feat(audit): comprehensive logging — auth events, severity, source, IP

Audit log was previously silent on authentication and on background
work. This wires:

- Login (success + failed) and logout via a wrapper around better-auth's
  [...all] handler. Failed logins are severity 'warning' and carry the
  attempted email so brute-force attempts surface in the inspector.
- New severity (info|warning|error|critical) and source (user|auth|
  system|webhook|cron|job) columns on audit_logs. permission_denied
  defaults to 'warning', hard_delete to 'critical'.
- Webhook delivery success/failure/DLQ/retry now write audit rows
  alongside the webhook_deliveries detail table.
- IP address is now visible as a column in the inspector (was already
  captured at the helper level).
- Audit UI: severity badges per row, severity + source dropdowns, IP
  column, expanded action filter covering hard-delete, webhook events,
  job/cron events.

Migration 0044 adds the two columns + their port-scoped indexes.
1175/1175 vitest passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/db-reset.ts

@@ -16,7 +16,7 @@
 import 'dotenv/config';
 import postgres from 'postgres';
 
-const url = process.env.DATABASE_URL;
+const url: string = process.env.DATABASE_URL ?? '';
 if (!url) {
   console.error('DATABASE_URL is not set; aborting.');
   process.exit(1);

scripts/dev-open-browser.ts

@@ -16,7 +16,10 @@
  */
 
 import 'dotenv/config';
-import { chromium } from 'playwright';
+// @playwright/test re-exports the same chromium driver and is already
+// installed as a dev dep; using it avoids needing to add the standalone
+// `playwright` package as a separate dependency.
+import { chromium } from '@playwright/test';
 
 const USERS: Record<string, { email: string; password: string }> = {
   super_admin: { email: 'admin@portnimara.test', password: 'SuperAdmin12345!' },