docs: sprint 2 surface in docs/api.md + D-015/D-016/D-017 + changelog

- `docs/api.md` extended with the sprint-2 surface: pagination envelope
  conventions, engagement members (GET/POST/DELETE), users (GET paginated
  with `?type=`, POST, PATCH, DELETE-soft), audit log viewer with its
  five filters. Anti-enumeration semantics (404 on foreign members) made
  explicit. Drive-by fix: `/engagements<eid>` → `/engagements/<eid>`.
- `tasks/spec-decisions.md` logs the three sprint-2 decisions verbatim:
  - **D-015** USER_MANAGE permission (wording from spec-analyst).
  - **D-016** pagination envelope shape (`{items, total, page, page_size}`).
  - **D-017** `engagement_member.role` stays a free-form label.
- `CHANGELOG.md` summarises the sprint with hashes / behaviours / decisions.

tasks/spec-decisions.md

@@ -152,3 +152,54 @@ extension owns the registry).
 on `UuidPkMixin`. Foreign-key UUID columns rely on SQLAlchemy 2's built-in
 `Uuid` mapping via `Mapped[uuid.UUID]`. No `type_annotation_map` on the
 declarative base.
+
+### D-015 — User management permission
+
+**Decision**: Add `USER_MANAGE = "user.manage"` to the `Permission` enum in
+`backend/src/mimic/rbac/matrix.py`. This permission gates all `/api/v1/users`
+CRUD endpoints (list, create, update/disable). It is granted exclusively to
+`rt_lead` (already holds ALL_PERMISSIONS — no change to GROUP_PERMISSIONS dict).
+
+**Why**: The F11 matrix does not explicitly list "manage users" as a named
+permission, but spec §9 routes assign `/admin` (users, audit log) to Lead RT only.
+The CLI `mimic-cli user create` covered creation out-of-band but sprint 2 adds a
+UI-facing REST endpoint, which requires a named permission for `@require_perm`
+decorator + testability.
+
+**How to apply**: Backend uses `@require_perm(Permission.USER_MANAGE)` on all
+`/api/v1/users` endpoints. No change to GROUP_PERMISSIONS needed — rt_lead holds
+ALL_PERMISSIONS already. rt_operator and soc_analyst get 403 automatically.
+
+### D-016 — Pagination envelope shape
+**Context.** Sprint 2 adds two paginated endpoints (`/users` and `/audit/log`);
+sprint 3+ will paginate TTPs and scenarios. A consistent shape avoids two
+client-side parsers.
+
+**Decision.** Standard envelope:
+```json
+{ "items": [...], "total": <n>, "page": 1, "page_size": 50 }
+```
+- Query params: `?page=` (≥1, default 1), `?page_size=` (default 50, max 200).
+- `total` is computed via a `SELECT COUNT(*)` against the same filtered query.
+- Existing non-paginated endpoints (`GET /api/v1/engagements`) are **not**
+  migrated this sprint — changing them retroactively would break the frontend
+  client that already shipped. They'll migrate together later via either a
+  `/api/v2/` bump or an opt-in `?paginate=true` flag.
+
+**How to apply.** `mimic.schemas.pagination.Page[T]` + `PageQuery` provide the
+shape and the validated query parsing; `mimic.api._helpers.parse_page_query()`
+is the canonical entrypoint inside blueprints.
+
+### D-017 — `engagement_member.role` as a free-form label
+**Context.** The `engagement_member.role` column is `String(40)` (sprint 0).
+Sprint 2 needs to know what to validate at the API boundary.
+
+**Decision.** Treat `role` as a free-form informational label, not as an
+authorization gate. Application-level RBAC stays the responsibility of the F11
+`group` membership; `role` documents who-does-what on the engagement
+(e.g. `"member"`, `"lead-on-mission"`, `"binôme A"`, `"shadow"`). Default to
+`"member"` when not provided. Validation: 1–40 chars.
+
+**How to apply.** `EngagementMemberCreate` uses a `str` field with the
+1–40-char bound; no enum to maintain. If future code needs a typed role,
+introduce a separate column (do not repurpose this one).