docs: post-audit cleanup across CHANGELOG, CLAUDE, PLAN, README, design, ADR 0001, UI/UX plan (#60)

Sweep over the project's markdown to bring it back in line with the
post-Phase-7 + post-audit codebase. Documentation was lagging in
multiple places — the project audit's docs front had flagged most of
this; this PR ships the fixes.

CHANGELOG.md
  Repointed the `Unreleased` section to cover BOTH the existing
  Phase 7 access-control + change-approval bundle (PRs #28-#32 + #37)
  AND the project-audit follow-ups (PRs #52-#59) that just landed.
  The audit follow-ups subsection summarises each merged PR with its
  scope and verification, plus a deferred-items list (DisallowUnknownFields,
  rate-limiter janitor, per-handler child spans, eager markdown
  chunk). Added a note that a real version stamp is overdue.

CLAUDE.md
  - Tech stack: drop the "sqlc or pgx" hedge — the codebase is pgx
    + hand-written SQL only.
  - Auth bullet: stop claiming hashed API keys are supported; they're
    parked under v0.4.x. Mirrored on Decision B in the table.
  - Deployment bullet: stop claiming docker-compose has dev + prod
    profiles. Only dev + ci exist; the prod profile is parked.
  - Conventions: drop the obsolete `claude/ai-registry-setup-KMC3l`
    bootstrap branch reference; describe the actual feat/fix/docs/chore
    convention.
  - Configuration section: "**both** of the following" → "**all three**"
    (env / YAML / default). Original wording predated the YAML layer
    and was only updated on the precedence list, not the lede.

PLAN.md
  - Phase 5 hardening section: the four-line `**TODO — Phase 5:**`
    list was misleading — the items weren't unfinished Phase 5 work,
    they were carried forward into v0.4.x. Replaced with a "Parked
    from Phase 5 (now tracked under v0.4.x)" header that points at
    the README + CLAUDE.md Decision B for the live status.
  - v0.2.2 section: the entire DoD checklist was rendered as `- [ ]`
    even though the section header said "✅ SHIPPED". Replaced the
    unchecked checklist with a past-tense "What landed" summary, a
    "Carried forward" subsection for the OTel-spans gap that v0.2.2
    only partially closed (PR #58 finished it), and a DoD-met note.

README.md
  - Tech stack: PostgreSQL 16 → 18, matching the dev compose
    (postgres:18-alpine since PR #41) and the Helm CNPG cluster
    (PR #56).
  - Infra bullet: replace the "docker-compose (dev / ci / prod)"
    claim with an accurate description of the two real overlays
    (dev, ci) and a parked-under-v0.4.x note for prod.

design.md
  - Typography table: drop the "Geist (next/font)" row — that loader
    was removed with the rest of the Next.js stack in Phase 6
    (ADR 0004). The web app uses Tailwind's default `font-sans` /
    `font-mono` system stacks; explained in a follow-up paragraph.
  - Admin sidebar ASCII diagram: add the Workspaces nav item that
    Phase 7 introduced; rename "Activity" → "Audit" to match the
    actual nav label; flag the API Keys item as a placeholder.

docs/adr/0001-workspaces-under-publishers.md
  - Drop the "Migration numbers ... are **placeholders**" preamble —
    the actual numbered migrations (000008, 000009, 000010) are on
    disk and the placeholder language is no longer accurate.
  - Mark Step 1 + Step 2 as shipped with the actual entry points
    (Go-side `db.BackfillWorkspaces` instead of the original
    `make backfill-workspaces`).
  - Add an explicit "Status note (2026-05-10)" callout that Step 3
    (the finalising migration that drops `publisher_id` and flips
    `workspace_id` to NOT NULL) was scoped at design time but never
    landed; production keeps both columns coexisting and code paths
    still read `publisher_id` directly. Verified by grep against
    `internal/store/mcp.go`.

docs/ui-ux-implementation-plan.md
  - Added a "Status: largely shipped — retrospective document" banner
    at the top. The document plans 10 batches, the vast majority of
    which shipped across v0.2.x and v0.3.x. Without the banner the
    file reads as forward-looking work and gives a misleading picture
    to anyone landing on it via search. Points the reader at PLAN.md
    and README.md for current open work.

