docs(m4): add business/vendor memberships and clean planning docs

docs/MILESTONES/M4/planning/m4-target-schema-blueprint.md

@@ -25,6 +25,7 @@ Practical meaning:
 3. Not every record starts as a full active user:
 - invite-first or pending onboarding records are valid,
 - then bound to `user_id` when activation is completed.
+4. Business-side users and vendor-side users are partitioned with dedicated membership tables, not only one `userId` owner field.
 
 ```mermaid
 flowchart LR
@@ -41,16 +42,16 @@ The stakeholder labels from the customer workshop map to schema as follows:
 
 1. Buyer (Procurements):
 - Buyer users inside a business/client account.
-- Schema anchor: `users` + `tenant_memberships` + `team_members` (procurement team scope).
+- Schema anchor: `users` + `tenant_memberships` + `business_memberships`.
 2. Enterprises (Operator):
 - Tenant operator/admin users running staffing operations.
-- Schema anchor: `tenants`, `team_members`, command-side permissions.
+- Schema anchor: `tenants`, `tenant_memberships`, `role_bindings`.
 3. Sectors (Execution):
 - Operational segments or business units executing events.
 - Schema anchor: `teams`, `team_hubs`, `team_hud_departments`, `roles`.
 4. Approved Vendor:
 - Supplier companies approved to fulfill staffing demand.
-- Schema anchor: `vendors`, `workforce`, `vendor_rates`, `vendor_benefit_plans`.
+- Schema anchor: `vendors`, `vendor_memberships`, `workforce`, `vendor_rates`, `vendor_benefit_plans`.
 5. Workforce:
 - Individual workers/staff and their assignments.
 - Schema anchor: `staffs`, `staff_roles`, `applications`, `assignments`, `certificates`, `staff_documents`.
@@ -99,15 +100,19 @@ What the exports confirmed:
 Tables:
 1. `users` (source identity, profile, auth linkage)
 2. `tenant_memberships` (new; membership + base access per tenant)
-3. `team_members` (membership + scope per team)
-4. `roles` (new)
-5. `permissions` (new)
-6. `role_bindings` (new; who has which role in which scope)
+3. `business_memberships` (new; user access to business account scope)
+4. `vendor_memberships` (new; user access to vendor account scope)
+5. `team_members` (membership + scope per team)
+6. `roles` (new)
+7. `permissions` (new)
+8. `role_bindings` (new; who has which role in which scope)
 
 Rules:
 1. Unique tenant membership: `(tenant_id, user_id)`.
-2. Unique team membership: `(team_id, user_id)`.
-3. Access checks resolve through tenant membership first, then optional team/hub scope.
+2. Unique business membership: `(business_id, user_id)`.
+3. Unique vendor membership: `(vendor_id, user_id)`.
+4. Unique team membership: `(team_id, user_id)`.
+5. Access checks resolve through tenant membership first, then business/vendor/team scope.
 
 ## 4.2 Organization and Tenant
 Tables:
@@ -121,6 +126,7 @@ Tables:
 Rules:
 1. Every command-critical row references `tenant_id`.
 2. All list queries must include tenant predicate.
+3. Business and vendor routes must enforce membership scope before data access.
 
 ## 4.8 RBAC rollout strategy (deferred enforcement)
 RBAC should be introduced in phases and **not enforced everywhere immediately**.
@@ -250,6 +256,10 @@ erDiagram
   TENANT ||--o{ TEAM : owns
   TEAM ||--o{ TEAM_MEMBER : has
   USER ||--o{ TEAM_MEMBER : belongs_to
+  USER ||--o{ BUSINESS_MEMBERSHIP : belongs_to
+  USER ||--o{ VENDOR_MEMBERSHIP : belongs_to
+  BUSINESS ||--o{ BUSINESS_MEMBERSHIP : has
+  VENDOR ||--o{ VENDOR_MEMBERSHIP : has
 
   BUSINESS ||--o{ ORDER : requests
   VENDOR ||--o{ ORDER : fulfills