- docs/api.md: contract the frontend consumes — base URL, auth transport
(Flask session cookie, credentials: include), uniform error envelope,
MA6 tenant-scope behaviour (404 not 403), per-endpoint shape for
/auth/{login,logout,me} and /engagements GET/POST/GET-by-id, plus a
worked example walking through CLI bootstrap → login → POST engagement →
list → logout.
- CHANGELOG.md: sprint-1 entry summarising the three endpoints, the dev-
only CORS, the AuthUser extension, the audit rows, and the test
coverage.