Out of scope (audit findings deliberately not addressed here):
docs/ui-ux-proposals.md is a decision record (proposals + accepted /
deferred verdicts), so staleness is by design — not a bug. The
runbook, db-backup, future-multi-environment, ADRs 0002/0003/0004,
and test/load README are all current.

No code changes; no test impact.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: Haibread

CHANGELOG.md

@@ -4,9 +4,17 @@ All notable changes to this project are documented here.
 
 ## Unreleased
 
-Phase 7 access-control + change-approval bundle plus an admin UI polish
-sweep. The server-side work landed across PRs #28–#32 and is reflected
-here for the first time; the UI polish landed in PR #37.
+Two distinct workstreams sit here pending the next version stamp:
+
+1. **Phase 7 access-control + change-approval bundle plus an admin UI
+   polish sweep.** Server-side work landed across PRs #28–#32; UI
+   polish landed in PR #37.
+2. **Project-audit follow-ups (PRs #52–#59).** A four-front sweep
+   produced a punch-list; the high-impact findings shipped as a
+   batch of small, surgical PRs.
+
+A real version stamp is overdue — the workstreams below are
+substantial enough that "Unreleased" understates them.
 
 ### 🏢 Workspaces under publishers
 
@@ -91,6 +99,75 @@ new workflow surfaces had landed:
   surface the slug inline under the name where the dedicated column
   is hidden; page headers wrap.
 
+### 🧭 Project-audit follow-ups (PRs #52–#59)
+
+A four-front audit (server, web, infra/config, docs) surfaced a P0/P1
+punch-list. The high-impact items shipped as small, surgical PRs;
+the deferred items are documented inline in the relevant PR
+descriptions.
+
+- **PLAN refresh** (#52) — mark v0.2.2 / v0.3.0 / v0.3.1 / v0.3.2 as
+  shipped; PLAN was lagging behind the actual release state.
+- **Doc + dead-code cleanup** (#54) — flip ADRs 0001/0002/0003 from
+  `Proposed` → `Accepted`, drop the stale `next-themes` row from
+  PLAN's Phase 6 migration table, prune dead Renovate rules
+  (`next`, `eslint-config-next`, `next-auth`, `autoprefixer`,
+  `tailwindcss-animate`), bump `@types/node` pin from `^22.0.0` →
+  `^24.0.0` (CI runs Node 24), delete the unused
+  `compatibility-info.tsx` component.
+- **Config-layer fixes** (#55) — `PUBLIC_BASE_URL` and
+  `BOOTSTRAP_FILE` were bypassing the config layer (read directly
+  via `os.Getenv` from handlers and main), violating CLAUDE.md's
+  env+YAML+default mandate. Both are now reachable via env, YAML
+  (`http.public_base_url`, `bootstrap_file`), and a built-in
+  default. The `--bootstrap-file` CLI flag still wins. The
+  `OAuthProtectedResource` handler also dropped its silent
+  `localhost:8081` fallback — empty `PublicBaseURL` now returns
+  HTTP 500, mirroring `GlobalAgentCard`. 8 new tests pin the
+  three-place rule.
+- **Helm CNPG postgres bump** (#56) — `cnpg.postgresVersion: "16"`
+  → `"18"`. Closes the version drift with the docker-compose stack,
+  which moved to `postgres:18-alpine` in PR #41. `pg-probe` snippets
+  in `docs/runbook.md` updated to match.
+- **ADR 0004 backfill** (#57) — Phase 6 (Next.js → Vite migration)
+  was a cross-cutting decision but never got an ADR. `docs/adr/0004-vite-spa-migration.md`
+  captures the rationale, alternatives considered, and historical
+  implementation steps so the decision survives the next "why
+  aren't we on Next.js?" question.
+- **OTel uplift** (#58) — three observability test gaps closed:
+  - `router_otel_test.go` only pinned spans for 4 hand-picked routes;
+    new `router_otel_walk_test.go` enumerates every chi-registered
+    route and asserts every request lands inside an `otelhttp` span,
+    so a future router change that drops instrumentation on any
+    real handler fails CI.
+  - `internal/observability/` was at 0.0% coverage; new
+    `observability_test.go` pins log-level mapping, trace_id /
+    span_id injection, and metric-instrument registration.
+  - `internal/problem/` was at 0.0% coverage; new tests pin the
+    RFC 7807 wire shape, `omitempty` semantics, and slug-as-URL
+    contract.
+  - Bonus: `handlers/config.go` (the SPA's `/config.json` bootstrap)
+    gained its first tests covering the auth_storage coercion and
+    the empty-issuer dev-boot case.
+- **P2 quality fixes** (#59) — three small surgical fixes:
+  - **Counter drift on delete.** `CreateServer` / `CreateAgent`
+    incremented `MCPServersTotal` / `AgentsTotal`; the matching
+    delete handlers never decremented. The OTel `UpDownCounter`
+    monotonically inflated. Fixed.
+  - **Audit metadata silent-drop.** A `json.Marshal` failure in
+    `store.LogAuditEvent` dropped metadata without a log entry;
+    now we `slog.Warn` and continue with `metadata=NULL`.
+  - **`flag.Parse` error swallow.** `_ = fs.Parse(os.Args[1:])` is
+    now a structured `slog.Warn` so log aggregators see flag
+    typos.
+
+Deferred (documented in the audit synthesis but not shipped):
+`DisallowUnknownFields` rollout (no `additionalProperties: false`
+in the OpenAPI spec — needs per-endpoint risk analysis first),
+rate-limiter time-based janitor (bigger change), per-handler
+internal child spans, eager markdown chunk on detail pages
+(`React.lazy` deferral).
+
 ## v0.3.2
 
