feat(audit): implement platform-wide audit logging

[betterclever]

Summary

• Adds a new audit_logs database table and Drizzle migration
• Implements AuditLogService and AuditLogRepository with full CRUD + filtering
• Instruments key services (API keys, secrets, webhooks, workflows, artifacts, analytics) to emit audit events
• Exposes a paginated GET /audit-logs REST endpoint with org-scoped access
• Adds frontend AuditLogSettings page under Settings
• Ships unit tests, e2e tests, and docs

Test plan

• Run pnpm test — unit tests for AuditLogService, AuthGuard, SecretsService, WebhooksService pass
• Run e2e suite: e2e-tests/core/audit-logs.test.ts covers create/list/filter flows
• Verify migration 0020_create-audit-logs.sql applies cleanly against dev DB
• Check Settings → Audit Logs page renders and paginates correctly

Closes ENG-174

🤖 Generated with Claude Code

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 9f87238fd2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use updated cursor when loading next audit log page

This handler sets cursor and immediately calls load('next'), but load reads query from the current render before the state update is applied. When users click “Load more” from the first page, the request is sent with the old cursor (undefined), so page 1 is fetched again and appended as duplicates; similar stale-state behavior also affects other flows that call setCursor(...) and then load(...) synchronously. Pass the next cursor directly into load (or trigger loading from cursor changes) so pagination requests always use the intended cursor.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Import audit query DTO as value for OpenAPI reflection

Using a type-only import for ListAuditLogsQueryDto strips the runtime class reference that Swagger relies on for @Query metadata, so this commit’s generated schema omits all /audit-logs query params (and the generated backend client shows query?: never for AuditLogsController_list). That makes typed SDK consumers unable to pass filters/cursor/limit even though the endpoint supports them; import the DTO as a value (or add explicit @ApiQuery declarations) to keep the contract accurate.

Useful? React with 👍 / 👎.