List the audit log (owner-only)
Every sensitive mutation (key issue/revoke, publish, secret provisioning, schedule create/delete, member add/role-change/remove), newest-first, cursor-paginated. Read-only — appended only by the handlers that perform those mutations.
承認
The dashboard's signed, HttpOnly session cookie (packages/service/src/auth.ts): base64url(payload).base64url(hmac-sha256), absolute 30-day lifetime, SameSite=Lax, Secure on any TLS deployment. Minted by POST /api/auth/signup or POST /api/auth/login (or, outside production, auto-provisioned by GET /api/session). Because it is HttpOnly, it cannot be read or attached by a browser-based API-reference "Try it" panel across origins — exercise these routes with a real logged-in browser session or a cookie-jar HTTP client.