Security
Tenant isolation
The Supabase schema uses organization-scoped tables and Row Level Security policies for restaurant data.
Access control
V1 roles include owner, manager, server, kitchen and cashier. Product behavior can layer more permission checks on top.
Operational posture
Environment secrets stay outside the repo. Public pages are static or server-rendered and app routes are protected by middleware.