Initialize repo and add session changes (2025-09-08)

docs/prp/09-security-compliance.md

@@ -0,0 +1,8 @@
+# 09 — Security & Compliance
+
+- Roles: `super_admin`, `tenant_admin`, `member`; guest upload via signed tokens.
+- Policies: all tenant-owned models gated; Super Admin bypass via explicit ability.
+- Audit: record impersonation and destructive actions with actor, target, reason.
+- Logging: structured, no PII; add request/trace IDs; redact secrets.
+- GDPR: retention settings per tenant; deletion workflows; legal pages managed via CMS-like resource.
+- Rate limits: per-tenant, per-user, per-device; protect upload and admin mutations.