Sample manual · real generated artifact
Owner's Manual for an AI bookkeeping app
7 generated chapters from the reviewed repository snapshot. This sample was generated from a real repository snapshot, then anonymized before publishing. It shows the manual format, not a promise that every repo will produce the same depth.
Where to start
Three reading paths through the same evidence.
Global attention board
Chapter 1
How the App Is Organized
The app is built as one bookkeeping product around a workspace. That workspace holds the people, settings, billing limits, and the same bookkeeping sections your team uses to handle statements, expenses, transactions, reports, contacts, chart of accounts, and the AI Bookkeeper. On mobile, the companion app uses the same workspace and adds Capture, Documents, AI Chat, and Settings.
OpenClose
Chapter 1
How the App Is Organized
The app is built as one bookkeeping product around a workspace. That workspace holds the people, settings, billing limits, and the same bookkeeping sections your team uses to handle statements, expenses, transactions, reports, contacts, chart of accounts, and the AI Bookkeeper. On mobile, the companion app uses the same workspace and adds Capture, Documents, AI Chat, and Settings.
One-Minute Snapshot
The app is built as one bookkeeping product around a workspace. That workspace holds the people, settings, billing limits, and the same bookkeeping sections your team uses to handle statements, expenses, transactions, reports, contacts, chart of accounts, and the AI Bookkeeper. On mobile, the companion app uses the same workspace and adds Capture, Documents, AI Chat, and Settings. This chapter is based on the code we reviewed, so it tells you what the app does today, not what you may want it to mean, and it marks where document extraction or integrations may still sit outside this repository.
What You Should Be Able To Explain
- Explain the app as one workspace-based bookkeeping product with web and mobile companion surfaces.
- Name the main workspace sections and understand why statements is the default starting point.
- Distinguish owner, workspace owner, admin, member, and viewer language without collapsing them into one role.
- Identify the main boundaries that the repository does and does not prove, especially around permissions, creation limits, and external processing.
Think In One Workspace
One bookkeeping home
The app is easiest to understand as one bookkeeping product organized around a workspace. That workspace is the unit that keeps the owner’s bookkeeping life coherent: it is where the product’s surfaces, people, and settings belong together instead of scattering across disconnected pages. The practical consequence is that the owner should not read the app as a collection of unrelated tools. The workspace is the frame that gives the rest of the product a single accounting context.
Statements first
Within that workspace, statements are the natural starting point. The manual opens there because the product’s bookkeeping story begins by bringing statement work into view and then branching outward into the other accounting and review areas the owner will meet later in the book. That matters because it tells the owner what the product treats as the center of gravity: not administration for its own sake, but bookkeeping flow. The boundary is important too. Statements are the entry point in the web workspace, but they are not the whole product; the rest of the manual expands from there into the other surfaces that make the ledger usable.
Two companion surfaces
The web app and the mobile app belong to the same workspace story. Mobile is not a separate product line with its own accounting model; it is a companion surface that stays tied to the same workspace and supports on-the-go capture and chat alongside the web experience. For the owner, that means mobile should be read as a way to keep bookkeeping moving when work starts away from the desk, not as an alternate place where the product changes identity. The useful mental model is continuity: one workspace, two surfaces, same bookkeeping mission.
Where certainty stops
This chapter stays honest about a limit that matters in practice: some visible work may still depend on processing or integration boundaries outside this repository. In other words, the fact that the product surface appears in the reviewed code does not always mean every downstream step is visible here. The owner can trust the workspace shape, the default entry point, and the companion relationship between web and mobile, but should treat extraction and external connections as visible product workflows with possible pieces behind them that are not shown here. A good example is a document that appears in the app and then moves into later processing: the interface shows the bookkeeping journey, but not necessarily the entire machinery that completes it.
The diagram shows one workspace connected to two surfaces: the web shell and the mobile companion. Both surfaces lead into the same bookkeeping work, but the web shell carries the broader bookkeeping navigation while mobile stays focused on its companion tabs. The consequence is that the app stays one workspace-based product across devices instead of splitting into separate products.
What The Shell And Roles Actually Do
Navigation
The web shell opens on Statements and keeps the bookkeeping sections together in the sidebar: Dashboard, Statements, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings. That ordering matters because the first screen is the working ledger, not account administration. The shell is organized around bookkeeping work first, with settings available when the owner needs them, rather than around a generic account dashboard.
Role Checks
The important pattern is that access is action-specific, not one global gate. Member-management actions are stopped in the interface before the person can act, while general settings writes are sent to the server and rely on the server-side admin-only rule if the local check does not catch them first. In other words, the product uses a visible guard for some operations and a final server guard for others. For the owner, that means a failed action does not always mean the same thing: a blocked member invite is a different failure from a settings save that reaches the server and is then rejected. There is also an open question about whether the client should grow its own explicit precheck for general settings, so the manual should not imply that the current local guard is the only line of defense.
The table below shows the split the reviewed shell actually establishes. Privileged roles share most access, members are narrower, and viewers are blocked.
| Workspace role | Member management | General settings writes | New workspace creation |
|---|---|---|---|
| Workspace owner and admin | Allowed | Allowed, with server-side admin-only enforcement as the final gate | Allowed when billing and account state permit it; the shell disables the action when it is not |
| Member | Blocked | Blocked | Blocked in the reviewed shell |
| Viewer | Blocked | Blocked | Blocked in the reviewed shell |
This is the practical consequence of the shell design: the product does not treat role as a single yes-or-no state. It uses role to separate privileged bookkeeping control from ordinary participation, and then it uses account state as an additional check on creation. The boundary that stays visible here is important too: the shell tells you how the current checks behave, but it does not prove that every future settings path will keep the same split between local and server-side enforcement.
Workspace Creation
Workspace selection and creation are still role- and billing-bound, not free-form. The shell lists the workspaces the person belongs to and marks owners, then disables new-workspace creation when the account is not allowed to create one. The reviewed backend also blocks locked accounts and trial users who already own an active workspace, so the create path is guarded before a workspace record is inserted. When creation is refused, the shell handles it in place with a failure toast instead of sending the reader through a separate billing redirect. For the owner, the consequence is simple: a create attempt can fail cleanly at the shell boundary, and the failure is surfaced immediately rather than turning into a separate billing journey. The limit is worth keeping in mind, though: the evidence proves the in-place failure path that exists today, but it does not establish that this is the only creation flow the product could ever use.
Mobile Companion
Mobile follows the same workspace model, but its operational contract is different from the web shell because it is built around capture and chat. Capture and Documents both require an active workspace, upload the file first through a signed path, and only then start extraction. That ordering means the app does not hand raw files straight to processing; it stages the upload, then asks for extraction, and Documents can poll extraction jobs after that. Capture queues the chosen receipt or bill as soon as upload finishes, so on-device capture becomes another entry into the shared ingest pipeline rather than a separate local queue.
For the owner, the consequence is that a receipt photographed on mobile and a document uploaded elsewhere both enter the same bookkeeping flow. The app is not creating a second account model or a second processing path for those files. AI Chat stays inside the same workspace too, but it is gated differently. The client sends workspace and session information, the server checks membership, workspace state, and usage limits, and one chat credit is deducted before model work begins. If credit deduction fails, the stored user message is removed, so the request does not proceed as a free answer. That makes the chat experience workspace-scoped from the start and credit-aware before any model response is produced. The boundary remains local and specific: the reviewed evidence shows the gating and ordering around mobile ingestion and chat, but it does not describe the internals of extraction or the language model itself.
The diagram separates the in-app path from the server-side path. Member-management actions are stopped by a local guard before they can continue, while general settings writes can leave the screen, reach the server, and then pass or fail the admin-only check. The consequence is that the UI does not act as one single permission wall; some protection only happens after the write reaches the server.
The diagram shows mobile capture and web documents feeding the same signed upload step. After upload succeeds, workspace-scoped details are attached and the extraction job starts. The consequence is that processing cannot begin from a raw capture; upload staging is the gate for both surfaces.
What The Reviewed Evidence Confirms
Web And Mobile Surfaces
The reviewed evidence confirms one workspace with two active surfaces. On the web, the shell opens in Statements and exposes the main bookkeeping sections from the sidebar. On mobile, the companion keeps the same workspace scope but narrows the surface to Home, Capture, Documents, AI Chat, and Settings. That difference matters because the phone is not a second product line; it is a narrower front door into the same workspace.
| Surface | Default landing or home | Main navigation | Workspace switching | Document capture and upload | AI chat |
|---|---|---|---|---|---|
| Web workspace shell | Statements | Dashboard, Statements, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, Workspace Settings | Workspace selection is available in the shell | Shared document upload flow in the workspace | Not surfaced in the reviewed shell navigation |
| Mobile companion | Home | Home, Capture, Documents, AI Chat, Settings | Inside Settings when more than one workspace exists | Capture and Documents use the shared upload-then-extract flow | Present as a workspace-scoped tab |
The table shows a shared workspace with different jobs on each surface. The web shell is the broader bookkeeping workspace, while mobile is the companion surface for capture and workspace-scoped chat. The evidence does not show two separate account models, and it does not suggest that switching workspaces on mobile happens anywhere except Settings when more than one workspace is available.
Web Default And Settings Limits
The web shell's default landing point is Statements, even though Dashboard and the other bookkeeping sections are available alongside it. In practice, that means the product chooses a statement-first starting point for the workspace rather than a dashboard-first one. For an owner, the consequence is simple: if you open the workspace to see where work begins, Statements is the first place the product sends you.
The settings surface is narrower than a generic profile page. The reviewed evidence only confirms writes for workspace name, currency, timezone, date format, and fiscal-year fields, and it confirms backend enforcement that only admins can apply those writes. The local settings experience may or may not add its own precheck; this review does not establish that part. What it does establish is the boundary itself: if a change is outside that field set, the evidence here does not prove that the product supports it.
Membership And Integration Boundaries
Membership changes do not happen through one loose edit path. Invite creation, invite acceptance, invite decline, and member removal each travel through their own guarded path, and each path checks its own conditions. That is important because it keeps membership control explicit: a person cannot be added, accepted, declined, or removed just by the presence of a screen. The path itself has to authorize the action. In the reviewed behavior, invite acceptance and decline depend on matching invite details, and member removal is protected so the workspace owner cannot be removed through that route.
The Xero integration shows a different kind of boundary. The visible card is disabled, but the server-side authorization and disconnect flows are still live and can change integration state. So the disabled card should not be read as proof that the integration no longer exists; it only means the visible UI is not the active control surface right now. For an owner, the consequence is that integration state can still move even when the screen looks inert.
The diagram compares two outcomes from workspace creation. Locked accounts and trial users who already own a workspace are stopped before creation finishes. By contrast, if the billing quantity is missing, the create path does not stop there. The consequence is that quota enforcement can drift open when billing data is incomplete.
What Is Solid Here
One workspace, one vocabulary
The strongest thing about this foundation is that it reads as one product instead of several loosely connected parts. The web shell opens the workspace in statements by default, and the surrounding navigation keeps the main bookkeeping sections in one shared frame. That matters because the owner does not have to learn a different mental model for each surface or each task: the same workspace, the same bookkeeping terms, and the same starting point keep the product legible.
This coherence is not just cosmetic. It gives the owner a stable way to explain the product to a team, a bookkeeper, or a support person without constantly translating between screens. When the manual says statements, transactions, reports, contacts, chart of accounts, or AI Bookkeeper, it is describing parts of one bookkeeping system rather than separate modules with separate rules. The result is less room for confusion about where work belongs.
Boundaries that are visible
The other strong point is that the reviewed evidence does not hide the risky edges. It shows where role differences matter, where workspace creation is constrained, where membership control is explicit, where chat uses workspace credits, and where an integration can still exist as a server-side boundary even when the visible web surface is disabled. For an owner, that is more useful than a vague promise of control, because it tells you which actions are ordinary navigation and which ones change account state, permissions, or cost.
