Row-level audit by default
AFTER INSERT, UPDATE, and DELETE triggers on every user table capture field-level before and after diffs together with the actor. The audit table is append-only, enforced by database privilege: tenant roles get SELECT and INSERT only.