Workspace isolation, role permissions, secure authentication, and activity logs — implemented in the current product, not a future promise.
Every record scoped to a workspace with middleware-enforced member checks.
Four workspace roles gate create, edit, delete, invite, and export actions.
Email OTP registration, Google OAuth, Sanctum API tokens, and rate-limited login.
TOTP two-factor challenge supported at login on web and mobile.
Mobile tokens stored with flutter_secure_storage; attachments use signed URLs.
Full workspace event history with role-scoped visibility and CSV export.
Every financial record belongs to exactly one workspace. A global database scope enforces isolation, and API middleware verifies membership on every request. Regression tests cover cross-workspace access attempts.
Four roles — Owner, Admin, Editor, Viewer — gate create, edit, delete, invite, and export actions. Activity logs capture CRUD events with IP address, user agent, and before/after property diffs. Owners and admins can export the full log as CSV.
Authentication covers email registration with OTP verification, Google OAuth, rate-limited login, Sanctum API tokens, and OTP-based password reset. TOTP two-factor authentication is supported at login on web and mobile.
Mobile auth tokens are stored with flutter_secure_storage. Receipt and document attachments are served via time-limited signed URLs. Premium feature checks validate the workspace owner's subscription or verified in-app purchase.