Ideal ERP — Security & Audit

Every privileged write is recorded with actor, organisation, table and before/after JSON. Row-Level Security is enforced on every table via is_org_member, is_org_admin and has_role. Roles live only in user_roles — never on profiles. Portal users are isolated and can never reach internal /app routes.
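A PostgreSQL sketch of how these guarantees fit together, added here as an illustration and not taken from Ideal ERP's own schema. The `has_role` signature, the `invoices`, `audit_log` and `current_user_id` names, the column layout and the `app.user_id` session setting are all assumptions; it requires PostgreSQL 11 or later.

```sql
-- Assumed schema throughout: only has_role and user_roles are names from the page.
CREATE TABLE user_roles (
  user_id uuid NOT NULL, org_id uuid NOT NULL,
  role text NOT NULL CHECK (role IN ('admin', 'member')),
  PRIMARY KEY (user_id, org_id, role));
ALTER TABLE user_roles ENABLE ROW LEVEL SECURITY;  -- no policies: default deny for non-owners

-- Hypothetical identity source: trusted backend code sets app.user_id per transaction.
CREATE FUNCTION current_user_id() RETURNS uuid LANGUAGE sql STABLE
AS $$ SELECT nullif(current_setting('app.user_id', true), '')::uuid $$;

-- SECURITY DEFINER lets policies consult user_roles without granting callers access to it.
CREATE FUNCTION has_role(_org uuid, _role text) RETURNS boolean
LANGUAGE sql STABLE SECURITY DEFINER SET search_path = public, pg_temp AS $$
  SELECT EXISTS (SELECT 1 FROM user_roles WHERE user_id = current_user_id()
                 AND org_id = _org AND role = _role) $$;

CREATE TABLE invoices (id uuid PRIMARY KEY, org_id uuid NOT NULL, total numeric NOT NULL);
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
CREATE POLICY invoices_read ON invoices FOR SELECT
  USING (has_role(org_id, 'member') OR has_role(org_id, 'admin'));
CREATE POLICY invoices_write ON invoices FOR ALL
  USING (has_role(org_id, 'admin')) WITH CHECK (has_role(org_id, 'admin'));

-- Audit trail: actor, organisation, table and before/after JSON for each write.
CREATE TABLE audit_log (
  id bigserial PRIMARY KEY, logged_at timestamptz NOT NULL DEFAULT now(),
  actor uuid, org_id uuid, table_name text NOT NULL, action text NOT NULL,
  old_row jsonb, new_row jsonb);
ALTER TABLE audit_log ENABLE ROW LEVEL SECURITY;  -- written only through the trigger below

-- Generic row trigger; assumes every audited table carries an org_id column.
CREATE FUNCTION audit_row() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER SET search_path = public, pg_temp AS $$
BEGIN
  IF TG_OP = 'INSERT' THEN
    INSERT INTO audit_log (actor, org_id, table_name, action, new_row)
    VALUES (current_user_id(), NEW.org_id, TG_TABLE_NAME, TG_OP, to_jsonb(NEW));
  ELSIF TG_OP = 'UPDATE' THEN
    INSERT INTO audit_log (actor, org_id, table_name, action, old_row, new_row)
    VALUES (current_user_id(), NEW.org_id, TG_TABLE_NAME, TG_OP, to_jsonb(OLD), to_jsonb(NEW));
  ELSE
    INSERT INTO audit_log (actor, org_id, table_name, action, old_row)
    VALUES (current_user_id(), OLD.org_id, TG_TABLE_NAME, TG_OP, to_jsonb(OLD));
  END IF;
  RETURN NULL;  -- return value is ignored for AFTER row triggers
END $$;
CREATE TRIGGER invoices_audit AFTER INSERT OR UPDATE OR DELETE ON invoices
  FOR EACH ROW EXECUTE FUNCTION audit_row();
```

Because the application role has no policy on `user_roles` or `audit_log`, it can neither grant itself a role nor edit the trail; both tables are reachable only through the two SECURITY DEFINER functions.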