plan(phase1): MxGateway 1.3 done+approved (lib 0.1.2); ScadaBridge 1.3 pending

docs/plans/2026-06-02-auth-audit-normalization-phase1.md

@@ -123,6 +123,25 @@ Remaining Phase 1: **1.3 ApiKeys** (MxGateway donor cutover — low risk; ScadaB
 largest single item: SQLite store + Bearer format + scopes + key re-issuance), **1.5** claims/cookies,
 **1.6** dev base DN, **1.7** canonical roles.
 
+## Task 1.3 ApiKeys — MxGateway DONE; ScadaBridge pending (2026-06-02)
+
+**Library bumped to `0.1.2`**: `Auth.ApiKeys` SQLite migrator now stamps schema version **2** (was 1) to
+match the donor gateway's deployed `gateway-auth.db` — without it the gateway would fail to boot (migrator
+threw on a newer on-disk version). Final schema byte-identical since v1; no key re-issuance. Republished,
+re-pinned in MxGateway. (+2 migrator tests.)
+
+**MxGateway 1.3 — DONE + APPROVED** (commit `05009d7`): deleted 28 local pipeline files, adopted
+`Auth.ApiKeys 0.1.2` via `AddZbApiKeyAuth`; kept `ConstraintEnforcer`/gRPC interceptor/scopes/CLI/dashboard
+on top via a `GatewayApiKeyIdentityMapper` (library identity → gateway identity-with-EffectiveConstraints).
+Review: no Critical; no auth bypass, schema compat + crypto parity + gRPC status mapping verified. Non-blocking
+follow-ups: (a) dashboard mutations now write two audit rows (library + `dashboard-*`) — fine, note for Phase 2
+audit bridging; (b) nit: `GatewayApiKeyIdentityMapper` uses `Constraints as string` (opaque coupling) — consider
+a guard/contract test.
+
+**ScadaBridge 1.3 — PENDING**: the full inbound-API re-architecture (SQL Server → SQLite store, `X-API-Key`
+→ Bearer, per-method-approval → scopes/constraints, **all inbound keys re-issued**). Largest/highest-risk
+single item in the program; warrants its own focused pass (likely decomposed).
+
 ## Resolved decisions (2026-06-02)
 
 - **Decision A — ScadaBridge inbound API keys depth → (a) FULL ADOPT.** Re-architect inbound-API auth to the