A simple example makes the value concrete. If a workspace owner asks why a member cannot do a particular action, the answer is not hand-wavy: some actions are blocked by role checks in the product, workspace creation can be gated by billing or trial state, and chat consumes a credit before model work begins. That makes operational problems easier to diagnose, and it reduces the chance that a UI label is mistaken for the whole permission model.
Where confidence stops
The manual can be confident about the current shape of the product, but it should stop where the repository evidence stops. Document capture, extraction, and some integration behavior are visible enough to describe as product workflows, yet they may cross into processing or provider boundaries that are not fully contained here. That boundary is a strength because it keeps the manual honest: it can describe what the owner will see and decide against, while still marking the places where the deeper machinery may live elsewhere.
That honesty matters in practice. If a document upload succeeds but downstream processing behaves oddly, the owner should know that the visible workflow is only part of the story. The manual does not need to invent the hidden machinery to be useful; it only needs to say, precisely, that the workspace model, navigation, permissions, creation gates, membership control, and credit handling are solidly established, while extraction and some integration paths remain bounded by what the reviewed evidence proves.
Attention Cards
Owner Decisions
Evidence Boundary
Evidence boundary
Reviewed
- The web workspace shell, its default landing point, and the main bookkeeping sections it exposes.
- The mobile companion tabs, workspace switching behavior, capture flow, documents flow, and AI chat flow.
- The main workspace authority paths for settings, creation, membership, invites, and integration state.
- The shared upload-then-extract document flow and the workspace-scoped reconciliation and transaction paths.
- The places where the reviewed behavior crosses into external processing or backend-only enforcement.
Not reviewed
- Source files, route trees, or implementation details that would turn this chapter into a code tour.
- Adjacent chapters’ detailed workflows such as statement reconciliation, expense document handling, reporting, and mobile deep dives.
- Any external extraction or integration system that is only visible through the product boundary, not proven end to end here.
- Owner intent that was not supplied in the reviewed knowledge for this run.
If the shell, settings, capture, documents, chat, creation gates, membership paths, or integration boundaries change, re-check the live product behavior and compare it with the reviewed evidence before changing this chapter.
Chapter 2
From Statements to Transactions
The reviewed code shows one workspace flow: the web app drops you into Statements, web and mobile both upload a file before extraction starts, and the extracted statement only becomes durable transaction data when reconciliation is completed. From there, the Transactions page edits the reconciled ledger and Reports read the same ledger.
OpenClose
Chapter 2
From Statements to Transactions
The reviewed code shows one workspace flow: the web app drops you into Statements, web and mobile both upload a file before extraction starts, and the extracted statement only becomes durable transaction data when reconciliation is completed. From there, the Transactions page edits the reconciled ledger and Reports read the same ledger.
One-Minute Snapshot
The reviewed code shows one workspace flow: the web app drops you into Statements, web and mobile both upload a file before extraction starts, and the extracted statement only becomes durable transaction data when reconciliation is completed. From there, the Transactions page edits the reconciled ledger and Reports read the same ledger. This is built from the code, so it shows what the app does today, not the intent you may still need to confirm.
What You Should Be Able To Explain
- Explain why Statements is the starting point for this part of the product.
- Explain the path from upload to extraction to review to reconciliation to trusted transaction data.
- Explain which steps are guarded, retry-based, or destructive, including duplicate handling and reopen.
- Explain how web, mobile, Transactions, and Reports fit into one shared bookkeeping story.
One pipeline, one ledger
Statements first
Statements is the front door for this part of the product. The workspace opens there by default, so imported activity begins in the same place the owner is expected to review it. That matters because it gives the product a single starting point for statement work instead of scattering intake across different screens. If you are trying to understand where imported documents become bookkeeping work, start by thinking: statements enter first, everything else follows.
One intake across web and mobile
Web and mobile are two surfaces on the same workspace-scoped intake flow, not separate bookkeeping systems. The practical consequence is that a document captured on mobile and a file uploaded in the web app belong to the same bookkeeping story once they enter the workspace. The owner does not need to treat them as two ledgers or two independent queues; they are two doors into one pipeline.
A useful way to picture this is that the device choice changes how the document gets into the workspace, but not what kind of bookkeeping object it becomes. A member might snap a receipt on the phone while traveling, then later review the same workspace in the web app. Those are different moments in capture, but not different accounting worlds.
Reconciliation is the commit point
The real handoff happens at reconciliation completion. Before completion, statement work is still in review: it may be extracted, checked, corrected, or left unresolved. After completion, the same activity stops being just a statement record and becomes durable transaction data. That is the point where the app treats the work as ready to live in the bookkeeping ledger.
This is why completion carries so much weight for the owner. It is not just a status change in the UI; it is the step that turns reviewed statement activity into the accounting record the rest of the product can trust. The boundary is important too: incomplete work is still provisional, and the manual should not treat it as final just because it has been imported or partially processed.
Downstream views follow the ledger
Transactions and Reports sit downstream of that reconciled ledger. Transactions is where the owner works with the reconciled records directly, and Reports read from the same underlying set. That means later changes to reconciled transactions can move what the owner sees in both places. If a category is corrected or a matched document is adjusted after reconciliation, the ledger changes, and the downstream views reflect that change.
That shared source is the main mental model to keep. The product is not maintaining one story for Transactions and a different story for Reports. It is keeping one bookkeeping spine, then showing it through different lenses. So if a number shifts in a report, the right question is usually not "which screen is lying?" but "what changed in the reconciled ledger?"
In practice, this gives the owner a simple rule: review happens in Statements, finalization happens at reconciliation completion, and everything after that is a view onto the same committed bookkeeping data.
Web upload and mobile capture both feed one staged upload step. From there the file moves into extraction, then statement review, then reconciliation completion. Once reconciliation is complete, the work becomes shared ledger data, and both Transactions and Reports read from that same ledger.
From upload to reconciliation
Upload first
Both web and mobile follow the same intake sequence: the file is staged through a signed upload location first, and only then does the product start extraction with workspace-scoped details such as the workspace, file location, file name, file type, file size, and job token. That order is the point. The system is not accepting a raw document and hoping for the best; it is accepting a verified upload and then asking for extraction against that staged file. If the upload step never succeeds, extraction never starts.
In practice, that means the client has to finish the handoff to storage before it can ask for bookkeeping work. A member cannot skip straight from choosing a document to a processed statement. The document has to exist in the intake pipeline first, and only then can the workspace ask the extraction service to do its job.
Front-door checks
Extraction start is guarded on the conditions that would make the work unsafe or unauthorised. The caller has to be signed in, belong to the workspace, and pass the workspace lock check. The upload token has to be valid, the file has to pass validation, and the workspace has to have enough credit balance to allow the run. Those checks fail closed, so the system stops before creating work when any of them are not satisfied.
The duplicate-upload check is different. It is helpful when it works, but it is not the main gate. If the system can confirm that the file was already processed, it can treat the extraction as a duplicate and stop that path. If the duplicate lookup itself fails, the job still continues to enqueue. That is the boundary the owner needs to understand: duplicate suppression is best-effort, not a hard guarantee. So a temporary lookup failure can still let another extraction job through and consume more work or credits.
After extraction succeeds
Once extraction reaches success, the product does not stop at “file processed.” It stores the result, enriches the statement record, and updates related bookkeeping data such as contacts and financial accounts. Credits are charged only after that successful write. The order matters because the product records the usable bookkeeping outcome before it records the cost of the run.
While extraction is still unresolved, the product keeps polling until the job settles into a terminal state. That means the system does not guess early. It waits for the non-terminal work to finish, then either records the successful result or leaves the job in a failed state. For the owner, that separates “work in progress” from “work that has become part of the books.”
State to effect
| Pipeline stage | What must already be true | Main checks or actions | How it settles | |---|---|---|---| | Extraction start | The file has already been uploaded through a signed location, and the caller has a valid workspace context. | The product checks sign-in, workspace membership, workspace lock state, upload token validity, file validation, credit balance, and a best-effort duplicate-upload check. | The job is enqueued, or it is rejected before extraction begins. | | Extraction success | The extraction job has reached a successful terminal state. | The product stores the result, enriches statement data, and then deducts credits. | The statement data becomes durable, and the charge is recorded after success. | | Reconciliation start | The statement is still in progress, and the caller has the right workspace role. | The product refuses concurrent workspace runs, checks the workspace lock, writes the run bundle, and enqueues the reconciliation run. | The run enters the queue and moves into polling. | | Reconciliation polling | A reconciliation run is already queued or running. | The page keeps polling through pending and transient states. | The run ends in a terminal outcome or times out. |
Reconciliation as a controlled run
Reconciliation starts only from an in-progress statement, not from a finished one. It also runs with workspace-level serialization, so the product blocks another run from starting while one is already active for the workspace. That prevents two people from trying to finalize the same bookkeeping work at the same time.
The run then follows a polling loop. The page keeps checking while the run is pending or in another non-terminal transient state, and it stops only when the outcome is terminal or the attempt times out. That gives the owner a controlled finish line: the system can wait, retry, or block, but it does not silently announce completion before the run has settled.
A simple example makes the flow concrete. A member uploads a statement, the file is staged through the signed upload path, extraction is requested with the workspace metadata, the system blocks the request if the workspace is locked or the credits are not available, and a duplicate check only stops the job when it can confirm the repeat. If extraction succeeds, the result is stored and credits are charged afterward. If the statement is still in progress, reconciliation can then start and keep polling until it either finishes cleanly or times out.
The intake path requires the user to be signed in, belong to the workspace, work in an unlocked workspace, present a valid upload token, pass file checks, and have enough credit before extraction starts. A separate repeat-file check can stop a known duplicate, but if that lookup fails the job can still continue and enqueue.
Facts the evidence pins down
The evidence makes the workspace shape and its role gates concrete. Statements is the default landing place in the web shell, and the main navigation groups the bookkeeping surfaces together: Dashboard, Statements, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings. That matters because the product does not hide the statement flow behind a separate entry point; it presents it as the first stop in the bookkeeping workspace, with the other surfaces arranged around it.
The transaction ledger is shared
The Transactions page reads the reconciled ledger directly, not a copy of it. It supports search, tab, and date filters, and changes to category or matched-document fields write back to that same ledger for active members and admins. The practical consequence is that a transaction edit is not just a display tweak: it changes the bookkeeping record that Reports later reads. A member can therefore affect downstream reporting numbers only within the permissions the product gives them, while a viewer cannot make those edits at all.
Reconciliation has hard finish conditions
Completing a reconciliation is gated by both role and state. The evidence shows that an active member or admin can complete it, but only when there are no unresolved items and the required fields are present. Version 3 relaxes one edge of that rule by allowing a missing payee, and the completion step can also create or revive contacts as part of finalizing the work. In owner terms, this is the line between an in-progress statement review and durable transaction data: if the review is still incomplete, the product does not let it become a finished reconciliation yet.
A concrete case makes the boundary clear. If a month-end statement still has one unresolved line, completion should stop there. If that same statement is otherwise ready and the workspace is on version 3, the absence of a payee does not necessarily block completion, and the product may create the contact record it needs during that finish step. That is a bookkeeping rule, not a cosmetic one, because it determines what becomes trusted ledger data.
Locked reconciliations are special
Reopen is narrower than normal transaction editing. It only appears for locked reconciliations, and it is limited to owner or admin in both the client and the backend policy. That means an active member can work on transactions and can complete reconciliation when allowed, but cannot reopen a locked reconciliation once the product has treated it as closed. Viewers have no access to these write paths.
| Role | Edit transactions | Complete reconciliation | Reopen locked reconciliation |
|---|---|---|---|
| Owner or admin | Yes | Yes | Yes |
| Active member | Yes | Yes | No |
| Viewer | No | No | No |
The important pattern is that the same bookkeeping surface carries different gates depending on the action. Editing a transaction, finishing a reconciliation, and reopening a locked reconciliation are related, but they are not interchangeable. An owner who needs to fix a finalized period has a privileged reopen path; an active member can still work the ledger inside the normal reconciliation flow; a viewer can only observe.
