feat(api): expose safari session list/get/export as app_key-callable OpenAPI endpoints

[ysyneu]

What

Adds three AI SRE (safari) session read endpoints to the OpenAPI spec as app_key-callable (AppKeyAuth) operations, so the public go-flashduty SDK can generate typed clients against them. These power the upcoming /insight feature (analyze past sessions → surface SRE-friction suggestions).

Path	operationId	Purpose
POST /safari/session/list	session-read-list	Paginated session list (filter by app, entry surface, archive status, team scope)
POST /safari/session/get	session-read-info	One session + a backward-paged window of its events
POST /safari/session/export	session-read-export	Streaming NDJSON transcript of a session's full event history

All three are Auth:"all" in the fc-pgy registry (/safari/session/list = t_api 7002, /get = 7001, /export = 7011) — any valid app_key may call them. Reads are scoped to the account + person the app_key resolves to.

Modeling notes

• session/export is NOT typed JSON — it returns Content-Type: application/x-ndjson, one JSON object per line, the first line always a session_meta envelope. It is modeled as a streaming text body with an ExportLine reference schema documenting the per-line shape (session_meta, user_message, llm_call, tool_call, subagent_dispatch, final_answer, agent_text, error). Consumers must parse line-by-line and write to a file, never buffer the whole transcript. The SDK will need a hand-written streaming method for this endpoint.
• Schemas are grounded verbatim in the fc-safari handler request/response structs (SessionListRequest/SessionListResponse/SessionItem, SessionGetRequest/SessionGetResponse/EventItem, SessionExportRequest). Epoch-millis fields (created_at, updated_at, last_event_at, …) carry "Unix timestamp in milliseconds" descriptions so the description-driven SDK generator maps them to TimestampMilli.
• Request + response examples captured from live api-dev.
• get/export are permission-gated (CanChatSession) so they include a 403; list does not. The not-found case surfaces as HTTP 400 ResourceNotFound (per Flashduty convention), already covered by the BadRequest response.
• EN authored, ZH derived (human-facing text only) — structural parity verified.

Files

• api-reference/safari.openapi.en.json, safari.openapi.zh.json (per-module, what Mintlify renders)
• api-reference/openapi.en.json, openapi.zh.json (consolidated, for Apifox / cross-module audits)

Validation

• JSON valid (all 4 files); 3 session paths present in all 4.
• Every $ref in the new operations resolves; EN/ZH structural parity (path keys, operationIds, response codes, schema keys, property keys) holds; all three ops marked security: [{AppKeyAuth: []}].
• mint broken-links: my files introduce zero broken links (the 4 reported are pre-existing on main in on-call/.../http-pull.mdx, untouched here).