Pick a persistent store for delegated_agent audit log entries. Recommend Grafana Cloud Loki (already adopted by ADR-019, free at pilot scale) for general-purpose audit retention, with a small Mongo audit_logs collection reserved only for the customer-facing 'who did what' query surface once a tenant asks for one.
Quick-reference runbook for any agent, CI job, connector, or external script that needs to authenticate against the sv0-platform API. Covers the three live machine-auth paths and explicitly forbids replicating the deprecated personal-agent bridge.
Four-PR plan to delete the personal-agent bridge, collapse three super-admin allowlists to one, and clean up the legacy authMiddleware + OIDC + redirect/cookie env duplications. Reduction-only — no new features. The plan is itself a simplification of an earlier six-step draft that mirrored the accretion pattern it was trying to fix.