API key authentication, scope-based authorisation, rate limiting, and audit logging for all Skill API calls.

References: PRD §5.3

## Acceptance Criteria

- [ ] Bearer token auth: `Authorization: Bearer <key>`
- [ ] Keys generated per project with configurable scopes: `containers:read`, `containers:write`, `databases:read`, `environments:write`, `skills:admin`
- [ ] Keys stored as hashed values; shown only once on creation
- [ ] 403 returned when caller lacks required scope
- [ ] Rate limit: 100 req/min per key by default; configurable per key by admins
- [ ] Rate limit response headers: `X-RateLimit-Limit`, `X-RateLimit-Remaining`, `X-RateLimit-Reset`
- [ ] Audit log per call: `key_id`, `principal`, `endpoint`, `parameters` (secrets redacted), `response_status`, `latency_ms`, `timestamp`
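The acceptance criteria above can be exercised end to end with a small in-memory model. The following is an added example, not the project's own code: `KeyStore`, `check_request`, the fixed 60-second rate-limit window, the `project` field used as the principal, and the set of redacted parameter names are all assumptions made for illustration. It shows a key that is returned in plaintext exactly once and stored only as a hash, constant-time hash comparison on lookup, a 403 on a missing scope, the three `X-RateLimit-*` headers, and one audit entry per call with secrets redacted.

```python
"""Added example (not the project's own code) modelling the Skill API key
checklist: hashed key storage, scope checks, per-key rate limits and audit log."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Scopes named in the acceptance criteria.
SCOPES = {"containers:read", "containers:write", "databases:read",
          "environments:write", "skills:admin"}
# Assumed list of parameter names whose values never reach the audit log.
REDACT_KEYS = {"password", "token", "secret", "api_key"}


@dataclass
class ApiKey:
    key_id: str
    project: str
    key_hash: str            # SHA-256 of the random key; plaintext is never stored
    scopes: frozenset
    rate_limit: int = 100    # requests per minute, admin-configurable per key
    window_start: float = 0.0
    window_count: int = 0


class KeyStore:
    """Assumed in-memory store keyed by the public key_id prefix."""

    def __init__(self):
        self.by_id = {}

    def create(self, project, scopes, rate_limit=100):
        """Generate a key; the plaintext is returned exactly once, on creation."""
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = secrets.token_hex(4)
        plaintext = f"{key_id}.{secrets.token_urlsafe(32)}"
        # A plain SHA-256 is acceptable here because the key is high-entropy
        # random material, unlike a user-chosen password.
        key_hash = hashlib.sha256(plaintext.encode()).hexdigest()
        self.by_id[key_id] = ApiKey(key_id, project, key_hash,
                                    frozenset(scopes), rate_limit)
        return plaintext

    def lookup(self, plaintext):
        """Resolve a presented key to its record, or None if it does not verify."""
        rec = self.by_id.get(plaintext.split(".", 1)[0])
        if rec is None:
            return None
        digest = hashlib.sha256(plaintext.encode()).hexdigest()
        return rec if hmac.compare_digest(digest, rec.key_hash) else None


def redact(params):
    """Replace secret-bearing parameter values before they are logged."""
    return {k: ("[REDACTED]" if k.lower() in REDACT_KEYS else v)
            for k, v in params.items()}


def check_request(store, headers, required_scope, endpoint, params, audit, now=None):
    """Authenticate, rate-limit and authorise one call.

    Returns (status, response_headers) and appends one audit entry per call.
    `now` is injectable so the rate-limit window can be tested deterministically.
    """
    now = time.time() if now is None else now
    start = time.monotonic()
    auth = headers.get("Authorization", "")
    rec = store.lookup(auth[len("Bearer "):]) if auth.startswith("Bearer ") else None
    status, resp = 401, {}
    if rec is not None:
        # Fixed 60-second window per key (assumed; token bucket would also fit).
        if now - rec.window_start >= 60:
            rec.window_start, rec.window_count = now, 0
        rec.window_count += 1
        remaining = max(rec.rate_limit - rec.window_count, 0)
        resp = {"X-RateLimit-Limit": str(rec.rate_limit),
                "X-RateLimit-Remaining": str(remaining),
                "X-RateLimit-Reset": str(int(rec.window_start + 60))}
        if rec.window_count > rec.rate_limit:
            status = 429
        elif required_scope not in rec.scopes:
            status = 403          # authenticated, but lacks the required scope
        else:
            status = 200
    audit.append({
        "key_id": rec.key_id if rec else None,
        "principal": rec.project if rec else "anonymous",
        "endpoint": endpoint,
        "parameters": redact(params),
        "response_status": status,
        "latency_ms": round((time.monotonic() - start) * 1000, 3),
        "timestamp": now,
    })
    return status, resp
```

The rate-limit check runs before the scope check so that a caller cannot probe scopes faster than its limit allows, and the audit entry is written on every path, including 401 and 429, since failed calls are the ones an incident responder most wants to see.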