Stood up the backend: a private Postgres schema, row-level security on every table, a scoped app role, and a CI check that fails the build if the anon or authenticated roles can touch business data. Point-in-time backups are now a hard requirement before any private beta. On top of that sits the first API surface — clients, projects, time entries, and a single /v1/me call that provisions a user and their org on first login.