Evidence gallery
GET /audit/evidence lists invoice and receipt evidence (filterable by kind — invoice,
proof, or all — and by subject company), backed by the same files uploaded through the
Files API’s presign → upload → confirm flow. Every download is
authorized and scan-policy checked server-side, not just hidden in the UI.
Operation log
GET /audit/operations lists audit events: contract create/edit/delete/import/export, field
definition changes, workflow transitions/approvals/returns/unlocks, payment and invoice changes,
file upload/download/delete, and permission/member changes. Each event is typed (see the
OpType values in Audit) and searchable.
Reading the full operation log requires the
admin module permission; reading evidence requires
only contract_view. See Roles & Permissions.
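
The sketch below is an added example, not code from the product: it shows the server-side gate described above, where each route maps to one required permission and every evidence download is re-checked against permission, upload confirmation and scan policy. The two routes, the kind values and the permission names come from this page; the function names, record fields, scan state names, and the treatment of permissions as a flat set with no inheritance are assumptions.

```python
from dataclasses import dataclass

# Permission names and routes come from the page; all other names are hypothetical.
REQUIRED = {"/audit/evidence": "contract_view", "/audit/operations": "admin"}
EVIDENCE_KINDS = {"invoice", "proof", "all"}
SERVABLE_SCAN_STATES = {"clean"}  # assumed states: "pending", "clean", "infected"


@dataclass(frozen=True)
class EvidenceFile:
    file_id: str
    kind: str         # "invoice" or "proof"
    company_id: str
    confirmed: bool   # presign -> upload -> confirm completed
    scan_state: str


# Constructed sample records, not real data.
SAMPLE = [
    EvidenceFile("f1", "invoice", "acme", True, "clean"),
    EvidenceFile("f2", "proof", "acme", True, "pending"),
    EvidenceFile("f3", "proof", "globex", False, "clean"),
]


def can_read(route, permissions):
    # Deny by default: a route with no registered permission is never readable.
    required = REQUIRED.get(route)
    return required is not None and required in permissions


def list_evidence(files, permissions, kind="all", company_id=None):
    if not can_read("/audit/evidence", permissions):
        raise PermissionError("contract_view required")
    if kind not in EVIDENCE_KINDS:
        raise ValueError(f"unknown kind: {kind!r}")
    return [f for f in files
            if (kind == "all" or f.kind == kind)
            and (company_id is None or f.company_id == company_id)]


def authorize_download(file, permissions):
    # Re-checked on every request; a link hidden in the UI is not a control.
    if not can_read("/audit/evidence", permissions):
        return False, "forbidden"
    if not file.confirmed:
        return False, "upload_not_confirmed"
    if file.scan_state not in SERVABLE_SCAN_STATES:
        return False, "scan_" + file.scan_state
    return True, "ok"
```

The returned reason string is meant for the server's own audit trail; what the client sees for a denied download is a separate decision.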