Engagement members on `/api/v1/engagements/<eid>/members`:
- `GET` lists members (flat array, ordered by `added_at`). Permission
`ENGAGEMENT_READ`.
- `POST` adds a member. Permission `ENGAGEMENT_MEMBER_MANAGE`. Body
`{user_id, role?}`; `role` defaults to `"member"` (D-017). Returns 201
with `EngagementMemberRead`, 404 if the user is disabled/unknown, or
`409 already_member` on duplicate.
- `DELETE /members/<uid>` revokes. 204 on success, 404 if the membership
doesn't exist.
Every route reuses `_engagement_or_404` *before* any membership query, so
an RT operator targeting a foreign engagement receives the same 404 as for
a non-existent ID — matching the MA6 anti-leak posture flagged by
spec-analyst on this sprint.
Audit log viewer on `/api/v1/audit/log`:
- Single endpoint `GET`, paginated `Page[AuditLogEntry]`, gated by
`AUDIT_READ` (rt_lead only).
- Filters: `?action=`, `?actor_id=`, `?resource_type=`, `?since=`,
`?until=`. Times are ISO 8601; invalid input goes through the global 422
envelope with a `loc` field for the bad parameter.
- Exposes `prev_hash` / `row_hash` to support future client-side
chain-verification (D-013 stayed v1).
- Sorted by `ts DESC` so the most recent activity is the first page.
Blueprints registered in `api/__init__.py`.
9f75f119f0