API keys
Encrypted storage for every child-project admin key the super-admin holds. Plaintext keys never re-enter the browser after the initial paste — they’re sealed at rest with AES-256-GCM and only decrypted server-side at use time.
key
No keys stored yet
Once you register a domain, its encrypted key gets a row here with the fingerprint, age, and last-used timestamp. Rotate, disable, or remove from there.
Phase 3.3 — surfaces projects.list