## Summary

## Security Checklist

- [ ] No secrets in code (API keys, passwords, tokens)
- [ ] Input validation (Zod schema) on new endpoints
- [ ] Audit logging for data mutations (`createAuditEntry`)
- [ ] No SQL injection risk (Prisma ORM used, no raw queries)
- [ ] XSS prevention (user-provided text properly escaped/sanitized)
- [ ] RBAC permission check on new procedures (`requirePermission`)
- [ ] No new dependencies with known vulnerabilities (`pnpm audit`)

## Test Plan

- [ ] Unit tests pass (`pnpm test:unit`)
- [ ] TypeScript compiles (`tsc --noEmit`)
- [ ] Linting passes (`pnpm lint`)
- [ ] Manual testing performed
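An added example, not code from this project, showing the input-validation, `requirePermission`, `createAuditEntry` and XSS items of the checklist applied in one mutation procedure. `requirePermission`, `createAuditEntry`, the permission table and the post store are hypothetical stand-ins for the project's own helpers, and a hand-written parser replaces the Zod schema so the block runs with no dependencies:

```typescript
// Added example (not the project's code): the checklist items as one guarded mutation.
// requirePermission, createAuditEntry, PERMISSIONS and posts are hypothetical stand-ins.
type Role = "admin" | "editor" | "viewer";
type Session = { userId: string; role: Role };
type UpdatePostInput = { id: string; title: string };
// Constructed role -> permission table (assumption about the project's RBAC model).
const PERMISSIONS: Record<Role, readonly string[]> = {
  admin: ["post:update", "post:delete"],
  editor: ["post:update"],
  viewer: [],
};
const auditLog: { actor: string; action: string; target: string }[] = [];
const posts = new Map<string, { title: string }>([["p1", { title: "draft" }]]); // constructed
// Stand-in for the project's RBAC helper: fail closed when the permission is absent.
function requirePermission(session: Session, perm: string): void {
  if (!PERMISSIONS[session.role].includes(perm)) throw new Error(`forbidden: ${perm}`);
}
// Stand-in for the project's audit helper: records who did what to which record.
function createAuditEntry(actor: string, action: string, target: string): void {
  auditLog.push({ actor, action, target });
}
// Hand-written validator in place of a Zod schema: unknown keys (mass assignment),
// wrong types and oversized titles are rejected before anything else runs.
function parseUpdatePost(raw: unknown): UpdatePostInput {
  if (typeof raw !== "object" || raw === null) throw new Error("invalid input");
  const obj = raw as Record<string, unknown>;
  if (Object.keys(obj).some((k) => k !== "id" && k !== "title")) throw new Error("unexpected field");
  const { id, title } = obj;
  if (typeof id !== "string" || typeof title !== "string" || title.length > 200) {
    throw new Error("invalid input");
  }
  return { id, title };
}
// Escape user text at render time (it is stored raw) so it cannot inject markup.
const ESC: Record<string, string> = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => ESC[c]);
}
// Order matters: validate, then authorize, then mutate, then audit. A rejected
// request never reaches the store and writes no audit entry.
function updatePost(session: Session, raw: unknown): { id: string; html: string } {
  const input = parseUpdatePost(raw);
  requirePermission(session, "post:update");
  const post = posts.get(input.id);
  if (!post) throw new Error("not found");
  post.title = input.title;
  createAuditEntry(session.userId, "post.update", input.id);
  return { id: input.id, html: escapeHtml(post.title) };
}
```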