---
id: document-accesslevel-authorization
name: Document accessLevel Authorization and Identity Cross-References
status: completed
depends_on: []
scope: narrow
risk: trivial
impact: isolated
level: implementation
---

## Description

Two documentation gaps in the identity domain:

1. **S01**: Who can change `accounts.accessLevel`? Can a `user` self-promote? The assumed invariants for application-level access control are undocumented.
2. **S06**: `identity.md:12` lists FK targets but omits `sessions.accountId`. Add it for completeness so the identity doc is a full reference.

## Acceptance Criteria

- [ ] `identity.md` documents authorization rules for `accessLevel` changes (e.g., only `admin` can promote, users cannot self-promote)
- [ ] `identity.md` FK target list includes `sessions.accountId → accounts.id`
- [ ] Rules are consistent with ADR-012 terminology

## References

- docs/reviews/storage-architecture-review-2026-04-21.md#S01
- docs/reviews/storage-architecture-review-2026-04-21.md#S06
- docs/architecture/storage/identity.md

## Notes

> To be filled by implementation agent

## Summary

> To be filled on completion