Domain Model and Roles

Tenancy Boundary

Workspace is the top-level tenant boundary. Core entities inherit workspace scoping and must be accessed through membership-aware authorization checks.

• Workspace, WorkspaceMembership, and WorkspaceMembershipRole.
• Roles are composable: one membership can hold multiple role keys.
• Capabilities are derived from roles and enforced per endpoint operation.

Role Matrix Reference

The role-to-capability summary matrix is maintained in docs/domain/role-capability-matrix.md.

Core Domain Entities

• Portfolio: PortfolioProperty, Unit
• Leasing: Tenant, Lease
• Operations: MaintenanceRequest, WorkOrder
• Finance: Payment
• Files: Document

Cross-Cutting Operational Models

• APITokenSession for access and refresh token lifecycle.
• IdempotencyKey for mutation replay safety.
• AuditLog for sensitive operation trails.
• IntegrationConnection, IntegrationOutboxEvent, WebhookEvent, ExternalObjectMapping.

Permission Principle

Authorization is explicit and capability-driven. Workspace membership alone is not sufficient; read/write capability checks must pass for each resource and action.