A reconciliation starts in review. When it is completed, it becomes trusted ledger data. That finalized reconciliation can then sit in a locked state. If a privileged user reopens it, the finalized rows are removed and the work goes back into review so it can be edited again.
What is genuinely solid
One spine, not three systems
The strongest part of this product is that it does not split bookkeeping into separate truths. Imported activity comes in through one intake path, reconciliation is the handoff where reviewed activity becomes durable, and Transactions and Reports both read from the same reconciled ledger. For the owner, that means one correction changes the underlying record instead of living only on one screen. If a member fixes a miscategorized line in Transactions and then opens a report, the report moves with that same ledger rather than preserving a second version of the books. The boundary matters: the shared spine is real, but each report still has its own reporting window, so the product is unified in data source, not flattened into identical views.
Web and mobile stay aligned
The web workspace and the mobile companion share the same capture contract: the file is staged first, and extraction starts only after that staging succeeds. That is a quiet strength because it keeps the bookkeeping story teachable. The owner does not need one explanation for desktop and another for phone; a statement or receipt captured on mobile enters the same intake shape as one uploaded in the web app. That reduces drift in support, training, and expectation setting, because there is no separate side queue that later has to be reconciled by hand. The limit is equally important: shared intake does not make the two surfaces identical in presentation or task focus. It keeps the workflow aligned, not the interface.
Guardrails are layered
Sensitive actions are not left to a single weak check. The interface blocks some privileged actions up front, but the server still decides whether a write lands. That layered shape matters where bookkeeping mistakes would otherwise stick: transaction edits are only accepted for active members and admins, and reopening a locked reconciliation is reserved for privileged roles. Even workspace settings writes still appear to depend on server-side enforcement rather than a separate visible precheck, which is why the safety net feels stronger than a simple disabled button. For the owner, the practical benefit is that accidental clicks are less likely to become lasting ledger changes. The qualifier is that this is strong layered protection, not a guarantee that every future path will use the same visible guard in the same way.
Attention Cards
Owner Decisions
Evidence Boundary
Evidence boundary
Reviewed
- The web workspace shell and its default Statements landing point.
- The shared upload-then-extract intake path on web and mobile.
- Extraction status handling, result writing, credit timing, and reconciliation run behavior.
- The Transactions page, Reports, and the reopen path for reconciliations.
Not reviewed
- Expense-document-specific workflow details beyond the statement-to-transaction path.
- Workspace billing, membership, and integration behavior except where they affect this flow.
- External extraction provider internals and any repository areas not reflected in the reviewed knowledge.
- Mobile chat and other companion features that do not change the statement-to-transaction flow.
If the product changes, recheck the default workspace route, every upload path, the extraction status order, reconciliation completion and reopen rules, and the tables that Transactions and Reports read from.
Chapter 3
Bills, Receipts, and Expense Documents
Statements still lead the workspace, but bills, invoices, and receipts run as a parallel lane beside them. In web and mobile, the product first stages the upload, then starts extraction, and only after that writes the extracted data back into workspace records. That means the document is not trusted at capture time; it becomes useful only after the review path finishes.
OpenClose
Chapter 3
Bills, Receipts, and Expense Documents
Statements still lead the workspace, but bills, invoices, and receipts run as a parallel lane beside them. In web and mobile, the product first stages the upload, then starts extraction, and only after that writes the extracted data back into workspace records. That means the document is not trusted at capture time; it becomes useful only after the review path finishes.
One-Minute Snapshot
Statements still lead the workspace, but bills, invoices, and receipts run as a parallel lane beside them. In web and mobile, the product first stages the upload, then starts extraction, and only after that writes the extracted data back into workspace records. That means the document is not trusted at capture time; it becomes useful only after the review path finishes. The reviewed evidence also shows this flow can touch contacts and other bookkeeping records, but it does not prove a separate bill-category model, so that boundary stays with the controls chapter. Two owner risks are already visible: duplicate-file checks can miss when the lookup fails, and bill cleanup can stop halfway through.
What You Should Be Able To Explain
- Explain that bills, invoices, and receipts are one document lane beside statements, not a separate product.
- Explain the upload -> extraction -> review sequence and where a document becomes trusted.
- Explain which checks block extraction and where duplicate detection is only best-effort.
- Explain the main cleanup and state risks that can leave partial or duplicated expense-document work.
Mental Model: one intake lane beside statements
A second lane, not a second product
Bills, invoices, and receipts live beside statements as a parallel bookkeeping lane. The important mental shift is that this is not a separate app or a separate kind of workspace. It is another way documents enter the same bookkeeping environment, with the same owner expectation that captured paperwork should eventually become something the workspace can use.
That framing matters because it keeps the product model consistent. Statements remain the main spine of the workspace, but expense documents are not outside that spine; they are adjacent to it. For an owner, that means the question is not "Which product should I use for bills?" but "Which intake path should I use for this document type?" The answer is that bills and receipts follow their own lane, while still belonging to the same workspace story.
A candidate first, useful later
At capture time, an expense document should be treated as a candidate, not as trusted bookkeeping data. It only becomes useful after the upload step has been staged and extraction has completed. Until then, the document is in transit: it has been accepted into the flow, but it has not yet been turned into workspace data that other bookkeeping screens can rely on.
That sequence is the owner-visible boundary. If processing is still running, the safest assumption is that the document has not yet finished becoming part of the bookkeeping record. Once extraction completes, the document can contribute usable information back into the workspace. This is why the flow is designed as intake first and usefulness second, rather than as an instant write-through capture tool.
A simple example is a supplier receipt captured on the way out of a meeting. The upload may succeed quickly, but the owner should still treat the receipt as pending until extraction finishes. Only after that point does it become something that can be relied on as part of bookkeeping work.
It reaches into the same bookkeeping data
Expense-document extraction is not isolated. The reviewed evidence shows it can touch contacts and related bookkeeping records, which means this lane writes into the same workspace data model that supports the rest of bookkeeping. In practical terms, the system is not just storing an image of a bill; it is trying to connect the document to the people and records the workspace already understands.
That is useful because it helps the workspace turn a receipt into something operational, not just archival. A document that identifies a vendor can contribute to contact records, and related bookkeeping data can be enriched as part of the same flow. For the owner, that means the value of this lane is not only document storage. It is the chance to connect imported expense evidence back to the bookkeeping structure the workspace already uses.
The boundary is important, though. The evidence supports contact and related-record enrichment, but it does not establish a separate bill-category model here, so that belongs with the controls chapter rather than this one. The safe mental model is therefore simple: expense documents are a parallel intake lane that starts as a candidate, becomes useful after extraction, and then joins the same bookkeeping world as contacts and other related records.
The workspace shell leads to statements and also to an expense document lane. That lane accepts uploads from web and captures from mobile, and both feed the same bookkeeping workspace. The consequence for the owner is that bills, invoices, and receipts are route choices inside one workspace, not a separate product.
How It Works: upload, extract, verify, then charge
One intake path on web and mobile
Web and mobile use the same intake pattern for bills, invoices, and receipts: the file is staged through an upload link first, and extraction only starts after that staging step succeeds. That order is the load-bearing part of the flow. It means the product is not trying to process a raw file the moment a member picks it; it first gets the document into the shared ingest lane, then decides whether the workspace is allowed to spend work on it.
For the owner, that split matters because it changes what counts as a real submission. A document that has been selected but not successfully staged is still just an attempt. The system only has something it can work with after the upload step completes and the extraction starter has enough workspace-scoped context to proceed. This is also where the chapter stays separate from statement-specific reconciliation: the same bookkeeping product has another document lane, but this section is only about the document intake path that precedes extraction.
The gates before work is queued
Before extraction is enqueued, the starter fails closed on the checks that protect the workspace from the wrong kind of work. It blocks bad authentication, the wrong workspace role, a locked workspace, invalid files, missing upload proof, and low credit. In practical terms, the product does not quietly continue past those conditions and hope for the best. If the caller is not properly allowed to act, if the workspace is not in a usable state, or if the file itself does not pass validation, the job does not move forward.
That behavior matters because it keeps the intake lane from turning into an expensive catch-all. A locked workspace should not keep accumulating document work, and a member without the right workspace standing should not be able to push extraction through by accident. Low credit is treated the same way: the system refuses to start work it already knows it should not fund. The boundary is that these are start-time checks. They tell you what can be queued, not how a later review should interpret the document once it exists.
| Condition or stage | Result for the extraction job |
|---|---|
| File staged through the upload link | The system has enough staged input to start considering extraction. |
| Bad authentication, wrong workspace role, locked workspace, invalid file, missing upload proof, or low credit | Extraction is blocked and does not enqueue. |
| Duplicate-file lookup succeeds and finds a match | The system records the duplicate outcome instead of treating it as a normal new job. |
| Duplicate-file lookup fails | The job can still enqueue; duplicate checking is best-effort. |
| Extraction succeeds | Results are written first, then credits are charged afterward. |
Duplicate checking is cautious, not absolute
The duplicate-file check is a useful guard, but it is not the final authority on whether the job can proceed. The evidence shows it is best-effort: if the lookup works and finds a duplicate, the product can surface that outcome and avoid treating the upload as a fresh document. If the lookup itself fails, the job is still allowed to enqueue. That is a deliberate tradeoff in the current behavior, and it is the point where the flow stops being strict.
For the owner, the consequence is simple but important. Duplicate protection reduces unnecessary work when it succeeds, yet an outage or lookup failure in that check can still allow another extraction job to be created. That means duplicate handling is not a guarantee against repeated work or repeated charging pressure. The evidence does not establish whether that should remain the long-term policy; it only shows that the current path prefers progress over stopping the intake lane when the lookup is unavailable.
Success writes first, charges later
When extraction succeeds, the system does not charge first and fill in the bookkeeping record afterward. It writes the results first, then deducts credits. Along that successful path, it can also enrich contacts and related bookkeeping records, including updating financial account data that belongs with the extracted document. The ordering matters because it makes the saved bookkeeping work the primary outcome of a successful run, with billing following behind it.
That order changes the owner’s risk profile. A successful extraction is meant to leave durable bookkeeping data behind even before the credit side is settled, so the product is not depending on billing timing to make the document useful. The boundary is equally important: the evidence shows this write-first pattern on the successful path, but it does not prove every downstream bookkeeping detail or every enrichment rule. What is established is narrower and still useful: the system stores the extracted result before it charges for that work.
A concrete example helps. Suppose a member uploads a receipt from the web app while the workspace is active and the file passes validation. The upload is staged, the extraction starter checks that the member is allowed to proceed, and the job is queued. If the duplicate lookup is unavailable at that moment, the job may still go through. If extraction later succeeds, the product saves the result, may update the related contact or financial account data, and only then reduces the credit balance. If any of the start checks fail instead, the document never reaches the queue at all.
A document starts as a candidate. It becomes staged only after the upload step succeeds, then extraction runs, then the results are written back, and only after that are credits charged. The consequence is that the document is not trusted at capture time; it becomes trusted only after the successful write-back step.
One branch shows the lookup working: a match is found and repeat work is stopped. The other branch shows the lookup failing: the job still queues anyway. The consequence is that duplicate detection reduces waste when it succeeds, but a lookup failure can still allow another extraction job.
Verified Facts: the parts we can point to
Where the workspace opens
The workspace shell lands in Statements by default and keeps Expenses in the main navigation alongside the rest of the bookkeeping surface. For an owner, that is a concrete signal about the product’s structure: statements are still the entry point, but expense documents are not hidden off to the side. They are exposed as a first-class area in the same shell. The boundary is equally important. This does not mean expense documents replace statements or get a separate product lane; it means the product makes both visible inside one workspace frame.
