Workspaces
The trust boundary — two graphs, one boundary.
A workspace is the trust boundary of the product: where content persists (inside the TEE) and the unit that membership, sharing, and voice-scope all hang off.
Two graphs, one boundary
- Conclave owns the
user ↔ workspacegraph — who is a member, who owns a meeting, what's shared. - VFTE owns the
voiceprint ↔ scopegraph — which voiceprints may be recognized in which scope.
They meet at exactly one point: settings.fpm_workspace_for(workspace_id) — an opaque scope id
that VFTE treats as meaningless. Neither side trusts the other's internals; both sides gate. That
opacity is precisely what keeps VFTE a general identity layer any product can reuse.
Membership and ownership
- Workspaces are N:N (
workspace_members). A solo Personal workspace is auto-provisioned on login (non-invitable). - Team workspaces are invite-gated: an owner invites by email → invite → accept (magic-link / auto-on-signup) → member row. Owner-only management; the last owner can't be removed.
- Meetings are owner-private by default — bare membership does not expose a meeting. The owner opts in via share-to-workspace (covers future members) or share-to-member.
- The meeting owner is the recorder (stamped at capture), so share / edit / retention / delete / rename light up for whoever actually recorded.
(This is #32, built and merged locally; see Status.)
Scopes are more than workspaces
VFTE scopes can be workspace · person · meeting, with membership edges carrying
{added_by, id_visibility, subject_consent}. The candidate set for identification is
host-dependent, promotion re-triggers consent, and existing voiceprints were migrated onto this
edge model (#2).
ELI5. Your login gets you into a workspace. Your voiceprint being recognized there is a separate, consented thing. You can be a member who is never recognized, or be recognized as a guest who has no login at all.
Source: FEATURE-SPEC.md §2.9 & §4.7, discoveries/WORKSPACES-AND-VFT-GRAMMAR.md, FPM/docs/vft-scoping-model.md.