[codex] Restrict organization API key management to owners

[benjaminshafii]

Summary

• Restrict organization API-key management to workspace owners only.
• Update the API response descriptions and security operations docs to match the owner-only policy.
• Add regression coverage for the API-key management access gate alongside the existing identity-configuration gate.

Validation

• pnpm install --frozen-lockfile - passed.
• pnpm --filter @openwork-ee/den-api build - passed.
• bun test ee/apps/den-api/test/org-identity-access.test.ts - passed, 2 pass / 0 fail.
• pnpm --dir ee/apps/den-api exec tsc -p tsconfig.json --noEmit - passed.
• node -e "JSON.parse(require('fs').readFileSync('packages/docs/docs.json','utf8')); console.log('docs.json parse ok')" - passed.
• git diff --check - passed.
• bun test ee/apps/den-api/test - passed, 139 pass / 0 fail.
• git diff --cached --check - passed before commit.

Live Smoke

Not applicable: this is a server-side authorization and documentation change with no UI/runtime boundary change.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
openwork-app	Ready	Preview, Comment	Jun 14, 2026 1:02am
openwork-den	Ready	Preview, Comment	Jun 14, 2026 1:02am
openwork-den-worker-proxy	Ready	Preview, Comment	Jun 14, 2026 1:02am
openwork-landing	Ready	Preview, Comment, Open in v0	Jun 14, 2026 1:02am

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
differentai	🔴 Failed	–	Jun 14, 2026, 1:06 AM

💡 Tip: Enable Workflows to automatically generate PRs for you.