 Helm-chart-only patch release. Four fixes that unblock a fresh

CLAUDE.md

@@ -38,12 +38,13 @@ A centralized registry for AI ecosystem artifacts:
 
 ## Tech stack
 
-- **Server**: Go, `chi` router, PostgreSQL, `sqlc` or `pgx` for DB access,
-  `golang-migrate` for schema migrations.
+- **Server**: Go, `chi` router, PostgreSQL, `pgx` for DB access (no ORM,
+  hand-written SQL), `golang-migrate` for schema migrations.
 - **Auth**: OAuth2 / OIDC (external IdP, Keycloak in dev via docker-compose).
-  JWT access tokens validated via JWKS. MCP-compatible. Also supports hashed
-  API keys for machine-to-machine admin operations. Frontend uses `oidc-client-ts`
-  as a PKCE public client (no client secret; no NextAuth/Auth.js).
+  JWT access tokens validated via JWKS. MCP-compatible. Hashed API keys for
+  machine-to-machine admin operations are planned but not yet implemented —
+  see PLAN.md and Decision B below. Frontend uses `oidc-client-ts` as a PKCE
+  public client (no client secret; no NextAuth/Auth.js).
 - **Frontend**: Vite + React Router v7 + TanStack Query v5 + TypeScript +
   shadcn/ui + Tailwind. A pure SPA served as static files from nginx. Public
   section for browsing; `/admin` section guarded by a `<RequireAuth>` wrapper.
@@ -52,8 +53,12 @@ A centralized registry for AI ecosystem artifacts:
   in `src/pages/`.
 - **OpenAPI**: hand-written OpenAPI 3.1 spec is the source of truth; server
   types and TS client are generated from it.
-- **Dev infra**: docker-compose for Postgres + Keycloak + server + web.
-- **Deployment**: docker-compose (dev + prod profiles) + Helm chart for k8s.
+- **Dev infra**: docker-compose for Postgres + Keycloak + server + web
+  (`docker-compose.yml` baseline + `docker-compose.dev.yml` overlay for
+  local development; `docker-compose.ci.yml` is CI-only).
+- **Deployment**: docker-compose for self-hosted single-host installs +
+  a Helm chart for k8s with optional CNPG-managed Postgres. A dedicated
+  `docker-compose.prod.yml` profile is parked under v0.4.x.
 - **Observability**: OpenTelemetry (OTel) for all signals — traces, metrics,
   and logs. Use the Go `go.opentelemetry.io/otel` SDK in the server; export
   via OTLP (gRPC or HTTP). Every HTTP handler must be traced; DB calls must
@@ -86,9 +91,9 @@ CLAUDE.md             # this file
 
 ## Conventions
 
-- **Branching**: feature work on `claude/ai-registry-setup-KMC3l` for initial
-  setup; subsequent features on descriptive branches. Never push to `main`
-  without explicit request.
+- **Branching**: feature work on descriptive feature branches
+  (`feat/<topic>`, `fix/<topic>`, `docs/<topic>`, `chore/<topic>`). Never
+  push to `main` without an explicit request.
 - **Commits**: conventional commits (`feat:`, `fix:`, `docs:`, `chore:`).
 - **DB**: schema changes are forward-only migrations. Down migrations are
   maintained for local development convenience only — never rely on them in
@@ -106,8 +111,8 @@ CLAUDE.md             # this file
 
