docs(requirements): update roles-and-acl with clarified decisions

- UOA system roles simplified to owner + admin only
- No cap on custom roles per team/org
- Custom roles are labels only; consuming app owns all gating
- Custom roles are orthogonal to UOA system roles
- Owner non-removable, transferable; admin has full power
- Reduced outstanding decisions to 3 open items

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: rafiki270

Docs/Requirements/roles-and-acl.md

@@ -6,69 +6,70 @@ There are two completely separate concepts that must not be conflated.
 
 ### 1. UOA system roles (internal)
 
-These control who can administer the UOA backend itself. They are fixed and managed only by system admins via the admin panel. End users and developers never see or configure these.
+These control who can administer the UOA backend itself — the org and team structure, billing, membership. There are exactly two UOA system roles:
 
-| Role | Scope | Can do |
+| Role | Scope | Rules |
 |---|---|---|
-| `system_admin` | Global | Full admin panel access, all orgs/teams/domains |
-| `org_owner` | Organisation | Manage their org, teams, members, domains |
-| `org_admin` | Organisation | Manage teams and members, not delete org |
-| `org_member` | Organisation | Read-only on org structure |
-| `team_owner` | Team | Manage team members and domain rules for that team |
-| `team_admin` | Team | Manage team members |
-| `team_member` | Team | Basic membership |
+| `owner` | Org or Team | Created with the org/team. Cannot be removed. Can transfer ownership to any other user. Implicitly has all admin capabilities. |
+| `admin` | Org or Team | Full power: delete teams, manage billing, manage members, manage domains. Multiple admins allowed. Any user can be granted or revoked admin. |
 
-These roles are stored and managed by UOA. They drive access to the UOA admin panel and to management API endpoints (`/internal/...`).
+Users who are neither `owner` nor `admin` have no named UOA system role — they are plain members whose significance is defined entirely by their custom role.
+
+`system_admin` is a separate global role for UOA's own admin panel operators and is not visible to org/team users.
 
 ### 2. Consumer-defined roles (external, custom)
 
-These are the roles that a developer registering a domain/team defines for their own product. UOA does not know or care what they mean — it stores and returns them. The developer decides what `editor`, `viewer`, `staff`, `bartender`, or anything else means inside their own application.
+These are roles that a developer or org defines for their own product. UOA stores only the **label** — a string reference. UOA has no opinion on what the role permits. The consuming application owns all gating logic.
 
-UOA's responsibility:
-- Store the custom role definitions per team
-- Assign custom roles to users per team
-- Return the user's custom roles in the access token and via API
-- Enforce nothing — the consuming app enforces meaning
+- Any number of custom roles per team or organisation — no cap, no gating
+- Custom roles can share names with UOA system roles (different namespaces, no conflict)
+- A user's UOA role and their custom role are completely orthogonal: an `owner` in UOA can be a `viewer` in the app; a plain user in UOA can be a `superadmin` in the app
 
-These are entirely separate from UOA system roles.
+UOA's only responsibilities for custom roles:
+- Store the role definitions per team/org
+- Validate that a role assigned to a user exists in the team/org's defined list
+- Return the role label in the access token and via API
+- Enforce nothing beyond that
 
 ---
 
 ## Hierarchy model
 
 ```
 Organisation
-  ├── has many Domains          (multiple — one org may run hundreds of services)
-  ├── has many Teams
-  │     ├── Team has one or more Domains
-  │     ├── Team has custom Role definitions
-  │     └── Team has Members (with custom roles assigned)
-  └── has system-level role assignments per member
+  ├── has many Domains     (multiple — one org can serve hundreds of services)
+  ├── has UOA role assignments (owner, admin) per member
+  ├── has custom role definitions
+  └── has many Teams
+        ├── references one or more Domains from the org's domain pool
+        ├── has UOA role assignments (owner, admin) per member
+        ├── has custom role definitions (can differ from org-level)
+        └── has Members with assigned custom roles
 ```
 
 ### Auto-organisation rule
 
-Not every user of UOA needs an enterprise org setup. Teams are the primary registration unit for simpler setups.
+Teams are the primary registration unit. Not every setup needs a full enterprise org structure.
 
-**Rule:** When a team is created and no organisation is specified, an organisation is automatically created with the same name/slug and the team placed under it. That org is allowed to contain only one team (the simple/non-enterprise case). If the org later needs to expand to multiple teams, it is promoted to a full enterprise org by adding a second team.
+**Rule:** When a team is created without specifying an organisation, UOA automatically creates an organisation with the same name and slug and places the team under it. That org starts in single-team mode.
 
-This means:
-- Teams are always under an org, but the org can be implicit/auto-created
-- Single-team orgs are the default, lightweight path
-- Multi-team orgs are the enterprise path
+- Single-team org = the default, lightweight path (most small integrations)
+- Multi-team org = enterprise path, unlocked simply by adding a second team
+- Teams are always under an org — the org may just be implicit and auto-created
 
 ### Domain assignment
 
-- Domains live at **organisation level** — an org can have multiple domains (e.g. `api.acme.com`, `app.acme.com`, `admin.acme.com`, `mobile.acme.com`, ...)
-- A **team** references one or more domains from its org's domain pool — this is what gets registered; the team is the entity that "uses" a domain
-- A domain can only belong to one organisation
-- Authentication requests come in on a domain → resolve to the org → resolve to the team registered for that domain → determine user's membership and roles for that team
+- Domains are registered at **organisation level**
+- An org can have any number of domains (`api.acme.com`, `app.acme.com`, `admin.acme.com`, etc.)
+- A domain belongs to exactly one organisation
+- Teams reference domains from their org's pool — the team is what gets registered against a domain
+- Inbound auth request flow: domain → org → team registered for that domain → user's membership and roles for that team
 
