Workspace — company-level container
At a glance. A workspace is the top-level container in iri. Typically one company = one workspace. All data is isolated inside a workspace; data from one company never mixes with another.
To split into team or project spaces inside a company, use a Sphere.
Developer detail
A workspace is the top-level tenant in iri. One team = one workspace. Every row in the database belongs to exactly one workspace, and every query runs under a workspace context that Postgres RLS enforces.
```
team
└── workspace                ← this page
    ├── notes                (personal garden, no sphere)
    ├── documents
    ├── atoms / entities
    ├── tasks
    └── spheres              ← see docs/concepts/spheres.md
        └── folders          ← see docs/concepts/spheres.md
            └── notes + memory.md
```
Use a workspace when you need a hard isolation boundary (separate company, separate paying customer, separate billing). Use a sphere when you need a sub-team or project space inside the same team.
Schema
workspaces (migration 003):
| column | notes |
|---|---|
| `id` | UUID primary key. Set as `app.workspace_id` on every tenant query. |
| `name` | Display name. |
| `slug` | URL slug (`/workspaces/<slug>`). Globally unique. |
| `owner_id` | Better-Auth user id. |
| `plan` | `free` \| `pro` \| `team` \| `enterprise`. |
| `settings` | JSONB. Per-workspace flags: `show_agent_attribution`, `agent_write_approval_required`, `agent_writes_per_hour`, `max_doc_size_mb`. |

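
The workspace context described above (`app.workspace_id` set on every tenant query, enforced by Postgres RLS) can be wired up as follows. This is an added example, not iri's own migration code; the `notes` table shape, the `iri_app` role, the policy name and the workspace ids are assumptions made for illustration.

```sql
-- Hypothetical tenant table and role; iri's real migrations are not shown on this page.
CREATE TABLE notes (
    id           uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    workspace_id uuid NOT NULL,   -- would reference workspaces.id
    body         text NOT NULL
);

ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
ALTER TABLE notes FORCE ROW LEVEL SECURITY;   -- the table owner is filtered too

-- NULLIF matters: a custom setting that was SET LOCAL earlier on a pooled
-- connection reads back as '' afterwards, and ''::uuid would raise an error.
-- With NULLIF an unset context compares as NULL, so no row matches.
CREATE POLICY workspace_isolation ON notes
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- Superusers and BYPASSRLS roles skip every policy, so the application
-- must connect as a role that has neither attribute.
CREATE ROLE iri_app NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON notes TO iri_app;

-- Constructed workspace ids for the demo.
BEGIN;
SET LOCAL ROLE iri_app;
SELECT set_config('app.workspace_id', '11111111-1111-4111-8111-111111111111', true);
INSERT INTO notes (workspace_id, body)
VALUES ('11111111-1111-4111-8111-111111111111', 'note in workspace A');
COMMIT;

BEGIN;
SET LOCAL ROLE iri_app;
SELECT set_config('app.workspace_id', '22222222-2222-4222-8222-222222222222', true);
INSERT INTO notes (workspace_id, body)
VALUES ('22222222-2222-4222-8222-222222222222', 'note in workspace B');
SELECT body FROM notes;          -- policy limits this to workspace B's rows
-- WITH CHECK rejects a write that names another workspace:
-- INSERT INTO notes (workspace_id, body)
-- VALUES ('11111111-1111-4111-8111-111111111111', 'cross-tenant write');
COMMIT;

BEGIN;
SET LOCAL ROLE iri_app;          -- no app.workspace_id set in this transaction
SELECT body FROM notes;          -- context is NULL, so the policy matches nothing
COMMIT;
```

Passing `true` as the third argument of `set_config` scopes the value to the current transaction, so a pooled connection does not carry one workspace's id into the next request.
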
workspace_members:
| column | notes |
|---|---|
| `user_id` or `agent_id` | One row per principal. Agents are first-class members. |
| `role` | `admin` \| `editor` \| `viewer` \| `agent_read` \| `agent_write`. |
| `display_name`, `avatar_emoji` | Per-workspace identity overrides. |
| `joined_at`, `invited_by` | Audit trail. |

Note: workspace member roles (admin/editor/viewer) are distinct from sphere member roles (owner/editor/writer/viewer). Same word, different meaning. A workspace admin is not automatically a sphere owner.