Security
Organization isolation
Every workspace surface is scoped by organization membership. Row-level security policies enforce isolation at the database.
Invite-only access
Users do not self-provision organizations. Platform admins create organizations; workspace admins invite members.
Per-application entitlement
Applications appear in a user's launcher only after their organization is entitled to them.
Auditable admin actions
Role grants, organization creation, and entitlement changes are recorded in an append-only audit log.