Expand description
Stage 4 auth + user/API-key administration.
/auth/login exchanges username+password for a bearer session token; /auth/logout revokes it;
/auth/me reports the caller. /users and /api-keys are admin-only management surfaces. All
mutations are written to the immutable audit log.