docs: sprint 2 surface in docs/api.md + D-015/D-016/D-017 + changelog

- `docs/api.md` extended with the sprint-2 surface: pagination envelope
  conventions, engagement members (GET/POST/DELETE), users (GET paginated
  with `?type=`, POST, PATCH, DELETE-soft), audit log viewer with its
  five filters. Anti-enumeration semantics (404 on foreign members) made
  explicit. Drive-by fix: `/engagements<eid>` → `/engagements/<eid>`.
- `tasks/spec-decisions.md` logs the three sprint-2 decisions verbatim:
  - **D-015** USER_MANAGE permission (wording from spec-analyst).
  - **D-016** pagination envelope shape (`{items, total, page, page_size}`).
  - **D-017** `engagement_member.role` stays a free-form label.
- `CHANGELOG.md` summarises the sprint with hashes / behaviours / decisions.

CHANGELOG.md

@@ -5,6 +5,46 @@ Versioning starts at `0.1.0` when sprint 0 lands.
 
 ## [Unreleased]
 
+### Sprint 2 — user mgmt + engagement members + audit viewer (`feature/backend-user-mgmt`)
+
+- **`USER_MANAGE` permission** (D-015) added to the F11 matrix; `rt_lead` only.
+  Migration `202605230001_add_user_manage_permission` adds `user.manage` to
+  the `permission` table and ties it to the `rt_lead` group. The
+  `test_migration_seed_matches_current_matrix` invariant is generalised to
+  the union "initial frozen ∪ delta migrations" so future sprints can keep
+  adding permissions via new migrations without editing the historical one.
+- **User CRUD** (`/api/v1/users`):
+  - `GET` paginated list (filter `?type=`).
+  - `POST` creates a user, hashes the password, wires the F11 group membership
+    automatically, returns `409 email_taken` on duplicate.
+  - `PATCH` partial update; changing `type` realigns the global group
+    membership and leaves per-engagement memberships untouched.
+  - `DELETE` soft-disables via `disabled_at`; idempotent (returns 204 even
+    when already disabled).
+  - Every mutation writes an audit row (`user.create` / `update` / `disable`).
+- **Engagement members** (`/api/v1/engagements/<eid>/members`):
+  - `GET`, `POST`, `DELETE`. `_engagement_or_404` runs *before* any membership
+    query so an RT operator targeting a foreign engagement receives the same
+    404 as for a non-existent id (anti-enumeration).
+  - `role` is a free-form ≤40-char label (D-017). Default `"member"`.
+  - `409 already_member` on duplicate.
+- **Audit log viewer** (`/api/v1/audit/log`): paginated, `rt_lead` only via
+  `AUDIT_READ`. Filters: `action`, `actor_id`, `resource_type`, `since`,
+  `until` (ISO 8601). Exposes `prev_hash` / `row_hash` so future clients can
+  verify the chain.
+- **Pagination envelope** (D-016): `Page[T]` schema
+  `{items, total, page, page_size}` and `PageQuery` for parsing
+  `?page=&page_size=` (max 200). Used by `/users` and `/audit/log` this
+  sprint; existing flat-array endpoints stay unchanged.
+- **Spec decisions** D-015, D-016, D-017 logged.
+- **Tests**: 11 new unit tests (Pydantic shapes + pagination bounds) + 5 new
+  integration tests covering the critical MA6 scenario (`rt_lead creates
+  rt_operator → assigns engagement A → operator only sees A`), the RBAC
+  gate on `USER_MANAGE`, the 409 on duplicate emails, the audit pagination,
+  and the soft-disable login-block path.
+- **`docs/api.md`** extended with the sprint-2 surface; the typo
+  `/engagements<eid>` → `/engagements/<eid>` fixed in passing.
+
 ### Sprint 1 — backend follow-up fixes (`feature/backend-auth-wiring`)
 
 - **Global JSON error envelope** — register `@app.errorhandler(HTTPException)`