One intake contract on web and mobile
The mobile Capture and Documents views use the same upload-then-extract sequence as the web flow. A document is staged through a signed upload step first, and extraction starts only after that staging succeeds. The Documents view then watches extraction jobs for the active workspace, while Capture queues the chosen receipt or bill through the same path after upload. The practical consequence is that mobile is not a separate local intake system. It feeds the same shared document flow, so the owner can expect the same basic gating and the same workspace scope across surfaces. What the evidence does not establish is any special mobile-only shortcut that bypasses upload staging or extraction review.
Delete paths are not symmetrical
The reviewed evidence shows a meaningful difference between the statement-side and bill-side cleanup paths. The statement path is guarded before cleanup proceeds, while bill deletion is split into two separate removal steps. That matters because the order of cleanup changes the risk of partial state: the statement path is designed to protect completed bookkeeping work before it clears the duplicate-file marker, but the bill path can stop after removing one record and before removing the next.
| Delete path | Precheck | Cleanup order | Failure risk |
|---|---|---|---|
| Statement-side delete | Checks for completed reconciliations before cleanup proceeds | Cleans up the statement record and then clears the duplicate-file marker | Lower risk of leaving protected bookkeeping state in an unsafe condition |
| Bill delete | No equally strong precheck is established in the reviewed evidence | Deletes extracted results first, then deletes the extraction job record | A mid-way failure can leave partial cleanup behind |
The owner-facing implication is simple: statement deletion is more carefully guarded, while bill deletion can be only partly successful. In the bill case, a failure midway is not treated as impossible by the evidence we have; it is an explicit risk. That is why the bill path should be read as cleanup in stages, not as an all-or-nothing operation.
The bill starts present. Deletion removes the saved result first, then tries to remove the job record. If the second step succeeds, cleanup finishes; if it fails, partial cleanup remains. The consequence is that bill deletion can stop halfway through and leave the workspace only partly cleaned.
Strengths: where this flow is already solid
One contract across surfaces
The strongest property of this flow is that it does not split the owner’s story between web and mobile. Both surfaces feed the same document contract, so a bill, invoice, or receipt behaves the same way whether a member starts it on the desktop workspace or captures it on the phone. That matters because it reduces the chance of two different habits forming around the same bookkeeping task. A team does not need one rule for “documents captured on mobile” and a second rule for “documents uploaded on web.” It has one intake shape, one review expectation, and one place where the document becomes useful.
That consistency is not just cosmetic. In practice, it keeps training and support simpler, and it makes the owner’s process easier to standardize across a team. If someone is traveling and captures a receipt on mobile, the owner can still expect it to enter the same workspace flow later, instead of turning into a side path with its own behavior. The boundary is important: this does not prove that every downstream bookkeeping outcome is identical in every case, only that the capture contract itself is shared and coherent across the two surfaces.
Failure before waste
The second strength is that the flow refuses bad starts early, before the system spends effort on extraction. When authentication, workspace access, workspace lock state, upload proof, file validity, or available credits are wrong, the process fails closed rather than trying to push forward anyway. For the owner, that is a useful kind of conservatism: it prevents an invalid document from quietly consuming processing capacity and then forcing cleanup later.
That early gate also protects the bookkeeping lane from becoming noisy. If a workspace is locked, or the caller is not allowed to operate in that workspace, the flow stops at the edge instead of producing half-finished document work that someone has to untangle later. The one important qualifier is duplicate detection: it is only best-effort. So the system is strong at stopping clearly invalid starts, but it is not perfect at preventing a duplicate when the lookup itself does not come back cleanly.
Persist first, bill later
The third strength is the order of successful completion. When extraction succeeds, the system stores the results first and only then charges credits. That separation matters because it protects the owner from paying for work that did not actually land in the workspace. The bookkeeping value arrives before the credit cost is taken.
This makes the flow more resilient to timing problems. Suppose a receipt finishes extraction and the workspace record is written successfully, but the credit deduction happens afterward. The owner still has the extracted bookkeeping data even if the billing step is delayed or has to be retried. The system is therefore less fragile than a design that charges first and only later tries to save the result, because a billing hiccup would not erase the completed bookkeeping work. The limit is narrow but important: this is a durability advantage, not a guarantee that every later step in the surrounding workflow is free of cleanup risk.
Attention Cards
Owner Decisions
Evidence Boundary
Evidence boundary
Reviewed
- The workspace shell defaults to statements and shows Expenses alongside the other bookkeeping sections.
- Web and mobile both stage an upload before starting extraction.
- The extraction starter checks access, workspace state, file validity, and credits before it queues work.
- Successful extraction writes results first and charges credits afterward.
- Bill deletion is a separate cleanup path from statement deletion, and the two paths do not behave the same way.
- Mobile capture and the Documents tab use the same ingest contract as the web flow.
Not reviewed
- A dedicated bill-category assignment rule for expense documents.
- The internal implementation of the external extraction provider.
- Any billing policy beyond the observed credit check and post-success charge order.
- Any downstream accounting or reporting effects beyond the document flow itself.
Re-check the upload entry points, the extraction starter, the status updater, and the delete paths if document routes, credit rules, or cleanup ordering change. If later evidence proves a dedicated bill-category path, move that out of the uncertainty bucket and into the chapter's verified facts.
Chapter 4
Categories, Contacts, and the Chart of Accounts
This chapter is built from the code, so it shows what the app does today, not what you may want it to mean. In the workspace shell, Statements is the default entry point and the same navigation exposes Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings.
OpenClose
Chapter 4
Categories, Contacts, and the Chart of Accounts
This chapter is built from the code, so it shows what the app does today, not what you may want it to mean. In the workspace shell, Statements is the default entry point and the same navigation exposes Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings.
One-Minute Snapshot
This chapter is built from the code, so it shows what the app does today, not what you may want it to mean. In the workspace shell, Statements is the default entry point and the same navigation exposes Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings. The bookkeeping controls here are shared: changing categories, contacts, or reconciliation state changes the transaction ledger the rest of the product reads from. That is why this chapter focuses on control, not decoration: these edits decide whether the numbers stay trustworthy.
What You Should Be Able To Explain
- Explain that categories, contacts, and the chart of accounts are shared bookkeeping controls, not isolated labels on one screen.
- Explain which bookkeeping actions change the ledger directly and which roles can do them.
- Explain how reconciliation completion, reopen, and transaction edits affect report output.
- Decide whether the current edit and reopen rules are strict enough for the trust you want.
How to Think About the Controls
One control layer, not separate corners
Think of the bookkeeping area as one shared control layer in the workspace. The shell does not hide bookkeeping behind a settings-only corner: Statements is the default landing surface, and the same navigation path also exposes Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings. That layout matters because it tells you what the product believes these areas are for. They are not isolated tools that happen to sit next to each other. They are the working surfaces that shape, read, and govern the same accounting record.
The practical consequence for an owner is that the bookkeeping flow has a single center of gravity. If a category changes, if a contact is corrected, or if the chart of accounts is adjusted, that is not only a visual cleanup on one page. It changes the meaning of the underlying record that other parts of the workspace will later read. The chapter on transaction handling explains the edit mechanics and role gates; here, the important mental model is simpler: these controls are shared structure, so a change in one place is not local to that one screen.
Meaning travels with the record
Categories and contacts matter because they carry accounting meaning, not just presentation. A category tells the product how to interpret a transaction for bookkeeping purposes. A contact ties the transaction to a person or business relationship that can be reused across the workflow. When those shared records are correct, the product can present a transaction as something stable and intelligible instead of as a raw line item with missing context. When they are wrong, the problem is not cosmetic. The record itself becomes less trustworthy, and every downstream view that depends on it inherits that weakness.
The same is true of the chart of accounts. It is part of the product’s explicit accounting structure, so it is best understood as the vocabulary the workspace uses to sort financial activity into the right buckets. That vocabulary does not live on one page only. It is the structure that lets the rest of the bookkeeping layer speak consistently about the same transaction over time.
Why reports and transactions must agree
The owner should read Transactions and Reports as two views over the same underlying bookkeeping state, not as two separate systems with their own version of the truth. The transaction page reads from the reconciled transaction set, and the report views are built from that same set with the chosen date or fiscal window applied. That means a change to shared bookkeeping structure does not stay confined to the editing surface. It shows up wherever the workspace reuses the same record.
A concrete example: if a transaction is recategorized, the immediate effect is not only that the transaction looks different in the transaction list. The category change can also alter what later report views count, because those views are reading from the same source record. This is why governance over shared controls matters. You are not deciding whether a label looks neat; you are deciding whether the bookkeeping record remains consistent enough for reports, reconciliation history, and AI-assisted answers to mean the same thing when they read it later.
The boundary is worth keeping clear. This section is about the mental model of the control layer, not the step-by-step edit flow or permission matrix. The point is that the workspace has one shared bookkeeping spine, and categories, contacts, and the chart of accounts are the structure that makes that spine usable.
Statements, Transactions, Contacts, Chart of Accounts, and Reports all connect to the same bookkeeping record. A change made in any of the control surfaces flows into that shared record, and Reports reads back from it. The consequence is that edits are not local to one page; they can change later reporting and review views.
What Changes, Who Can Change It, and When
The practical split here is between ordinary ledger edits, reconciliation finalization, and reversal. The system lets some roles change bookkeeping records in place, but it keeps reopening much narrower because reopening undoes a completed state instead of simply correcting a line.
Who Can Act
The permission boundary is easiest to see in a single matrix. Editing transactions and completing reconciliations are available to active members and admins, while reopening a locked reconciliation stays with owner and admin roles. Viewers have no write path.
| Role | Edit transactions | Complete reconciliations | Reopen locked reconciliations |
|---|---|---|---|
| Owner | Yes | Yes | Yes |
| Admin | Yes | Yes | Yes |
| Active member | Yes | Yes | No |
| Viewer | No | No | No |
That split matters because it is an action gate, not a cosmetic label. Two people can look at the same bookkeeping record and still have different options depending on role. For the owner, the consequence is that ordinary correction work does not require full reversal rights, but the right to reopen a locked reconciliation remains reserved for the stronger roles.
Direct Ledger Edits
Transaction edits write back to the same reconciled transaction records that the product uses for downstream work. They are not edits to a shadow copy or a temporary review layer. When a member or admin changes a category, the change lands on the live bookkeeping record. When they adjust a matched-document link, that link changes in place as well. The owner should read that as a direct control over the meaning of the transaction, not just its presentation.
The consequence is immediate. If a charge was categorized as travel and later corrected to software, the corrected category is now the shared record other parts of the product see. That is useful because it keeps the bookkeeping state consistent, but it also means a mistaken edit is not isolated to one screen. The boundary the evidence establishes is specific: the reviewed transaction path clearly updates category and matched-document fields in place. It does not establish every editable field or every possible bulk-edit pattern beyond that.
Finalizing Reconciliation
Completion is stricter than editing. A reconciliation only completes when unresolved items are cleared and the required fields are present. In the reviewed completion path, that means category, date, and payee information are expected before the record can be finalized. There is one important qualifier: the newer completion path can allow a missing payee and still create the final transaction records and contacts. The evidence does not show that every completion path is equally permissive; it shows an alternate path that relaxes payee presence while still producing durable bookkeeping data.
For the owner, that is the line between review work and accounting truth. If the reconciliation is not valid enough, it stays open. If it is valid enough, the product turns it into final transaction records, and the contacts record can be created or revived as part of that closeout. A concrete example helps: if a statement line has a clear amount, date, and category, but the payee was not captured, the newer completion path can still finish the reconciliation instead of forcing the work to stop at a missing name.
