|
|
|
## Authorization Rule
|
|
|
|
When payment wallet differs from ownership wallet, backend requires ownership-wallet authorization proof for quote/confirm binding.
|
|
|
|
## Activation Rule
|
|
|
|
Runtime activation checks ownership wallet entitlement state only.
|
|
|
|
For workspace-bound execution, runtime also checks boundary claim compatibility (`workspace.org_root_id` == `entitlement.org_root_id`).
|
|
|
|
## Why
|
|
|
|
1. Supports simple user funding options.
|
|
2. Keeps entitlement ownership deterministic and auditable.
|
|
3. Prevents accidental activation tied to transient funding wallets.
|
|
4. Prevents cross-boundary reuse of a single entitlement across unrelated organizations.
|
|
|
|
## Non-Goals
|
|
|
|
1. Treating payment wallet as ownership wallet by default.
|
|
2. Activating runtime from payment evidence without ownership entitlement binding.
|