Mux working on behalf of Mike.

User AI provider key create, update, and delete are self-service mutations introduced by the AI provider migration. The current migration keeps parity with the legacy user chat provider key flow and does not audit these actions in the stack.

Follow up by deciding and implementing the audit policy for these mutations.

Acceptance criteria

• Decide whether user AI provider key create, update, and delete should emit audit events.
• If auditing is required, add audit coverage that records the actor, affected user, and AI provider without exposing key material.
• Add tests for the selected behavior.
• Document any deliberate no-audit decision if the policy remains unchanged.

Context

• Raised from review feedback on feat: use AI provider chat APIs #25415.
• User-scoped key material must never be included in audit payloads.
• I attempted to create this in Linear for the Coder Agents team, but the Linear MCP returned invalid_request for issue creation.