## Problem Admin auth is a single shared `X-Admin-Token`. This is hard to rotate, hard to scope, and hard to audit per operator. ## Acceptance criteria - [ ] Replace with scoped admin tokens (stored hashed) or RBAC for admin users - [ ] Add audit log fields: admin identity, action, target, result - [ ] Add rate limiting already exists; ensure it cannot be bypassed - [ ] Document operational procedure for issuing/revoking admin access In production, this should validate against a proper admin role/permission system ## Priority P1 / High
Problem
Admin auth is a single shared
X-Admin-Token. This is hard to rotate, hard to scope, and hard to audit per operator.Acceptance criteria
In production, this should validate against a proper admin role/permission system
Priority
P1 / High