# Provisioning Module

The provisioning module orchestrates first-login auto-provisioning. When a user authenticates via OIDC for the first time, `AutoProvision` creates all governance and resource structures within a single database transaction:

1. **User** — identity record linked to the OIDC subject
2. **Person** — profile record (display name, email)
3. **Organization** — personal org (`org_type = 'personal'`)
4. **OrgMember** — membership with the `owner` system role
5. **Workspace** — default workspace within the org
6. **Role Assignment** — org-scoped role assignment for the owner
7. **Resource Pool** — default pool (`pool_type = 'default'`, `is_auto_managed = true`)
8. **Pool Assignment** — primary link between workspace and pool (`is_primary = true`)

If any step fails, the entire transaction rolls back — no partial structures exist.