LedgerOS · Phase 5 · Production Integration Blueprint
Permission Matrix
Six roles × every route group in the Phase 1–4 design. Actions authorized here map 1:1 to the backend permission strings on the API map.
LedgerOS UI Design Lab · Phase 5 blueprint — no backend is connected. Every endpoint, permission, and event listed here is a design contract, not a live API.
Rose
Owner. Final override on cash, guardrails, and pricing exceptions.
Christin
Accounting Lead. Reclassifications, approvals, verification.
Carmen
Systems Reviewer. Attestation and audit — never posts value.
Accountant
Day-to-day ledger operator. Bounded approval limits.
Team
Individual contributors. Submit and view own scope.
Integration
Service accounts. Signed events only — no interactive login.
| Route | Rose | Christin | Carmen | Accountant | Team | Integration |
|---|---|---|---|---|---|---|
| /cash-availability | View · Override | View · Reclassify | View | View | — | Write bucket updates |
| /invoices/* | All | Create · Approve · Send | View · Export | Create · Send | View own client | Sync only |
| /expenses/approvals | Approve · Override | Approve | View | Approve up to $1k | Submit only | Ingest |
| /expenses/policies | Manage | Manage | View | View | — | — |
| /automation/cash-controls | Override | Propose override | View · Attest | View | — | Emit signals |
| /automation/rules | Manage | Manage | Review | View | — | — |
| /automation/bonus-controls | Approve | Verify | Attest | Post payable | View own | Sync payroll |
| /intelligence/leakage | Accept | Verify · Draft invoice | Review | Send invoice | — | Emit signals |
| /intelligence/recommendations | Accept · Reject | Comment | Review | — | — | — |
| /ledger/journals | Post | Post | Attest | Post | — | Post via signed events |
| /audit | View | View | View · Export | View | View own | Append |
Sensitive-value rules
- Bank balances masked for Team; visible to Rose, Christin, Accountant.
- Payroll amounts visible only to Rose, Christin, Accountant.
- Carmen may view and export everything but never post value.
- Integration service accounts may only post signed events — never authenticate interactively.
- Every deny returns an audit event; every override requires a justification string.
