Add access control rework

toju-app/src/app/domains/README.md

@@ -6,23 +6,25 @@ infrastructure adapters and UI.
 
 ## Quick reference
 
-| Domain | Purpose | Public entry point |
-|---|---|---|
-| **attachment** | File upload/download, chunk transfer, persistence | `AttachmentFacade` |
-| **auth** | Login / register HTTP orchestration, user-bar UI | `AuthService` |
-| **chat** | Messaging rules, sync logic, GIF/Klipy integration, chat UI | `KlipyService`, `canEditMessage()`, `ChatMessagesComponent` |
-| **notifications** | Notification preferences, unread tracking, desktop alert orchestration | `NotificationsFacade` |
-| **screen-share** | Source picker, quality presets | `ScreenShareFacade` |
-| **server-directory** | Multi-server endpoint management, health checks, invites, server search UI | `ServerDirectoryFacade` |
-| **theme** | JSON-driven theming, element registry, layout syncing, picker tooling, and Electron saved-theme library management | `ThemeService` |
-| **voice-connection** | Voice activity detection, bitrate profiles, in-channel camera transport | `VoiceConnectionFacade` |
-| **voice-session** | Join/leave orchestration, voice settings persistence | `VoiceSessionFacade` |
+| Domain               | Purpose                                                                                                            | Public entry point                                          |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------- |
+| **attachment**       | File upload/download, chunk transfer, persistence                                                                  | `AttachmentFacade`                                          |
+| **access-control**   | Role, permission, moderation, and room access rules                                                                | `normalizeRoomAccessControl()`, `resolveRoomPermission()`   |
+| **auth**             | Login / register HTTP orchestration, user-bar UI                                                                   | `AuthService`                                               |
+| **chat**             | Messaging rules, sync logic, GIF/Klipy integration, chat UI                                                        | `KlipyService`, `canEditMessage()`, `ChatMessagesComponent` |
+| **notifications**    | Notification preferences, unread tracking, desktop alert orchestration                                             | `NotificationsFacade`                                       |
+| **screen-share**     | Source picker, quality presets                                                                                     | `ScreenShareFacade`                                         |
+| **server-directory** | Multi-server endpoint management, health checks, invites, server search UI                                         | `ServerDirectoryFacade`                                     |
+| **theme**            | JSON-driven theming, element registry, layout syncing, picker tooling, and Electron saved-theme library management | `ThemeService`                                              |
+| **voice-connection** | Voice activity detection, bitrate profiles, in-channel camera transport                                            | `VoiceConnectionFacade`                                     |
+| **voice-session**    | Join/leave orchestration, voice settings persistence                                                               | `VoiceSessionFacade`                                        |
 
 ## Detailed docs
 
 The larger domains also keep longer design notes in their own folders:
 
 - [attachment/README.md](attachment/README.md)
+- [access-control/README.md](access-control/README.md)
 - [auth/README.md](auth/README.md)
 - [chat/README.md](chat/README.md)
 - [notifications/README.md](notifications/README.md)
@@ -66,12 +68,12 @@ domains/<name>/
 
 ## Where do I put new code?
 
-| I want to… | Put it in… |
-|---|---|
-| Add a new business concept | New folder under `domains/` following the convention above |
-| Add a type used by multiple domains | `shared-kernel/` with a descriptive file name |
-| Add a UI component for a domain feature | `domains/<name>/feature/` or `domains/<name>/ui/` |
-| Add a settings subpanel | `domains/<name>/feature/settings/` |
-| Add a top-level page or shell component | `features/` |
-| Add persistence logic | `infrastructure/persistence/` or `domains/<name>/infrastructure/` |
-| Add realtime/WebRTC logic | `infrastructure/realtime/` |
+| I want to…                              | Put it in…                                                        |
+| --------------------------------------- | ----------------------------------------------------------------- |
+| Add a new business concept              | New folder under `domains/` following the convention above        |
+| Add a type used by multiple domains     | `shared-kernel/` with a descriptive file name                     |
+| Add a UI component for a domain feature | `domains/<name>/feature/` or `domains/<name>/ui/`                 |
+| Add a settings subpanel                 | `domains/<name>/feature/settings/`                                |
+| Add a top-level page or shell component | `features/`                                                       |
+| Add persistence logic                   | `infrastructure/persistence/` or `domains/<name>/infrastructure/` |
+| Add realtime/WebRTC logic               | `infrastructure/realtime/`                                        |