Reopening Locked Work
Reopening is the reverse of finalization, so it is narrower than ordinary editing. The reviewed interface only offers reopen for locked reconciliations, and the privileged path is limited to owner and admin roles. That means a viewer cannot reopen anything, and an active member cannot undo a locked closeout even if they were allowed to complete it earlier.
This separation is important because reopening changes the trust level of the bookkeeping record. A completed reconciliation is meant to behave like durable accounting data until someone with stronger authority decides it should be reviewed again. The boundary is also clear: the evidence covers locked reconciliations. It does not say that every other state exposes the same reversal control.
Reports Follow The Same Record
Report views read from the same transaction ledger and then apply the selected date or fiscal window. The practical effect is that a control change in transactions or reconciliation can show up in more than one report tab without any separate reporting edit. The report set includes Transactions, Profit & Loss, Balance Sheet, Spending, General Ledger, and Trial Balance, so a single correction can surface across several different views of the same underlying records.
That matters because the reports are not independent bookkeeping copies. If a correction changes the ledger, the report numbers for the matching window move with it. For example, if a March transaction is re-categorized and the report is set to March, the Spending view and the profit-and-loss view can both reflect the new categorization. The boundary is the window: changing the selected period changes what you are looking at, but it does not create a separate version of the bookkeeping record.
Active members and admins can edit transactions and complete reconciliations. Owner and admin can also reopen locked work. Viewers have no write path. The consequence is that ordinary corrections are available to working roles, but undoing finalized work stays behind a stricter boundary.
A member or admin finishes the reconciliation, and the workflow first checks that unresolved items and required fields are cleared. If validation passes, it writes final transaction records, can create or revive contacts, and returns to the statement detail view. Reports then read the same reconciled ledger and apply the selected window. If validation fails, the reconciliation stays open. The consequence is that completion is the point where review work becomes durable bookkeeping data.
What the Reviewed Evidence Proves
The workspace opens in Statements
The reviewed evidence proves that the web workspace shell lands in Statements by default and presents Dashboard, Statements, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings in the same navigation area. That matters because Statements is not a hidden back office screen; it is the normal starting point for the bookkeeping workspace, and the other bookkeeping surfaces are already sitting beside it, not behind a separate admin area.
A practical way to read this is that an owner who opens the workspace should expect to begin from statement work and then move directly to transactions, reports, contacts, or the chart of accounts without changing product context. The evidence does not establish the full visual design of the shell or every possible navigation state, but it does establish the default landing point and the set of sections the shell exposes today.
Transactions are filterable ledger views
The Transactions page is shown as a view over the finalized transaction ledger, and the reviewed evidence proves that it supports search, tab filtering, and date filtering. That combination is important because it means the page is not just a static list of posted items; it is an operational surface for narrowing the ledger to the exact slice an owner or operator needs to inspect.
The consequence is straightforward: if a transaction is being looked up by payee, category, or timing, the page gives a direct way to reduce the visible set before editing or reviewing. The evidence stops short of proving every possible filter combination or sort behavior, so the safe reading is limited to the filters that were actually observed. Even with that boundary, the underlying point is strong: the Transactions page is meant to help people work against the live ledger, not a separate copy.
Reports cover the main accounting views
The report page is verified to include Transactions, Profit & Loss, Balance Sheet, Spending, General Ledger, and Trial Balance views. That is a broad spread of bookkeeping outputs, and it shows that the product is not treating reports as a single summary screen. Instead, it exposes multiple accounting lenses that answer different questions from the same bookkeeping base.
For an owner, the important consequence is that the page can support both operational checking and formal financial review. A Spending view may help spot where money is going, while General Ledger and Trial Balance are more structural accounting views. The evidence does not say how much each tab can be customized beyond the date or fiscal window controls that are known elsewhere in the reviewed set, so this section stays with the fact that these views exist and are part of the same report surface.
Completing reconciliation can move work into final records
The evidence also proves a specific end-of-flow behavior: when review work is completed, the process can return the reader to the statement detail view after turning that work into final transaction records. In that same completion step, contacts may be created or revived. That means reconciliation is not only about marking a statement done; it is a point where provisional review work becomes durable bookkeeping data.
This matters because it shows the product can repair or restore contact records as part of finalization instead of leaving them stranded in a half-finished state. A concrete example is a statement line that was matched and completed with a payee that had previously gone missing from the active contact list: the completion flow can still materialize the final transaction and bring the contact back into play. The evidence does not prove every possible reconciliation outcome or every reason a contact might change, but it does prove that finalizing review can produce final transactions and affect contacts before the interface returns to the statement detail screen.
What Is Solid Here
Visible, not buried
The strongest sign here is not a single rule, but that bookkeeping controls are not tucked away in a settings-only corner. The workspace opens in Statements and keeps Transactions, Reports, AI Bookkeeper, Contacts, and Chart of Accounts in the main shell, so the owner encounters the control layer where bookkeeping work already happens. That makes categories, contacts, and account structure feel like part of daily bookkeeping, not like a separate administrative world. The boundary still matters: visibility does not make every change safe or unconstrained. It means the product presents shared bookkeeping control as core workspace furniture, which is the right shape for trust.
One ledger, coherent outputs
The other solid property is that the same reconciled transaction ledger sits underneath both editing and reporting. When a transaction edit changes category or matched-document details, it is changing the record that reports later read. The report views then render against that same ledger within the selected date or fiscal window, so the owner does not have to mentally reconcile two different data stores or wonder why a corrected transaction would not show up downstream. In practice, that coherence makes the product easier to trust: one correction can move through the system instead of being trapped in a local screen. The qualifier is important: this only holds because the edit path and the reporting path share the same underlying record set. It does not mean every report view is identical, only that they are reading from the same bookkeeping source.
Strongest changes stay gated
What makes the layer feel trustworthy is that the most consequential changes are not open-ended. Transaction writes are role-checked for active members and admins, reconciliation completion will not finalize until the workspace is in a valid state, and reopening a locked reconciliation is limited to owner and admin roles. Those gates matter because they separate ordinary review from changes that can alter the durable accounting record. A member can correct a transaction while the record is still live, but a reconciliation cannot be marked complete until the required items are resolved, and a locked record cannot be reopened by just anyone. For the owner, that is the difference between a bookkeeping tool that merely displays controls and one that actually protects the ledger from casual drift.
What that means in practice
Imagine a member fixing a miscategorized card charge after a reconciliation review. The edit is allowed only because the role is permitted to write, and once it lands, the change is part of the same transaction ledger that feeds reports. If the reconciliation is not yet clean enough, completion still stops at the gate instead of producing a false sense of finality. If the reconciliation was already locked, only the privileged roles can reopen it. That combination is strong because it keeps the system coherent at the center and conservative at the edges: edits can flow through, but only through paths that are explicitly constrained.
Attention Cards
Owner Decisions
Evidence Boundary
Evidence boundary
Reviewed
- The workspace shell navigation and the sections it exposes.
- The role-checked paths for editing transactions, completing reconciliations, reopening locked reconciliations, and reading reports.
Not reviewed
- The exact source files, database objects, and low-level implementation details.
- The exact screens for maintaining categories and contacts beyond what the reviewed knowledge proves.
- Mobile companion behavior, external integrations, and draft or backlog documentation.
If any bookkeeping control, role gate, or report view changes, recheck the workspace shell, the transaction and reconciliation flows, and the report tabs together before revising this chapter.
Chapter 5
Reports and the AI Bookkeeper
Use this chapter when you want to know which numbers the app is actually showing you. The Reports area reads from the same reconciled ledger that the Transactions page edits, so a transaction change or a completed reconciliation can move the numbers you see.
OpenClose
Chapter 5
Reports and the AI Bookkeeper
Use this chapter when you want to know which numbers the app is actually showing you. The Reports area reads from the same reconciled ledger that the Transactions page edits, so a transaction change or a completed reconciliation can move the numbers you see.
One-Minute Snapshot
Use this chapter when you want to know which numbers the app is actually showing you. The Reports area reads from the same reconciled ledger that the Transactions page edits, so a transaction change or a completed reconciliation can move the numbers you see. The workspace menu also shows AI Bookkeeper, but the reviewed evidence only proves that label exists in navigation; it does not yet prove the full question-and-answer flow behind it. This chapter is built from the reviewed code, so it tells you what the app does today, not what you mean it to be.
What You Should Be Able To Explain
- Explain that reports are downstream reads from the same bookkeeping ledger that Transactions updates.
- Name the report views the app exposes and the windowing that shapes them.
- Tell when report numbers can move because of transaction edits or reconciliation completion.
- State what is and is not verified about the AI Bookkeeper entry in this evidence set.
Treat reports as the readout of completed bookkeeping
Reports are the readout, not a second system
Treat Reports as the surface that reads completed bookkeeping back to you. The important mental model is that the app is not keeping one set of numbers for Transactions and a separate, independent set for Reports. Reports sit downstream of the same reconciled bookkeeping base, so they are best understood as a readout layer: they show what the current bookkeeping state says, rather than inventing their own version of the truth.
That matters for ownership because it changes how you explain a surprise. If a report looks wrong, the first question is not “which report is broken?” It is “what changed in the bookkeeping that the report is reading?” In practice, that means the report page is not a place where numbers are manually curated away from the rest of the product. It is the place where completed bookkeeping becomes visible in summary form.
When the numbers move
The numbers in Reports move when the underlying bookkeeping moves. Transaction edits land back into the same records that Reports reads, so a change to a transaction can change what appears in a report without any separate report editing step. Reconciliation completion does the same kind of work at a different moment in the workflow: once bookkeeping is completed, the report base changes with it.
For an owner, the consequence is simple but important. A report is trustworthy only to the extent that the bookkeeping beneath it is current. If a category changes, a transaction is corrected, or a reconciliation is finished, the report output can shift because it is reflecting the updated bookkeeping state. The boundary is equally important: Reports do not prove that the underlying work was right, only that they are faithfully reading the current completed records.
A concrete example makes this easier to hold onto. Suppose a transaction was initially categorized as travel, then later corrected to software. The report does not need a special refresh rule or a separate approval path to notice that change; it will show the effect because it is reading the same bookkeeping base. Likewise, if a reconciliation is completed after a period of review, the reports that depend on those records can change immediately because the bookkeeping has moved from provisional to completed.
Why AI Bookkeeper belongs in the same story
The workspace shell places AI Bookkeeper beside Reports in the same navigation. That does not prove they do the same thing, and this evidence does not establish the full question-and-answer flow behind AI Bookkeeper. It does show something more basic and useful for the owner: the app is presenting both as part of one bookkeeping story, not as unrelated features.
That framing is the right way to read the workspace. Reports are where completed bookkeeping shows up as financial output. AI Bookkeeper is another reading surface in the same workspace, so it should be judged against the same upstream discipline: the quality of the imported, categorized, and reconciled bookkeeping underneath it. If those upstream records are incomplete or still changing, both surfaces need to be treated with the same caution. If the records are complete, both become more useful because they are drawing from the same governed source of truth.
Transactions edits and completed reconciliations both feed the same reconciled ledger. Reports read from that ledger, so a change in bookkeeping can change the numbers the owner sees. The consequence is that report movement usually points upstream to bookkeeping, not to a separate reporting system.
How report numbers move
Reports are not frozen summaries. The page reads the same reconciled bookkeeping base that the Transactions area updates, then it applies the current reporting window before it shows or exports the result. That means two things can legitimately change what an owner sees: the underlying bookkeeping record can change, or the selected reporting window can change. The report pages are therefore best understood as a live view over completed bookkeeping, not as a separate place where numbers are edited by hand.
