Role split and owner gating

src/types/index.ts

@@ -5,12 +5,39 @@ export interface ZitadelClaims {
   "urn:zitadel:iam:org:project:roles"?: Record<string, Record<string, string>>;
 }
 
-export type PlatformRole =
-  | "platform_admin"
-  | "platform_operator"
-  | "owner"
-  | "user"
-  | "viewer";
+/**
+ * Platform-level roles, granted to PieCed staff only. Hold the IAM-level
+ * authority to administer the entire installation regardless of which
+ * customer org a request lands on.
+ */
+export type PlatformRole = "platform_admin" | "platform_operator";
+
+/**
+ * Customer-level roles, granted by ZITADEL project authorizations on
+ * each customer org's "OpenClaw Platform" project grant.
+ *
+ * Slice 5 dropped the previously-defined `viewer` role. With the portal
+ * acting purely as a control plane (the assistant itself runs at
+ * separate URLs with their own auth), `user` and `viewer` collapsed
+ * to the same surface — read-only access to instance state and usage.
+ *
+ * - `owner` can mutate (packages, workspace files, channel users,
+ *   instance creation, member invites in Slice 7).
+ * - `user` is read-only in the portal. From Slice 6 onwards `user`
+ *   visibility is also narrowed to assigned tenants only.
+ */
+export type CustomerRole = "owner" | "user";
+
+/** Union of all roles a JWT can carry. */
+export type Role = PlatformRole | CustomerRole;
+
+/**
+ * @deprecated Use {@link Role} for the union, or {@link PlatformRole}
+ *             / {@link CustomerRole} when you mean a specific subset.
+ *             Kept as a re-export only so existing imports don't
+ *             explode in mid-migration commits.
+ */
+export type LegacyPlatformRole = Role;
 
 export interface SessionUser {
   id: string;
@@ -18,7 +45,7 @@ export interface SessionUser {
   email: string;
   orgId: string;
   orgName: string;
-  roles: PlatformRole[];
+  roles: Role[];
   isPlatform: boolean;
 }