Security-first by architecture

Policy decisions are evaluated server-side with deny rules taking precedence over allow rules, plus workspace-level authorization checks on every API path.

Audit events are chained with `prev_hash` and a canonical event hash, making edits detectable during replay and forensic verification.

Agent credentials are shown once, stored as salted hashes, rotatable on demand, and can be disabled immediately through the kill switch workflow.