snapshot: preserve session hardening and account surface

backend/workflows/app_registry.py

@@ -8,6 +8,9 @@ from django.utils.translation import gettext_lazy as _
 from .models import PortalAppConfig
 from .roles import ROLE_ADMIN, ROLE_IT_STAFF, ROLE_LABELS, ROLE_PLATFORM_OWNER, ROLE_STAFF, ROLE_SUPER_ADMIN, get_user_role_key, user_has_capability
 
+# The registry controls discoverability and packaging posture for apps.
+# Actual authorization still comes from role capabilities in roles.py.
+
 
 @dataclass(frozen=True)
 class AppDefinition:
@@ -188,6 +191,8 @@ APP_DEFINITIONS: tuple[AppDefinition, ...] = (
 
 
 DEFAULT_ROLE_VISIBILITY = {
+    # These defaults are product recommendations for fresh deployments.
+    # Saved PortalAppConfig rows can override them per customer installation.
     'onboarding': {
         ROLE_SUPER_ADMIN: True,
         ROLE_ADMIN: True,