 ## Configuration (non-negotiable)
 
-Every configuration value MUST be settable in **both** of the following ways,
-with the listed precedence (highest wins):
+Every configuration value MUST be settable in **all three** of the following
+ways, with the listed precedence (highest wins):
 
 1. **Environment variable** — `UPPER_SNAKE_CASE` (e.g. `DATABASE_URL`).
 2. **Config file key** — `lower_snake_case` in a YAML file whose path is given
@@ -159,7 +164,7 @@ Rules for implementors:
 | # | Decision | Choice | Rationale |
 |---|----------|--------|-----------|
 | A | JWT admin claim | `realm_access.roles[]` contains `"admin"` | Keycloak default shape |
-| B | API-key auth | Deferred to Phase 5 | Phase 2 ships JWT-only; Phase 5 adds hashed API keys |
+| B | API-key auth | Deferred to v0.4.x | Phase 2-5 ship JWT-only; hashed per-publisher API keys parked under v0.4.x roadmap (see PLAN.md and README) |
 | C | `/v0/` wire format | Strict MCP registry spec shape | `{ servers: [{id, name, description, version, packages, repository, _meta}], metadata: {count, nextCursor} }` for list; single object for detail |
 | D | Integration test infra | testcontainers-go (postgres module) with snapshot isolation | No external dependency needed to run `go test` |
 | E | `packages` JSONB validation | Structural: each entry must have `registryType`, `identifier`, `version`, `transport.type` | Matches MCP server.json spec; strict schema deferred |

PLAN.md

@@ -205,11 +205,20 @@ admin console. No `/api/v1/users` endpoint or `/admin/users` page will be built.
   route on publishers, MCP servers, and agents has dedicated coverage
   in `internal/http/handlers/*_test.go` (testcontainers Postgres).
 
-**TODO — Phase 5:**
-- [ ] `POST /api/v1/api-keys`, `DELETE /api/v1/api-keys/{id}` — hashed API keys (per-publisher, machine-to-machine)
-- [ ] API-key auth middleware (JWT-first, fallback to API-key lookup)
-- [ ] Admin UI: API keys management page (`/admin/api-keys` — placeholder only today)
-- [ ] Docker Compose prod profile (`deploy/docker-compose.prod.yml`)
+**Parked from Phase 5 (now tracked under v0.4.x):**
+
+These items were originally listed as Phase 5 TODOs but were not
+attempted before Phase 5 closed. They are now part of the v0.4.x
+roadmap (see [README — Roadmap](README.md) and CLAUDE.md Decision B):
+
+- `POST /api/v1/api-keys`, `DELETE /api/v1/api-keys/{id}` — hashed API
+  keys (per-publisher, machine-to-machine).
+- API-key auth middleware (JWT-first, fallback to API-key lookup).
+- Admin UI: real API-keys management page (the `/admin/api-keys`
+  route ships as a placeholder today; the test file has a single
+  `it.skip` waiting on the endpoints).
+- Dedicated `deploy/docker-compose.prod.yml` profile for self-hosted
+  production single-host installs.
 
 ### Phase 6 — Migrate web app from Next.js → Vite + React SPA ✅ COMPLETED
 
@@ -316,50 +325,43 @@ test-only — no shipping features in this release unless they fell out
 of fixing a bug surfaced by the new tests. See CHANGELOG `v0.2.2` for
 the full coverage / CI / performance summary.
 
