# Data Model — Spec 083

This feature is primarily **read-only UX + authorization hardening**. No new tables are required.

## Existing entities (relevant)

### Workspace

- **Purpose**: Isolation boundary for tenant management surfaces.
- **Key fields**: `id`.

### WorkspaceMembership

- **Purpose**: Establishes user membership in a workspace.
- **Key fields**: `workspace_id`, `user_id`, `role`.

### Tenant

- **Purpose**: Managed Entra tenant (scoped to a workspace).
- **Key fields**: `id`, `external_id` (Entra tenant GUID), `workspace_id`, `status`, `name`.

### TenantMembership

- **Purpose**: Tenant entitlement (read-only access at minimum).
- **Key fields**: `tenant_id`, `user_id`, `role`, `source`, `source_ref`.

### TenantPermission

- **Purpose**: Stored permission inventory used by the Required Permissions page.
- **Key fields**: `tenant_id`, `permission_key`, `status` (`granted|missing|error`), `details` (JSON), `last_checked_at`.

## Derived / computed values

### "Last refreshed"

- **Definition**: `max(tenant_permissions.last_checked_at)` over the tenant's rows.
- **Stale rule** (Spec 083): stale if no `last_checked_at` is recorded for the tenant OR the newest one is older than 30 days.

### Summary overall status

Derived from the stored permission rows for the tenant, plus freshness:

- **Blocked**: any `application` permission with status `missing`.
- **Needs attention**: no blockers, but at least one warning exists. Warnings are: a `delegated` permission with status `missing`, any row with status `error` (error rows are folded into warnings rather than blockers), or stale freshness per the rule above.
- **Ready**: no blockers and no warnings.

## State transitions

- None introduced here (the page remains read-only). Mutations happen on other surfaces (verification start, provider connection management) and must enforce capability checks there.
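The derivation rules above ("Last refreshed", the stale rule, and the summary overall status) are small enough to be misread at the edges, so here is a worked implementation as an added example. This is illustrative code written for this page, not the project's own code. It assumes the permission kind (`application` vs `delegated`) is carried in `details["type"]`, since the entity description does not name a dedicated column for it; the sample rows and timestamps are constructed for the example. It also refuses to summarize rows that span more than one `tenant_id`, because the inventory is scoped per tenant and mixing tenants would silently leak one tenant's status into another's.

```python
"""Added example (not project code): deriving "last refreshed" and the overall
status for one tenant's stored TenantPermission rows, per the Spec 083 rules.
Assumption: the permission kind lives in details["type"] as
"application" or "delegated"."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

STALE_AFTER = timedelta(days=30)


@dataclass
class TenantPermission:
    tenant_id: str
    permission_key: str
    status: str                      # granted | missing | error
    details: dict = field(default_factory=dict)
    last_checked_at: Optional[datetime] = None


def last_refreshed(rows):
    """max(last_checked_at) over the rows, or None if no row has ever been checked."""
    stamps = [r.last_checked_at for r in rows if r.last_checked_at is not None]
    return max(stamps) if stamps else None


def is_stale(last, now):
    """Stale if never refreshed, or strictly older than 30 days."""
    return last is None or (now - last) > STALE_AFTER


def summarize(rows, now):
    """Return {'status': 'blocked'|'needs_attention'|'ready', ...} for one tenant."""
    tenant_ids = {r.tenant_id for r in rows}
    if len(tenant_ids) > 1:
        # Rows must already be scoped to a single tenant; never mix tenants here.
        raise ValueError(f"rows span multiple tenants: {sorted(tenant_ids)}")

    blockers, warnings = [], []
    for r in rows:
        kind = r.details.get("type")  # assumption: "application" or "delegated"
        if r.status == "granted":
            continue
        if r.status == "missing" and kind == "application":
            blockers.append(f"missing application permission {r.permission_key}")
        elif r.status == "missing":
            warnings.append(f"missing delegated permission {r.permission_key}")
        else:
            # "error" rows fold into warnings; so does any status outside the
            # documented set, so an unexpected value can never read as Ready.
            warnings.append(f"{r.status} while checking {r.permission_key}")

    last = last_refreshed(rows)
    if is_stale(last, now):
        # An empty inventory has no last_checked_at and is therefore stale too.
        warnings.append("permission inventory is stale or has never been refreshed")

    if blockers:
        status = "blocked"
    elif warnings:
        status = "needs_attention"
    else:
        status = "ready"
    return {"status": status, "blockers": blockers,
            "warnings": warnings, "last_refreshed": last}


# Constructed sample data (not from the spec): one tenant per scenario.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FRESH = NOW - timedelta(days=2)
OLD = NOW - timedelta(days=31)

SAMPLE = {
    "ready": [
        TenantPermission("t1", "Directory.Read.All", "granted", {"type": "application"}, FRESH),
        TenantPermission("t1", "User.Read", "granted", {"type": "delegated"}, FRESH),
    ],
    "blocked": [
        TenantPermission("t2", "Directory.Read.All", "missing", {"type": "application"}, FRESH),
        TenantPermission("t2", "User.Read", "granted", {"type": "delegated"}, FRESH),
    ],
    "error_row": [
        TenantPermission("t3", "Directory.Read.All", "error", {"type": "application"}, FRESH),
    ],
    "stale": [
        TenantPermission("t4", "Directory.Read.All", "granted", {"type": "application"}, OLD),
    ],
    "empty": [],
}

if __name__ == "__main__":
    for name, rows in SAMPLE.items():
        print(f"{name:10s} -> {summarize(rows, NOW)['status']}")
```

Two edge cases are worth checking in review of any real implementation: a tenant with no permission rows at all must land in Needs attention (never Ready), because there is nothing to take `max` over and the stale rule fires; and an `error` row on an `application` permission is a warning, not a blocker, exactly as the spec folds it.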