# Data Model — Spec 080 Workspace-Managed Tenant Administration Migration

This feature is primarily a **routing + panel registration** change. No new entities are required, but the plan relies on these existing domain objects and their relationships.

## Entities

### Workspace
- Represents the portfolio/customer context.
- Key fields (typical): `id`, `name`, `slug` or `uuid`, `archived_at`, timestamps.

### WorkspaceMembership
- Joins a `User` to a `Workspace` with a role.
- Key fields: `id`, `workspace_id`, `user_id`, `role`, timestamps.
- Rules:
  - Workspace membership is an isolation boundary for `/admin/*` management.

### Tenant (Managed Tenant)
- Workspace-owned representation of an Entra/Intune tenant.
- Key fields (from usage in the codebase):
  - `id`
  - `workspace_id`
  - `external_id` (canonical route identifier; Entra tenant GUID)
  - `tenant_id` (Entra tenant ID / GUID — may be same domain meaning depending on model)
  - `name`, `domain`, `environment`
  - `metadata` (JSON)
  - `archived_at` (if supported)
  - timestamps
- Notes:
  - `{tenant}` route parameter refers to `Tenant.external_id` in both `/admin/tenants/{tenant}` and `/admin/t/{tenant}`.

### TenantMembership
- Joins a `User` to a `Tenant` with a tenant role.
- Key fields: `id`, `tenant_id`, `user_id`, `role`, timestamps.
- Rules:
  - Tenant membership is an isolation boundary for `/admin/t/{tenant}/*`.
  - Guardrails: cannot remove/demote the last Owner (existing rule in constitution and code).

### ProviderConnection
- Stores provider integration configuration for a managed tenant.
- Key fields (from resource usage):
  - `id`, `workspace_id`, `tenant_id`
  - `provider`
  - `display_name`
  - `entra_tenant_id`
  - `is_default`
  - `status`, `health_status`
  - timestamps
- Notes:
  - Treated as workspace-managed configuration, but scoped to a specific managed tenant via FK.

### AuditLog
- Append-only record of security/management events.
- Required attributes (per spec): `workspace_id`, `tenant_id`, `actor_id`, `action_id`, redacted metadata, timestamp.

### OperationRun
- Existing observability record for long-running operations.
- This migration itself should not introduce new runs; management page renders must be DB-only.

## Relationships (high level)

- Workspace 1—* WorkspaceMembership
- Workspace 1—* Tenant
- Tenant 1—* TenantMembership
- Tenant 1—* ProviderConnection
- Workspace 1—* ProviderConnection
- Workspace/Tenant 1—* AuditLog

## State & Transitions

- This feature does not add new domain state transitions.
- Any existing onboarding/activation state changes remain workspace-managed in UI (per spec) and must continue to be audited.