-**Web — admin depth**
-- [ ] Interactive coverage on `admin/mcp/detail.tsx` and `admin/agents/detail.tsx`:
-      per-version publish, deprecation, edit-in-place, status transitions, and
-      the lifecycle stepper. Today these files only have render-and-link smoke
-      tests.
-- [ ] Real flow for `admin/api-keys.tsx` (currently a single `it.skip` waiting
-      on Phase 5). Lifts as soon as the API-key endpoints land.
-- [ ] Extract the shadcn/Radix Select jsdom shims (`hasPointerCapture`,
-      `releasePointerCapture`, `scrollIntoView`) into `web/src/test/setup.ts`
-      so individual test files stop re-declaring them.
-- [ ] OIDC token refresh / expired-session paths in `AuthContext` —
-      `accessTokenExpiring` event, silent-renew failure, logout-on-401.
-
-**Server — protocol & spec conformance**
-- [ ] OTel span emission tests: every HTTP handler must produce a span with
-      the documented attributes (per CLAUDE.md "every new handler gets a
-      span"). Use the OTel test SDK / in-memory exporter.
-- [ ] Migration tests: forward apply of every numbered migration against a
-      fresh testcontainers Postgres, plus idempotency (running `Migrate`
-      twice must be a no-op).
-- [ ] `/v0/` MCP wire-format conformance suite — assert the exact response
-      shape from the MCP registry spec (`{servers, metadata: {count, nextCursor}}`,
-      single-object detail, `_meta`, `packages[].registryType`, etc.).
-- [ ] A2A Agent Card schema conformance — validate the per-agent
-      `/.well-known/agent-card.json` and the global card against the pinned
-      a2a-project June 2025 schema (decision G).
-- [ ] `openapi.yaml` ↔ handler contract test: every documented path/operation
-      must have a matching route, and every registered route must be
-      documented. Catches drift between spec and implementation.
-- [ ] Router-level test for `PublicRateLimitRPM` wiring — a test request
-      loop that proves the env/YAML value reaches the per-IP bucket and
-      changes the cutoff.
-
-**Server — write paths**
-- [ ] Audit every `POST` / `PATCH` / `DELETE` handler for untested error
-      branches (RFC 7807 problem responses, 409 conflicts, 422 validation,
-      403 admin-guard short-circuits). Today happy paths and 404s are well
-      covered, error branches less so.
-
-**Definition of done for v0.2.2**
+**What landed**
+
+- *Web admin depth.* Interactive coverage on `admin/mcp/detail.tsx` and
+  `admin/agents/detail.tsx` (per-version publish, deprecation,
+  edit-in-place, status transitions, lifecycle stepper). Shared
+  shadcn/Radix Select jsdom shims (`hasPointerCapture`,
+  `releasePointerCapture`, `scrollIntoView`) extracted into
+  `web/src/test/setup.ts`. OIDC token-refresh / expired-session paths
+  in `AuthContext` (`accessTokenExpiring`, silent-renew failure,
+  logout-on-401).
+- *Server protocol & spec conformance.* Migration forward-and-idempotent
+  apply tests against a fresh testcontainers Postgres. `/v0/` MCP
+  wire-format conformance suite. A2A Agent Card schema conformance
+  against the pinned a2a-project June 2025 schema (decision G).
+  `openapi.yaml` ↔ router contract test (bijection enforced via
+  `chi.Walk`). Router-level test for `PublicRateLimitRPM` wiring.
+- *Server write paths.* Error-branch coverage on every `POST` / `PATCH`
+  / `DELETE` handler (RFC 7807 shapes, 409 conflicts, 422 validation,
+  403 admin-guard short-circuits).
+
+**Carried forward**
+
+- *OTel span emission tests.* v0.2.2 landed a focused 4-route span
+  smoke test (`router_otel_test.go`); the broader "every handler"
+  coverage came later in PR #58 (audit follow-up) via
+  `router_otel_walk_test.go` which enumerates every chi-registered
+  route and asserts each request lands inside an `otelhttp` span.
+- *`admin/api-keys.tsx` real flow.* Still a single `it.skip` —
+  unblocks once the API-keys endpoints land in v0.4.x.
+
+**Definition of done (met at release)**
+
 - Coverage report shows no admin page below 80 % statement coverage.
-- Every handler has at least one OTel span assertion.
 - `/v0/` and A2A conformance suites are in CI and gating.
 - `openapi.yaml` ↔ router contract test is in CI and gating.
+- "Every handler has at least one OTel span assertion" — partially met
+  in v0.2.2 (focused smoke test), fully met in PR #58.
 
