member-console/internal/entitlements/doc.go

// Package entitlements owns runtime entitlement state for resource pools:
// grants, materialized provisions, ladder attachments, and the audit trail
// of position changes.
//
// # Sole-writer rule
//
// Transition (transitions.go) is the only writer of pool_provision_ladders
// and pool_provision_transitions. Every code path that changes a pool's
// ladder position — operator UI, Stripe subscription webhook, trial-expiry
// workflow, auto-provisioning hook on org creation — funnels through it.
// Direct writes to those two tables from outside this primitive are bugs.
//
// Call sites:
//
//   - internal/server/operator_enrollment.go         — operator force-transition, trial grant, revoke
//   - internal/server/operator_partials.go           — general grants tab (delegates for plan-tier products)
//   - internal/server/operator_org_types.go          — backfill default product on existing orgs
//   - internal/workflows/stripe/webhook_subscription — customer.subscription.created/.deleted/.updated
//   - internal/workflows/entitlements/...            — trial grant_expiration_workflow → Transition(End)
//   - internal/provisioning/provisioning.go          — ladder attachment on org creation
//
// Plan membership is opt-in at the catalog layer (billing.plan_ladder_tiers).
// Products that don't appear in a ladder tier never reach Transition and
// keep flat grant/revoke semantics. The runtime invariants below apply only
// once a product opts into a ladder.
//
// # Companion primitives
//
//   - ReapplyDefaultsForPool (reapply_defaults.go) — invoked by Transition on
//     downgrade/end to re-apply the org's configured default product.
//   - CreateGrantAndMaterialize, RevokeGrantAndRematerialize (grants.go) —
//     low-level grant lifecycle for non-plan products only. Plan-tier grants
//     must route through Transition.
//
// See docs/plan-architecture.md for the full architecture and
// docs/grant-plan-safety.md for the historical incident log.
package entitlements