Added
- API token authentication: admins can create named Bearer / X-API-Key tokens for external integrations; tokens are SHA-256-hashed at rest, support optional expiry and revocation, and track last-used timestamp
- Settings: new "API Tokens" section for admins to create and revoke tokens; the full token value is shown only once immediately after creation
- OpenAPI 3.0 specification served at
/api/v1/openapi.jsonand/openapi.json(download via?download=1) - Budget: new endpoints
GET /api/v1/budget/categoriesandGET /api/v1/budget/categories/:key/subcategorieswith optional?lang=localisation
Changed
server/logger.jsnow serialisesErrorobjects into structured JSON fields (name, message, stack) instead of logging{}