 ### v0.3.0 — Browse polish ✅ SHIPPED
 

README.md

@@ -56,11 +56,11 @@ AI Registry gives teams a single place to publish, discover, and evaluate the bu
 
 ## Tech stack
 
-**Server** — Go 1.25 · [chi](https://github.com/go-chi/chi) v5 · [pgx/v5](https://github.com/jackc/pgx) · PostgreSQL 16 · [golang-migrate](https://github.com/golang-migrate/migrate) · [jwt/v5](https://github.com/golang-jwt/jwt) · [oklog/ulid](https://github.com/oklog/ulid) · [testcontainers-go](https://github.com/testcontainers/testcontainers-go) · OpenTelemetry SDK + OTLP exporter
+**Server** — Go 1.25 · [chi](https://github.com/go-chi/chi) v5 · [pgx/v5](https://github.com/jackc/pgx) · PostgreSQL 18 · [golang-migrate](https://github.com/golang-migrate/migrate) · [jwt/v5](https://github.com/golang-jwt/jwt) · [oklog/ulid](https://github.com/oklog/ulid) · [testcontainers-go](https://github.com/testcontainers/testcontainers-go) · OpenTelemetry SDK + OTLP exporter
 
 **Frontend** — [Vite](https://vitejs.dev/) · React 19 · [React Router v7](https://reactrouter.com/) · [TanStack Query v5](https://tanstack.com/query/v5) · TypeScript · [shadcn/ui](https://ui.shadcn.com/) + Radix · Tailwind v4 · [oidc-client-ts](https://github.com/authts/oidc-client-ts) · Vitest + React Testing Library · Playwright (e2e)
 
-**Infra** — docker-compose (dev / ci / prod) · Helm chart with optional CNPG-managed PostgreSQL cluster, HTTPRoute, and Ingress · Keycloak for local OIDC · OTel Collector
+**Infra** — docker-compose (`docker-compose.yml` baseline + `dev` overlay; `ci` overlay for CI only) · Helm chart with optional CNPG-managed PostgreSQL 18 cluster, HTTPRoute, and Ingress · Keycloak for local OIDC · OTel Collector. (A dedicated `docker-compose.prod.yml` profile is parked under v0.4.x.)
 
 **API spec** — Hand-written OpenAPI 3.1 at `server/api/openapi.yaml` (**81 operations**), embedded into the binary and served live at `/openapi.yaml`. Server types and the TypeScript client are generated from the spec. A bijection test ensures the router and spec never drift.
 

design.md

@@ -505,11 +505,18 @@ system handles the swap automatically.
 
 | Role | Font | Weight | Size |
 |------|------|--------|------|
-| Display heading | Geist (next/font) | 700 | `text-3xl` – `text-5xl` |
-| Section heading | Geist | 600 | `text-xl` – `text-2xl` |
-| Body | Geist | 400 | `text-sm` – `text-base` |
-| Label / caption | Geist | 500 | `text-xs` – `text-sm` |
-| Code / version | Geist Mono | 400 | `text-xs` – `text-sm` |
+| Display heading | Tailwind `font-sans` (system stack) | 700 | `text-3xl` – `text-5xl` |
+| Section heading | `font-sans` | 600 | `text-xl` – `text-2xl` |
+| Body | `font-sans` | 400 | `text-sm` – `text-base` |
+| Label / caption | `font-sans` | 500 | `text-xs` – `text-sm` |
+| Code / version | `font-mono` (system monospace stack) | 400 | `text-xs` – `text-sm` |
+
+The web app does not bundle a webfont — Tailwind's default system stacks
+(`font-sans` → `ui-sans-serif, system-ui, …`; `font-mono` →
+`ui-monospace, SFMono-Regular, …`) keep first-paint fast and the bundle
+small. The original Next.js scaffold used `Geist` via `next/font`; that
+loader was dropped along with the rest of the Next.js stack in Phase 6
+(see [ADR 0004](docs/adr/0004-vite-spa-migration.md)).
 
 #### Spacing & Radius
 
@@ -592,12 +599,13 @@ redirect to the IdP authorize endpoint and a callback flow handled by
 │ Review   │                                           │
 │   queue  │  ⓘ                                        │
 │ Publishers│                                          │
+│ Workspaces│ (Phase 7 — nested under each publisher) │
 │ MCP      │                                           │
 │  Servers │                                           │
 │ Agents   │                                           │
 │ Reports  │                                           │
-│ Activity │                                           │
-│ API Keys │                                           │
+│ Audit    │                                           │
+│ API Keys │ (placeholder — see PLAN.md v0.4.x)        │
 │          │                                           │
 └──────────┴──────────────────────────────────────────┘
 ```