 ---
 
 ## Custom role definitions
 
-Each team defines its own set of role names. These are free-form strings stored per team.
+Each team (and optionally org) defines its own role names as a simple list of strings:
 
 ```json
 {
@@ -77,17 +78,13 @@ Each team defines its own set of role names. These are free-form strings stored
 }
 ```
 
-When a user is added to a team, they are assigned one of those custom roles.
-
-UOA validates only:
-- The role name assigned to a user must exist in the team's `customRoles` list
-- Role names must be non-empty strings, no spaces, reasonable length
+No limit on the number of roles. Role names are validated only for being non-empty strings. Format is up to the defining org — UOA imposes no casing or character rules beyond that.
 
-UOA does **not** validate meaning or enforce permissions based on custom roles — that is the consuming app's responsibility.
+What a role *permits* inside the consuming application is entirely that application's concern. UOA returns only the label.
 
-### Token output
+---
 
-The access token issued by UOA includes:
+## Token output
 
 ```json
 {
@@ -97,60 +94,60 @@ The access token issued by UOA includes:
     {
       "id": "org_abc",
       "slug": "acme",
-      "uoaRole": "org_member",
+      "uoaRole": "admin",
+      "customRoles": ["manager"],
       "teams": [
         {
           "id": "team_xyz",
           "name": "Backend",
           "domain": "api.acme.com",
-          "customRole": "editor",
-          "uoaRole": "team_member",
-          "uoaRoleInherited": true
+          "uoaRole": "admin",
+          "uoaRoleInherited": true,
+          "customRoles": ["editor"]
         }
       ]
     }
   ]
 }
 ```
 
-`uoaRole` = UOA system role (internal, for UOA management use)  
-`customRole` = developer-defined role (for the consuming app to use)  
-`uoaRoleInherited` = true if the team-level UOA role was not set explicitly but inherited from the org
+- `uoaRole` — `owner`, `admin`, or omitted if neither. For UOA management use only.
+- `uoaRoleInherited` — true if the team-level UOA role was derived from the org-level role, not set explicitly
+- `customRoles` — array of the consuming app's role labels for that scope. UOA stores and returns them; the app interprets them.
 
----
+Note: `customRoles` is an array because a user may hold multiple custom roles at the same scope (e.g. `["editor", "billing"]`).
 
-## Inheritance rules (UOA system roles only)
+---
 
-Custom roles do not inherit — the consuming app defines its own hierarchy if it wants one.
+## UOA system role inheritance
 
-UOA system role inheritance:
+Inheritance applies only to UOA system roles, not to custom roles.
 
-1. `org_owner` → effective `team_owner` on every team in the org
-2. `org_admin` → effective `team_admin` on every team in the org
-3. `org_member` → effective `team_member` on every team (read access only)
-4. A user with an explicit team role at a higher level than their org role keeps the higher team role
+1. Org `owner` → effective `owner` on every team in the org
+2. Org `admin` → effective `admin` on every team in the org
+3. A user with an explicitly higher team role than their org role keeps the higher team role
+4. Inheritance is computed at request time — not stored as duplicate records
 
-Inheritance is computed at access time, not stored as duplicate records.
+Custom roles do not inherit. If a consuming app wants role inheritance, it implements that in its own gating layer.
 
 ---
 
 ## Email domain auto-enrolment
 
-Orgs (and by extension teams) can define rules: any user who authenticates with a verified email from `@acme.com` is automatically added to the org as `org_member` and to the default team with a specified custom role.
+Orgs can define rules so that any user who authenticates with a verified email from a given domain is automatically granted membership on first login.
 
-Rules are per-org and specify:
+Each rule specifies:
 - Email domain (e.g. `acme.com`)
-- UOA role granted (`org_member` or `org_admin` — never `org_owner`)
-- Custom role granted on the default team (must exist in that team's `customRoles`)
-- Verification method required (`ANY`, `EMAIL`, `GOOGLE`, `GITHUB`)
+- UOA role to grant — `admin` only, or neither (plain member with no UOA role)
+- Custom role(s) to assign on the default team — must exist in the team's defined list
+- Verification method required: `ANY`, `EMAIL`, `GOOGLE`, `GITHUB`
+
+`owner` can never be granted via auto-enrolment — ownership is always explicit.
 
 ---
 
-## Outstanding decisions needed
+## Outstanding decisions
 
-1. **Can a custom role be the same string as a UOA system role?** (e.g. can a developer name a role `admin`?) — recommend: yes, no conflict since they live in different namespaces
-2. **Role name format** — allow any string, or enforce lowercase/alphanumeric/hyphen?
-3. **Max custom roles per team** — suggest: 20
-4. **Who can manage custom role definitions?** — suggest: `team_owner` and `org_owner` only
-5. **Default custom role on auto-enrolment** — must be pre-configured per rule, or fallback to first role in the list?
-6. **SCIM provisioning** — out of scope for now but the custom role model needs to be SCIM-group-compatible for future enterprise IdP sync
+1. **Default custom role on auto-enrolment** — must the rule explicitly name a custom role, or fall back to the first role in the team's list if none specified?
+2. **Multiple custom roles per user per team** — the token uses an array; confirm this is intentional (a user can hold `editor` and `billing` simultaneously at the same team scope)
+3. **SCIM** — confirmed out of scope for now