Changelog

Admins on /admin/members can invite teammates with single-use links (10-minute TTL, hashed tokens, audited create/redeem/revoke).

Resend affordance for revoked/expired invites — old tokens stay terminal, a fresh row is minted.

Per-IP rate limits on invite creation (20/h) and redemption (30/h); 32-byte token secrets stored only as sha256 hashes.

Redemption error messages collapsed into a generic "invalid token" surface — no address-mismatch oracle.

Recursion in the `users_select_same_org` RLS policy broken by a SECURITY DEFINER helper. Latent until the Members page started issuing direct authenticated reads.

Dismissible onboarding checklist on the dashboard for fresh users: install, invite teammate, enable MFA, pair desktop (optional).

Replaced native `window.confirm()` in admin actions with a styled confirm dialog that captures an audited justification.

Members page no longer renders a misleading "Safe & secure" empty state to users who haven't yet recorded any events.

Org-role hierarchy expanded to owner / admin / security_admin / compliance_admin / viewer / member with permission gates per route.

Immutable admin audit log (`admin_audit_log`) writing for every state-mutating admin action.

Audit metadata is sanitised before write — emails, long opaque tokens, and card-shaped digit runs are masked.

Published the live sub-processor list at /sub-processors with a 30-day change-notification commitment.

Privacy Policy and Terms of Service tailored to the product (Personal tier free; Enterprise gated by a 7-day full-access trial).

Data Processing Agreement available under /dpa for Enterprise customers.