feat(audit): wider coverage — sensitive views, cron, jobs, portal abuse

Builds on the audit infra split (severity/source) by emitting events
from every place a security or operations review would want to see:

Sensitive data views (severity=warning):
- GDPR export download URL issued
- Audit log page opened (watch-the-watchers; first page only)
- CSV export of expenses
- Webhook secret regenerated

Authentication abuse (severity=warning, source=auth):
- Portal sign-in: success + failed-credentials + portal-disabled
- Portal password reset: unknown email + portal-disabled + bad token
- Portal activation: bad/expired token

Inbound webhook hardening:
- Documenso webhook with invalid X-Documenso-Secret now writes
  webhook_failed instead of being silently logged

Background work (source=cron / job):
- New attachWorkerAudit() helper wires every BullMQ worker to emit
  job_failed (severity=error) on .on('failed') and cron_run on
  .on('completed') for any job whose name matches the recurring
  scheduler list. Applied across all 10 workers.

1175/1175 vitest passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/queue/audit-helpers.ts

@@ -0,0 +1,92 @@
+/**
+ * Shared BullMQ → audit log glue.
+ *
+ * Each worker calls `attachWorkerAudit(worker, workerName)` after
+ * defining itself. We listen on the worker's BullMQ events and emit:
+ *
+ *   - `job_failed` (severity error, source 'job') for every BullMQ
+ *     `failed` event, regardless of attempt number. (Producers know if
+ *     this was a final failure via the existing per-worker logic.)
+ *   - `cron_run`   (severity info, source 'cron') for every successful
+ *     completion of a job whose name matches a recurring scheduler
+ *     entry — gives operators a heartbeat row per cron tick.
+ *
+ * Audit writes are fire-and-forget and never throw.
+ */
+
+import type { Job, Worker } from 'bullmq';
+
+import { createAuditLog } from '@/lib/audit';
+import { logger } from '@/lib/logger';
+
+/**
+ * Names that match recurring jobs registered in `scheduler.ts`.
+ * Keep in sync — a typo here just means the cron-tick row gets logged
+ * as a regular job instead of a cron run, no functional impact.
+ */
+const RECURRING_JOB_NAMES: ReadonlySet<string> = new Set([
+  'signature-poll',
+  'reminder-check',
+  'reminder-overdue-check',
+  'calendar-sync',
+  'invoice-overdue-check',
+  'tenure-expiry-check',
+  'currency-refresh',
+  'database-backup',
+  'backup-cleanup',
+  'session-cleanup',
+  'report-scheduler',
+  'notification-digest',
+  'temp-file-cleanup',
+  'form-expiry-check',
+  'alerts-evaluate',
+  'analytics-refresh',
+  'gdpr-export-cleanup',
+  'ai-usage-retention',
+  'error-events-retention',
+  'website-submissions-retention',
+]);
+
+export function attachWorkerAudit(worker: Worker, workerName: string): void {
+  worker.on('failed', (job: Job | undefined, err: Error) => {
+    void createAuditLog({
+      userId: null,
+      portId: null,
+      action: 'job_failed',
+      entityType: 'queue_job',
+      entityId: job?.id ?? `${workerName}:unknown`,
+      metadata: {
+        worker: workerName,
+        jobName: job?.name ?? 'unknown',
+        attemptsMade: job?.attemptsMade ?? null,
+        opts: job?.opts ? { attempts: job.opts.attempts } : null,
+        error: err.message?.slice(0, 1024) ?? null,
+      },
+      severity: 'error',
+      source: 'job',
+    });
+  });
+
+  worker.on('completed', (job: Job) => {
+    if (!RECURRING_JOB_NAMES.has(job.name)) return;
+    void createAuditLog({
+      userId: null,
+      portId: null,
+      action: 'cron_run',
+      entityType: 'cron',
+      entityId: job.name,
+      metadata: {
+        worker: workerName,
+        jobId: job.id ?? null,
+        durationMs: job.processedOn && job.finishedOn ? job.finishedOn - job.processedOn : null,
+      },
+      severity: 'info',
+      source: 'cron',
+    });
+  });
+
+  // Defensive logger — surface any audit-side failure to the worker log.
+  worker.on('error', (err) => {
+    logger.warn({ workerName, err }, 'BullMQ worker error');
+  });
+}