The window matters first
When the report page is opened, it uses the active fiscal-year or date window for the view that is on screen, and that same window is used when the view is exported. This is not a cosmetic filter layered on after the fact. It determines which reconciled transactions are included in the report output in the first place. If the owner switches from a year view to a narrower date range, the totals can move even if no bookkeeping record changed at all.
| Where it happens | What changes | What it does to reports |
|---|---|---|
| Transactions page | A transaction is edited | Reports read the updated bookkeeping row, so totals and groupings can change the next time the report is viewed or exported. |
| Reconciliation completion | A reconciliation is completed and validated | The reviewed bookkeeping becomes durable data for the rest of the product, so reports can rely on it as a settled record. |
| Reports page | The active fiscal-year or date window changes | The report output narrows or expands to match the chosen period, changing which transactions are counted. |
Transaction edits flow through the same ledger
An edit made on the Transactions page lands in the same reconciled ledger that Reports reads. There is no separate reporting copy that has to be refreshed later. If a member or admin changes a transaction category or another matched-document field, the report view is looking at the same record set after that change. For the owner, that means a correction made in bookkeeping is supposed to be visible in reports as soon as the report is recalculated around the updated ledger. It also means report differences are not automatically a reporting bug; they may simply reflect a real bookkeeping edit upstream.
A practical example helps. Suppose June spending looks too high because one transaction was categorized incorrectly. Once that transaction is edited on the Transactions page, the next spending report for June should reflect the corrected category instead of preserving the earlier mistake. The report is not preserving history for its own sake; it is showing the current bookkeeping state for the chosen period.
Completion is the trust gate
Completing a reconciliation is the point where reviewed bookkeeping turns into durable data that the rest of the product can trust. The completion step does more than mark a page finished. It validates that the reconciliation is ready to stand as accounting data, then materializes the transaction records that downstream views depend on. That is why the completed state matters to reports: it is the step that turns checked work into a stable base for later reads.
The boundary is important. Before completion, a reconciliation can still be in progress and may still be changing. Reports can only be as reliable as the state below them, so an owner should expect report confidence to rise only after the reconciliation is finalized. In other words, reports do not certify the bookkeeping for you; they reflect the certification that happened upstream. If a reconciliation is reopened later, the underlying record can change again, and report numbers can move with it.
The same reconciled ledger can produce different report numbers when the active window changes. One path uses the year window and the other uses a narrower date window, and each one leads to a different report result before display or export. The consequence is that the selected period can change the answer even when the underlying bookkeeping has not changed.
What the reviewed evidence establishes
Workspace shell
The reviewed evidence establishes the main workspace navigation with Dashboard, Statements, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings. It also establishes the default landing behavior: when the workspace opens, it goes to Statements rather than to Reports or another surface. For an owner, that means the workspace is organized around bookkeeping from the first screen, with Statements as the entry point and the other sections available from the same shell.
A concrete example makes the consequence plain: if someone opens a fresh workspace, they do not start in Reports and then hunt for where the ledger lives. They arrive in Statements first, and Reports is one of the peer sections in the same navigation set. The evidence here stops at that navigation fact. It proves that AI Bookkeeper appears in the shell; it does not, by itself, prove the full question-and-answer behavior behind that label.
Report views
The Reports area exposes six named views: Transactions, Profit & Loss, Balance Sheet, Spending, General Ledger, and Trial Balance. The reviewed evidence also establishes that these views are not free-standing summaries pulled from somewhere else. They are built from the reconciled transaction set and then shaped by the active fiscal-year or date window before display or export.
For the owner, the practical boundary is that each report view is a readout of the same bookkeeping base, filtered for a reporting window. If the window changes, the numbers can change even when the underlying bookkeeping has not. If the bookkeeping changes, the report output can change even when the window does not. The evidence is specific about the available views and the windowing behavior; it does not claim any additional report family beyond the six named here.
Transaction edits
Transactions edits write directly back to the reconciled ledger. The reviewed evidence says the Transactions page reads from that reconciled transaction set, and bulk edits update category or matched-document fields on the same underlying records. Access to those writes is restricted by role: active workspace members or admins can make them, while the rules do not extend that write path to viewers.
That matters because the owner should not think of Transactions as a separate staging area. An edit made there is a bookkeeping change, not a copy-only annotation. If a member corrects the category on a transaction, that change is applied to the ledger the reports depend on, so the effect can show up downstream. The evidence is careful here: it establishes the write path and the role boundary, but not a broader claim about every possible transaction field or every UI action in the product.
Reconciliation completion
Completing a reconciliation is the point where reviewed bookkeeping becomes durable data. The reviewed evidence establishes that completion requires validation first: the workspace authority must be adequate, unresolved items must be cleared, and required fields must be present before the reconciliation can finish. Once that happens, the completion step materializes transaction IDs, which is the product-level sign that the review has become a fixed bookkeeping record.
The same completion step can also create or revive contacts when validation passes. That means reconciliation is not only a finishing stamp on the statement; it can also leave behind normalized bookkeeping objects that other parts of the product can use. A simple scenario shows why this matters: if a statement line had no durable transaction record yet, completing the reconciliation turns it into one, and if the contact was missing or previously inactive, the completion step can restore it as part of that finalization. The evidence does not go beyond those conditions, so it should not be read as a promise that every reconciliation will always create contacts or that completion can bypass validation.
The reviewed shell evidence shows the workspace shell and the AI Bookkeeper label in navigation. That lets us verify the label exists beside Reports. It does not verify the full question-and-answer flow behind the label, so the manual must keep that boundary explicit.
What is solid here
Core reports in one place
The strongest thing about this surface is simple coverage. The report area already brings together the views an owner is most likely to use when checking the books: Transactions, Profit & Loss, Balance Sheet, Spending, General Ledger, and Trial Balance. That matters because it gives the owner one place to answer different kinds of bookkeeping questions without jumping across unrelated screens. A quick example is enough to show the value: if the owner wants to compare a spending trend against the balance position, both are already in the same reporting family instead of being split across separate tools.
One ledger, one story
The second strength is consistency. The Transactions page and the Reports area are not drawing from separate copies of the books; they are both anchored to the same reconciled transaction set. That means a correction made in the transaction workflow is part of the same accounting story that the reports read back. For the owner, this reduces the chance of seeing one version of the numbers in editing and a different version in reporting, which is one of the fastest ways trust gets lost in financial software. The boundary is still important: this gives internal consistency, not proof that every number is perfect in the real world. It is only as solid as the underlying bookkeeping work that has been completed.
Easy to find
The workspace shell also does useful work here. Reports and AI Bookkeeper sit alongside the rest of the main bookkeeping navigation, and the workspace opens in Statements by default, which keeps the bookkeeping area obvious rather than hidden behind a separate product entry point. For an owner, that means the path from active bookkeeping work to reporting and AI-assisted reading is short and predictable. In practice, a member can be working in transactions and the owner can still find Reports or AI Bookkeeper immediately from the same shell. That discoverability is valuable even before you decide how much you trust the AI surface itself, because the navigation proves the product intends these functions to live in the same bookkeeping environment.
Attention Cards
Owner Decisions
Evidence Boundary
Evidence boundary
Reviewed
- The workspace shell navigation that lists Reports and AI Bookkeeper.
- The Transactions page write path and the reconciliation completion flow.
- The Reports page read path and its date/fiscal-year window behavior.
Not reviewed
- The full AI Bookkeeper question-and-answer flow.
- Any model internals, prompts, or analytics pipeline behind AI responses.
- Any reporting formulas beyond the ledger source and active window behavior.
Re-check the Reports page, the Transactions page, and the AI Bookkeeper entry whenever the report tab list, ledger source, or AI access rules change. If the product later exposes a real AI Bookkeeper query flow, verify that flow directly before expanding this chapter beyond the named surface.
Chapter 6
Running the Workspace
This chapter covers the support layer around bookkeeping: the workspace shell, who can change it, and which limits can stop work before it starts. In the reviewed behavior, the workspace opens on Statements first and then shows Dashboard, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings; the workspace owner/admin/member/viewer split decides who can invite people...
OpenClose
Chapter 6
Running the Workspace
This chapter covers the support layer around bookkeeping: the workspace shell, who can change it, and which limits can stop work before it starts. In the reviewed behavior, the workspace opens on Statements first and then shows Dashboard, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings; the workspace owner/admin/member/viewer split decides who can invite people...
One-Minute Snapshot
This chapter covers the support layer around bookkeeping: the workspace shell, who can change it, and which limits can stop work before it starts. In the reviewed behavior, the workspace opens on Statements first and then shows Dashboard, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings; the workspace owner/admin/member/viewer split decides who can invite people, edit settings, or touch integrations. Billing limits and the Xero boundary sit at the edge: they can stop a new workspace from being created or leave an integration visible in backend behavior even when the UI has disabled it. This is built from the code, so it shows what your product does today, not what you mean it to be - that part is yours to confirm.
The diagram shows the workspace shell leading to Statements first, and from there to Dashboard, Expenses and transactions, Reports and AI help, and Contacts, accounts, and settings. The consequence is that the owner should expect Statements to be the starting point and the other surfaces to sit around it.
What You Should Be Able To Explain
- Explain why Statements is the default entry into the workspace and what sits around it.
- Describe the difference between workspace owner, admin, member, and viewer without flattening the roles.
- Tell which actions are enforced in the client, which depend on backend policy, and which use separate invite or integration paths.
- Recognize when billing limits or a disabled integration can still affect the workspace.
The Workspace Is the Control Layer
A container, not a dashboard
Think of the workspace as the control layer that holds the bookkeeping world together. It is where the product keeps the active bookkeeping data, the people allowed to work in it, the settings that define how it is read, and the limits that can stop new work from starting. That is a different job from a generic admin dashboard. A dashboard usually just summarizes what already exists. The workspace here is more structural: it is the boundary around the work itself, and the rules around it shape what can happen next.
That framing matters because it keeps you from treating workspace administration as a side panel you can ignore. If the workspace is misconfigured, locked, or capped, the effect is not cosmetic. It changes whether the product can accept new work, whether someone can invite another person, or whether a connected service remains available at all. The manual should therefore read the workspace as an operating boundary around bookkeeping, not as a separate product from bookkeeping.
Statements comes first
The default path into the workspace is Statements. The rest of the navigation sits around that center: Dashboard, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings. The consequence for an owner is simple but important. The product is organized so that statements are the first thing you land on, while the other sections support the work that grows out of them.
That order is a signal about the product's center of gravity. Statements is the place where bookkeeping work begins, and the surrounding sections are the paths you take once that work needs review, categorization, reporting, or administration. A concrete example: if a member opens the workspace to continue month-end cleanup, they are not entering a settings console and then searching for the accounting work. They are entering the bookkeeping flow first, with settings and other sections available when the work requires them.
Roles draw the real boundary
The workspace role split is part of that control layer. Workspace owner and admin sit on one side of the boundary: they can govern the workspace. Member and viewer sit on the other side: they cannot. The exact shape of every action belongs in the permissions section, but the mental model is straightforward. The first pair is allowed to manage the workspace; the latter two are not the people who change membership, settings, or the workspace's operating rules.
The important practical consequence is that role labels are not decorative. They determine who can move the workspace forward when a change is needed. If a business owner expects a viewer to make configuration changes, that expectation will fail. If a member is meant only to do bookkeeping work inside the workspace, that narrower scope is intentional. This is why the manual should keep owner and admin distinct from member and viewer instead of flattening them into one broad notion of access.
Limits sit at the edge
Billing limits, trial state, and the Xero boundary should be treated as edge conditions, not as the product's identity. They matter because they can interrupt work, but they do not define what the product is. Workspace creation can be gated by billing state, and the first workspace can start a seven-day trial. That means the product has a support layer around entry and growth: it can allow the first workspace to boot into trial resources, while still enforcing workspace-count limits when the billing data is present.
