• Tenant context is resolved before session bootstrap in tenant portal flows.
• Cross-tenant reads and writes are blocked by claim/path checks and Firestore rules.
• Wrong-portal access attempts are denied with neutral messaging and security event logging.
• Role and entitlement checks are enforced in UI access and data mutation paths.

Last updated: February 19, 2026