Finding: SD-AUTHZ-02 (MEDIUM) | Milestone: M-E2: Identity & Access (#16)
Problem: Any authenticated key can create and revoke other API keys.
Fix: Add role admin/operator/viewer to ApiKey. Key creation/revocation requires admin. Session operations require operator. Transcript/metric reads allow viewer.
Files: src/auth.ts, src/server.ts
Acceptance: An operator key cannot call POST /v1/auth/keys; returns 403.
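Worked example (added here; not the project's own src/auth.ts or src/server.ts): a minimal role model and a fail-closed authorization check that yields the 403 the acceptance criterion describes. The route table, request shape, role ranking and the hypothetical paths other than POST /v1/auth/keys are assumptions made for illustration.

```typescript
// Added example of role-based authorization for API keys.
// Hypothetical implementation, not the project's code; routes other than
// POST /v1/auth/keys, the role ranking and the Decision shape are assumptions.

type Role = "admin" | "operator" | "viewer";

interface ApiKey {
  id: string;
  role: Role;
  revoked: boolean;
}

// Assumed ordering: admin > operator > viewer. A higher role may do everything
// a lower one can; the fix text only says which role each operation requires.
const RANK: Record<Role, number> = { viewer: 0, operator: 1, admin: 2 };

function hasRole(key: ApiKey, required: Role): boolean {
  return !key.revoked && RANK[key.role] >= RANK[required];
}

// Minimum role per endpoint. POST /v1/auth/keys is from the finding; the
// remaining paths are illustrative placeholders for the operation classes
// the fix names (key revocation, session operations, transcript/metric reads).
interface Route { method: string; pattern: RegExp; role: Role }
const ROUTES: Route[] = [
  { method: "POST",   pattern: /^\/v1\/auth\/keys$/,          role: "admin" },
  { method: "DELETE", pattern: /^\/v1\/auth\/keys\/[^/]+$/,   role: "admin" },
  { method: "POST",   pattern: /^\/v1\/sessions$/,            role: "operator" },
  { method: "DELETE", pattern: /^\/v1\/sessions\/[^/]+$/,     role: "operator" },
  { method: "GET",    pattern: /^\/v1\/transcripts\/[^/]+$/,  role: "viewer" },
  { method: "GET",    pattern: /^\/v1\/metrics$/,             role: "viewer" },
];

interface Decision { status: 200 | 401 | 403 | 404; reason: string }

// Fail closed: no or revoked key -> 401, unknown route -> 404,
// insufficient role -> 403. Only a fully matched route with a sufficient
// role returns 200. Deny reasons are suitable for an audit log.
function authorize(key: ApiKey | undefined, method: string, path: string): Decision {
  if (!key || key.revoked) {
    return { status: 401, reason: "missing or revoked key" };
  }
  const route = ROUTES.find((r) => r.method === method && r.pattern.test(path));
  if (!route) {
    return { status: 404, reason: "no such route" };
  }
  if (!hasRole(key, route.role)) {
    return { status: 403, reason: `requires ${route.role}, key has ${key.role}` };
  }
  return { status: 200, reason: "ok" };
}

// Constructed sample keys for a stand-alone run (acceptance check from the finding).
const sampleOperator: ApiKey = { id: "k-op-constructed", role: "operator", revoked: false };
console.log(authorize(sampleOperator, "POST", "/v1/auth/keys"));
```

The route lookup runs before the role check so that an unknown path never grants access by accident, and a revoked key is rejected before any route matching at all; both choices keep the default outcome a denial.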