That same pattern appears in the Xero boundary. The visible UI is disabled, but the backend path is still present behind checks. In practice, that means a connection can remain a live boundary even when the screen suggests it is off. For an owner, the lesson is not that Xero is the core of the workspace. It is that external integrations can still shape behavior at the edge, and a disabled screen does not always mean the underlying boundary has been removed.
A useful way to picture this is to imagine a new company setting up its first workspace. The trial starts automatically, the workspace appears under the normal bookkeeping navigation, and the team can begin work in Statements. If that company later hits a billing cap or encounters the Xero boundary, the workspace still remains the same workspace. What changes is whether a particular edge action is allowed, not the identity of the product itself.
Who Can Do What
The role boundary in this workspace is not mainly about what people can see. It shows up when they try to change the workspace itself, add or remove members, or cross into an external integration. The shell lets people move among workspaces from the same top-level surface, and it can also block creation of a new workspace when the account state does not allow it. That means switching is part of ordinary navigation, while creating a new workspace is a separately gated step.
Owner and admin sit on the same side of the operating line today. Member is narrower, and viewer has no operational access. The practical difference is what happens when someone tries to save settings, manage people, or touch an integration boundary. The table below shows the current split in the places that matter most to an owner.
| Role | Workspace settings writes | Member invitations and removals | Xero boundary |
|---|---|---|---|
| Owner and admin | Allowed | Allowed | Visible boundary remains available behind edit-right checks even while the tab is disabled |
| Member | Not allowed | Narrower operational access; invite and manage actions are blocked | No direct operational access |
| Viewer | Not allowed | No operational access | No direct operational access |
That boundary is enforced in two layers. For member management, the checks happen at the action level: the settings screen will block invite and manage actions when the role does not qualify, and the membership changes themselves travel through separate invite, accept, decline, and remove paths. An invite must be created first, then accepted or declined with the matching invite details, and removal is its own path. The remove path also refuses to remove the owner, so the top role cannot be stripped away through the ordinary member-removal flow.
Workspace settings behave differently from membership changes. A settings save goes straight to the workspace record on the server, and the server applies the admin-only update rule if the write reaches it. That is why owner and admin behave the same for workspace settings today, while member and viewer do not. For the owner, the consequence is simple: a visible settings form is not the same thing as write access, and the real guard lives at the action and server layers together.
Xero is the clearest example of a visible boundary that is still partially alive. The tab is disabled in the UI, so the workspace does not present Xero as an active in-app path. Even so, backend authorization, callback, and disconnect paths still exist behind edit-right checks, which means the integration is not erased so much as hidden from ordinary navigation. For an owner, that matters because a disabled surface does not always mean the backend boundary has been removed; it can still hold state and still change if the checked paths are reached.
A concrete way to read this is to imagine three people in the same workspace. The owner can change workspace settings, invite a member, and manage the integration boundary. An admin can do the same. A member can work in the workspace but does not get the administrative controls, and a viewer can only observe. If the workspace is blocked from creating a new workspace, that is a separate account-level gate, not a signal that existing workspace switching has broken.
The diagram places owner and admin on the privileged side and member and viewer on the limited side. Owner and admin can reach invite and member changes, and they can attempt a workspace settings save that still goes through a server write check. Member and viewer are blocked from invite and member changes. The consequence is that role differences show up when someone tries to change the workspace, not just when they look at it.
What the Reviewed Behavior Confirms
Default entry and shell inventory
The workspace shell opens on Statements, not on a neutral overview. The reviewed workspace route sends the index view to Statements, and the shell presents Dashboard, Statements, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings around that landing point. For an owner, the practical effect is simple: the product does not make you choose a home screen before you start working. It gives Statements the first position and treats the other sections as the surrounding workspace surfaces.
Creation is stateful
Workspace creation is not one universal yes or no. The first workspace starts a seven-day trial and bootstraps the trial resources that go with it. After that, the quantity cap only comes into play when the billing account actually has a workspace quantity value; if that value is missing, creation does not stop on that basis. Separate account states still block creation outright: a locked account cannot create, and a trial user who already owns an active workspace is also blocked.
The table below keeps those states separate because the product treats them differently even when they all show up at the same creation step. It shows where creation is a bootstrap event, where a billing limit is merely available to be enforced, and where the action is blocked before the workspace is inserted.
| Account or billing state | Starts the 7-day trial | Workspace-quantity cap enforced | Creation blocked |
|---|---|---|---|
| First-ever workspace | Yes | No | No |
| Later creation, billing quantity present | No | Yes | Only if the cap is exceeded |
| Later creation, billing quantity missing | No | No | No |
| Locked account | No | No | Yes |
| Trial user who already owns an active workspace | No | No | Yes |
The important reading is that the first workspace is a bootstrap event, not just another create action. It gets the trial started. Later creation is governed by billing quantity only when that quantity is present, so missing billing data does not automatically stop a workspace from being created. That is the narrow boundary the review establishes: quota enforcement exists, but a missing quantity does not become an automatic veto. In practice, that means a billing-data gap can fail open instead of turning into a hard stop, while locked and already-active trial states still fail closed.
Settings and integration boundary
Workspace Settings can change the workspace name, currency, timezone, date format, and fiscal-year fields. Those fields matter because they shape the bookkeeping workspace itself rather than changing one transaction at a time. The final write is still subject to an admin-only backend rule, so the visible form is not the same thing as a guaranteed write. If the request reaches the server, the server-side policy decides whether the change lands.
Xero sits at a different edge. The integration tab is disabled in the UI, so the product does not present Xero as an active visible path. Even so, authorization, token exchange, and disconnect handlers still exist behind backend checks. The reviewed evidence does not prove whether the disabled tab is temporary or permanent; it only confirms that the visible surface and the backend path are not the same thing.
A concrete case makes the boundary easier to read. If an owner opens Workspace Settings and changes the currency and fiscal year, the form exposes those fields, but the save still depends on the admin-only server rule. If the same owner looks for Xero in the shell, the tab is disabled, yet the backend integration logic has not disappeared. The owner should therefore treat the shell as the front edge of the workspace and the server policy as the real gate for what actually changes.
The comparison shows four cases. The first-ever workspace starts trial resources. Later creation with billing data goes through a cap check before it may proceed. Later creation without billing data may still proceed because the missing quantity does not block it. Locked accounts and trial users who already own an active workspace are blocked. The consequence is that creation is not governed by one single rule; it depends on which state the account is in.
Where This Part Is Solid
A stable front door
The strongest thing about the workspace shell is that it does not make the owner hunt for the work. It opens in Statements by default and keeps the rest of the bookkeeping areas in one predictable navigation set: Dashboard, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings. That matters because the workspace is not behaving like a loose collection of pages; it is acting like a controlled entry point with a clear center of gravity. If someone comes back after a break, they land in the same place the manual expects them to start, and they can move outward from there instead of guessing which screen is authoritative.
The boundary here is important. This strength is not that every workspace task is exposed at once, or that the shell solves bookkeeping itself. It is that the product gives the owner a stable operating frame. That reduces friction for training, support, and day-to-day use, because the surface area is organized around the bookkeeping flow rather than around account administration for its own sake. A support person can tell a customer, "Open the workspace and start from Statements," and that instruction maps cleanly to the product as reviewed.
Membership has visible stages
Membership control is also solid because it is not hidden behind a single vague "add person" action. Invitation, acceptance, decline, and removal are separate paths, and that separation makes the boundary legible. An invite is created first, then sent out; the recipient either accepts or declines using the matching invitation; removal is handled through its own path; and the owner seat cannot be removed. For the owner, that means membership is treated as a lifecycle with checkpoints, not as an informal toggle that could silently reshape access.
That structure matters operationally. If a collaborator never joined, the invite can fail before it becomes a live membership. If someone is invited but does not respond, the workspace still has a record of the pending boundary. If a member leaves, removal is distinct from invitation and distinct from acceptance. A concrete example: you can invite a bookkeeper to help during month-end close, they can accept when ready, and if they later step away, the workspace can remove that membership without threatening the owner position or making the change look like a general settings edit. The review confirms those separate paths, but it does not claim the whole membership policy universe is exposed here; it only establishes that the important boundaries are visible.
Disabled is not the same as gone
The reviewed behavior is also strong at showing when something is constrained versus removed. Workspace creation is guarded by account and billing conditions, so the product can stop a new workspace from being created without pretending the feature does not exist. The Xero area shows the same kind of clarity: the visible web tab is disabled, yet the integration boundary still exists through guarded workspace actions. That gives the owner a useful distinction. A feature can be unavailable in the interface, blocked by account state, or still present as a live integration boundary even if the normal screen is turned off.
This distinction matters because it changes how the owner should read a limitation. If creation is blocked, the issue is about account status or workspace limits. If Xero is disabled in the UI, the feature is not necessarily deleted; it may be intentionally hidden while some protected integration path still exists. In practice, that means the owner should not assume that every disabled control means permanent removal. It may simply mean the visible route is closed. The review supports that reading for Xero, but it does not establish why the feature is disabled or whether it is meant to return.
The role story stays honest
A final strength is restraint. The reviewed behavior keeps the workspace role story evidence-bound, which is exactly what a manual should do when owner intent has not been confirmed. It can say that workspace owner, admin, member, and viewer are distinct roles and that some actions are reserved, but it does not need to pretend that the current permission model is the final product philosophy. That keeps the manual from overclaiming.
For the owner, this honesty is not a weakness; it is what makes the rest of the chapter trustworthy. The manual can describe what is actually enforced, where a boundary is visible, and where the system still leaves room for change. When a behavior is clearly established, it is stated plainly. When the evidence stops short, the section stops short too. That is the right tradeoff for a workspace layer whose job is to support bookkeeping, not to invent a broader governance story than the product has confirmed.
The diagram shows a disabled Xero tab at the visible edge, then an editor gate behind it, then paths to start a connection or disconnect, and a return step that updates integration state. The consequence is that disabled does not mean removed; the boundary still exists behind the UI.
Attention Cards
Owner Decisions
Evidence Boundary
Evidence boundary
Reviewed
- The workspace shell and sidebar, role behavior, member invites and removals, Workspace Settings, workspace creation limits, and the visible Xero boundary.
- The reviewed knowledge supplied for this run, with no source-file inspection.
Not reviewed
- Source files, deployment settings, external provider internals, the full ingest/reconciliation and reporting chapters, and mobile capture or chat behavior beyond workspace-scoping context.
- Any owner intent that was not already captured in the supplied reviewed knowledge or open decisions.
Recheck the workspace shell, Settings screens, member-management flows, workspace creation path, and Xero tab whenever role rules, billing limits, or integration status change.
Chapter 7
Using the Mobile Companion
The mobile app is the on-the-go companion to the same bookkeeping product, not a separate product line. On mobile, you can capture receipts or bills, review documents, chat with AI, and switch workspaces, while the web workspace remains the place for statements, transactions, reports, and settings.
OpenClose
Chapter 7
Using the Mobile Companion
The mobile app is the on-the-go companion to the same bookkeeping product, not a separate product line. On mobile, you can capture receipts or bills, review documents, chat with AI, and switch workspaces, while the web workspace remains the place for statements, transactions, reports, and settings.
One-Minute Snapshot
The mobile app is the on-the-go companion to the same bookkeeping product, not a separate product line. On mobile, you can capture receipts or bills, review documents, chat with AI, and switch workspaces, while the web workspace remains the place for statements, transactions, reports, and settings. When mobile captures a file, it uploads first and then joins the shared extraction flow; when mobile chat is used, it spends workspace credits before it answers. This is built from the code, so it shows what your product does today, not what you mean it to be, and that part is yours to confirm.
What You Should Be Able To Explain
- Explain why mobile should be treated as a companion surface rather than a full replacement for the web workspace.
- Describe the mobile capture and document path in plain terms, including where upload and extraction happen.
- Explain the limits and cost boundary on mobile AI chat.
