# Accounts App

Workspace and user membership management for Dexxy.

## Purpose

This app handles multi-tenant workspace isolation and role-based access control. Every piece of data in Dexxy is scoped to a workspace, and this app defines the ownership and permission boundaries.

## Models

### Workspace

Container for an organization or team.

| Field | Type | Description |
|-------|------|-------------|
| `name` | CharField | Display name |
| `slug` | SlugField | URL-safe identifier (unique) |

### WorkspaceMembership

Links users to workspaces with role-based permissions.

| Field | Type | Description |
|-------|------|-------------|
| `workspace` | ForeignKey | The workspace |
| `user` | ForeignKey | Django auth user |
| `role` | CharField | Permission level |

**Roles:**
- `owner` - Full control, can delete workspace
- `admin` - Can manage settings, integrations, rules
- `member` - Standard access
- `viewer` - Read-only access

## GraphQL API

### Queries

- `workspaces` - List all workspaces the current user can access
- `workspace(id)` - Get a specific workspace (with access check)

### Mutations

- `createWorkspace(input)` - Create a new workspace (creator becomes owner)
- `updateWorkspace(id, input)` - Update workspace name/slug
- `deleteWorkspace(id)` - Delete workspace (owner only)

## Key Patterns

1. **Workspace Isolation**: All queries filter by workspace membership
2. **Role Hierarchy**: Higher roles inherit lower role permissions
3. **Ownership Guarantee**: Every workspace has exactly one owner

## Dependencies

- Django auth system (`settings.AUTH_USER_MODEL`)
- Used by: All other apps for workspace scoping

## File Structure

```
accounts/
├── models.py      # Workspace, WorkspaceMembership models
├── graphql.py     # GraphQL types, queries, mutations
├── apps.py        # Django app config
└── migrations/    # Database migrations
```