- Identify where workspace switching lives on mobile and when deeper bookkeeping work should move back to web.
How to Think About Mobile
One workspace, not a second product
Think of mobile as another surface on the same bookkeeping product, not as a separate account system or a trimmed-down sibling business. The important idea is continuity: the same workspace identity follows the work across phone and web, so what happens on mobile still belongs to the same bookkeeping space that holds statements, transactions, reports, and settings. That means the owner does not have to mentally translate between a “mobile account” and a “web account.” There is one workspace, and mobile is simply one way into it.
That matters because it changes how you judge work done on the phone. A receipt captured on mobile is not a side note to be reconciled later in some different system; it is part of the same workspace flow. Likewise, mobile chat is not a separate assistant with its own memory and rules. It is the same workspace-scoped AI story, just accessed from a portable surface. The boundary is that mobile does not establish a parallel bookkeeping home of its own. It inherits the workspace model rather than replacing it.
Built for motion, not for the whole desk
Mobile’s job is to keep bookkeeping moving when the owner is away from the desk. It is built for on-the-go capture, quick document review, AI chat, and workspace access. That is the useful mental model: mobile is where work starts cleanly, gets checked quickly, or gets answered in the moment, but it is not where the entire bookkeeping process is supposed to live.
This is why the mobile app is worth using even though it is not the full workspace. A phone is the right place to catch a bill or receipt before it is lost, to confirm that a document has reached the right workspace, or to ask a narrow question without waiting to sit down at the computer. In practice, that shortens the distance between seeing a document and getting it into the bookkeeping flow. The qualifier is important: mobile helps move work forward, but it does not pretend to be the full bookkeeping desk.
A simple example makes the split clear. A member can capture a receipt on the way out of a meeting, glance at the document on the phone, and ask the AI Bookkeeper a quick question about it. That is enough for motion. Later, when the owner wants the broader bookkeeping picture, they move to the web workspace to work through the statements, transactions, reports, and settings that define the fuller desk experience.
Read mobile as a handoff surface
The web workspace is still the place where the broader bookkeeping surface lives. Statements open there by default, and the deeper working areas are there as well: transactions, reports, and workspace settings. So the right way to read mobile is as a handoff surface, not a replacement surface. It receives work when the owner is away from the desk, but the main bookkeeping view still belongs to web.
That distinction protects expectations. If you treat mobile as a full replacement, you will ask it to do the wrong job and be disappointed by the result. If you treat it as a companion, the behavior makes sense: mobile is for capture, quick review, AI chat, and workspace switching when needed; web is for the broader bookkeeping work that needs more space and context. The owner-facing consequence is practical: mobile keeps the workflow alive, while web remains the place to finish and review the parts of bookkeeping that are meant to be read as a whole.
The figure shows one shared workspace splitting into two surfaces. Mobile is the smaller surface for capture, quick review, chat, and switching workspaces. Web is the broader surface for statements and deeper bookkeeping. The consequence is that mobile should be treated as a companion that hands work back to web, not as a replacement for the full workspace.
What Mobile Actually Does
The workspace gate comes first
Mobile does not start from a blank device state. It starts from the current workspace, because every path on the phone is tied back to that workspace identity before anything useful can happen. The app loads workspace memberships, picks an active workspace when one is needed, and keeps workspace switching inside Settings instead of turning it into a separate account model. For an owner, the consequence is practical: the phone is not a second bookkeeping system. It is a workspace-bound companion surface, and the active workspace determines which files can be captured, which documents can be checked, and which chat thread is allowed to run.
What each area actually does
| Mobile area | Workspace requirement | What happens next | Key guardrail or limit |
|---|---|---|---|
| Capture | Requires an active workspace | The file is uploaded first, then extraction is started for the chosen receipt or bill | It cannot skip the shared ingest path or become a local-only capture queue |
| Documents | Requires an active workspace | The file is uploaded first, then the app keeps polling job status for that workspace | Status comes from the shared extraction flow, not from a static device copy |
| AI Chat | Requires an active workspace and the current workspace and session identity | The server checks membership, archive or lock state, daily limits, per-session limits, and charges one chat credit before model work begins | Archived or locked workspaces are blocked, and a failed credit check stops the message before the answer is generated |
| Settings | Requires more than one available workspace before switching appears | The user switches workspaces inside Settings when multiple memberships exist | If only one workspace is available, the switcher does not appear |
The table shows the shared shape underneath the different screens. Capture and Documents are two faces of the same ingest route: the file leaves the device first, then extraction takes over. Documents is the more obviously status-driven path because it keeps polling after upload, but the important boundary is the same in both places: the mobile app is handing work into the workspace flow, not storing it in a separate phone-only queue.
AI Chat works differently from capture, but it is not free-floating either. The client sends the workspace and session identity together, and the server decides whether the message can proceed at all. That check is not just about being signed in. It also rejects archived or locked workspaces, applies daily and per-session limits, and deducts one chat credit before the model work starts. If credit cannot be deducted, the stored user message is removed rather than left behind as if the chat had succeeded. For an owner, that means the cost boundary is enforced before the answer is produced, not after the fact.
Workspace switching stays in Settings for a reason. On mobile, switching is a controlled action, not a constant background choice, and it only appears when the app can actually offer more than one workspace. That keeps the home surfaces simple while still letting a member move between workspaces when they have access to more than one. A practical example is a bookkeeper who opens Capture in the wrong client workspace, notices the mismatch, and switches inside Settings before uploading the receipt. The correction happens inside the same mobile companion, but the bookkeeping work still lands in the right workspace.
What matters overall is the division of labor. The mobile paths are separate jobs, but they all resolve into the shared workspace flow. That is why the phone can be useful on the move without pretending to replace the deeper bookkeeping surfaces on the web.
The figure starts with a receipt or bill on the phone, then moves through the active workspace, upload first, shared extraction, and finally the workspace document. It also shows that the file is not kept in a phone-only queue. The consequence is that mobile capture becomes workspace-scoped ingestion rather than local storage.
The figure shows a mobile chat message entering a workspace gate that checks membership, session state, and lock state. If those checks pass, the system runs a credit check. Only when credit is available does an answer get generated. If any check fails, the message stops. The consequence is that mobile chat is not free-floating; it is bounded by workspace access and shared credit spend.
What the Reviewed Evidence Confirms
The mobile surface is narrow and explicit
The reviewed mobile companion exposes five tabs and only five tabs: Home, Capture, Documents, AI Chat, and Settings. That matters because it fixes the shape of the on-device experience. The mobile app is not presenting a broad bookkeeping dashboard with every web surface squeezed onto a small screen; it is presenting a limited set of entry points that fit quick capture, document review, chat, and configuration.
The boundary is important as well. The evidence confirms these tabs, but it does not establish any broader mobile navigation. So the safe reading for an owner is simple: if a task is not reachable from those surfaces, it should not be assumed to exist on mobile just because it exists somewhere else in the product.
Workspace switching stays inside Settings
The mobile app loads the available workspaces, selects the first one automatically when needed, and only offers switching from Settings when more than one workspace is available. In practice, that means the app keeps the workspace decision inside a single place instead of scattering it across the interface. A person opening the app does not have to manage a separate mobile account model; they land in one active workspace and stay there until they deliberately change it in Settings.
For an owner, the consequence is operational clarity rather than feature breadth. If a member works across multiple client workspaces, the switch does not appear as a general navigation control on every screen. It appears only when the product has more than one workspace to choose from, and the switch itself lives inside Settings. That keeps the mobile surface focused on the current workspace rather than on workspace administration.
A concrete example: a member opens the app for the first time and the first available workspace becomes active without extra setup. If that member later needs a different workspace, they go to Settings and switch there. The evidence does not establish any other mobile entry point for workspace switching, so anything beyond that should be treated as unconfirmed.
The web workspace is the deeper home
The web workspace opens in Statements by default and exposes Dashboard, Statements, Expenses, Transactions, Reports, AI Bookkeeper, Contacts, Chart of Accounts, and Workspace Settings. That default matters because it shows where the product expects deeper bookkeeping work to begin. Mobile can get work into the system and keep a person oriented, but the web workspace is where the broader bookkeeping surfaces are laid out as the main navigation.
For the owner, this creates a clean division of labor. Mobile is the smaller, faster surface; web is the fuller working environment. If someone needs to move from capture or chat into broader statement review, transaction editing, reports, or workspace setup, the reviewed navigation points them back to web rather than trying to make mobile carry that entire load.
A practical scenario makes the boundary visible: a receipt is captured on the phone, but the next step is not to expect every downstream bookkeeping view on mobile. The supported handoff is to the web workspace, where Statements is the landing point and the rest of the bookkeeping sections are available. This section only confirms that handoff shape; the detailed statement and transaction workflow belongs elsewhere in the manual.
What Is Solid Here
Mobile is strongest where it draws a clean line and then stays inside it. The companion surface uses one workspace identity, one document capture path, and one AI credit rule, so the owner is not dealing with three different versions of the same product idea. That matters because the mobile app does not feel like a loose preview or a separate account system; it behaves like the same bookkeeping workspace viewed through a smaller, faster doorway. In practice, the app loads the user’s workspaces, chooses one as active, and keeps workspace switching inside Settings when there is more than one workspace available. That gives the owner a stable frame: when they move from phone to web, they are still operating in the same workspace, with the same bookkeeping boundaries.
The scope is also honest. Mobile is built for quick capture, document status, chat, and workspace access, not for pretending to reproduce the full web workspace on-device. That is a strength because it reduces false expectations. The app does not have to carry the entire statements, transactions, reports, and settings surface to be useful. Instead, it does the things that are most valuable when the owner is away from the desk: catch a receipt or bill, check whether a document has progressed, ask a question, or move to another workspace. A simple example makes the boundary clear: an owner can photograph a bill on the road, see that it has entered the document flow, ask AI a question tied to the current workspace, and then later return to the web workspace for deeper bookkeeping work. The mobile app stays useful precisely because it does not try to own the whole job.
The shared enforcement is what makes the behavior easy to reason about. Mobile capture does not create a private side queue; it sends the file into the same workspace capture flow used by the product’s broader ingest path, and the documents view watches that shared processing state. Mobile chat follows the same rule: it is tied to a workspace, refuses use outside an active member workspace, rejects archived or locked workspaces, applies daily and per-session limits, and consumes one chat credit before model work begins. That gives the owner a single mental model for what happens on mobile and what happens elsewhere in the product. If a document is captured on mobile, it is still workspace work. If AI answers on mobile, it still spends workspace credits. The boundary is not only cleaner for users; it also reduces ambiguity for the owner, because failures, limits, and credit use all land in the same workspace rules instead of branching into special mobile-only behavior.
The main qualifier is that this strength is about coherence, not completeness. The evidence shows a well-bounded companion surface, but not a full replacement for the web workspace. That is the right tradeoff for this chapter: mobile is solid because it keeps capture, chat, and workspace access aligned with the rest of the product, while leaving deeper bookkeeping work to the web side. For an owner, that is a practical design rather than a compromise hidden behind marketing language.
Attention Cards
Owner Decisions
Evidence Boundary
Evidence boundary
Reviewed
- The mobile tab structure and workspace-switching behavior.
- The shared upload-then-extract path for Capture and Documents.
- The mobile AI chat workspace, membership, lock, limit, and credit checks.
- The web workspace landing surface only as the handoff context for deeper work.
Not reviewed
- The rest of the web-only bookkeeping chapters in depth.
- External extraction and AI provider internals.
- Any owner intent that is not reflected in the reviewed knowledge items supplied here.
Re-check the mobile tab layout, workspace provider, capture and document upload flow, and chat credit rules if the app's navigation, workspace switching, or billing behavior changes.
Want this for your own repo?
Generate a free preview first. Unlock the full manual only if the evidence is useful enough to keep.
Generate your manual