feat(audit): comprehensive logging — auth events, severity, source, IP

Audit log was previously silent on authentication and on background
work. This wires:

- Login (success + failed) and logout via a wrapper around better-auth's
  [...all] handler. Failed logins are severity 'warning' and carry the
  attempted email so brute-force attempts surface in the inspector.
- New severity (info|warning|error|critical) and source (user|auth|
  system|webhook|cron|job) columns on audit_logs. permission_denied
  defaults to 'warning', hard_delete to 'critical'.
- Webhook delivery success/failure/DLQ/retry now write audit rows
  alongside the webhook_deliveries detail table.
- IP address is now visible as a column in the inspector (was already
  captured at the helper level).
- Audit UI: severity badges per row, severity + source dropdowns, IP
  column, expanded action filter covering hard-delete, webhook events,
  job/cron events.

Migration 0044 adds the two columns + their port-scoped indexes.
1175/1175 vitest passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/app/api/v1/admin/audit/route.ts

@@ -15,6 +15,8 @@ const auditQuerySchema = z.object({
   action: z.string().optional(),
   userId: z.string().optional(),
   entityId: z.string().optional(),
+  severity: z.enum(['info', 'warning', 'error', 'critical']).optional(),
+  source: z.enum(['user', 'system', 'auth', 'webhook', 'cron', 'job']).optional(),
   dateFrom: z.string().optional(),
   dateTo: z.string().optional(),
   /** Free-text query against the tsvector `search_text` column. */
@@ -39,6 +41,8 @@ export const GET = withAuth(
         action: query.action,
         entityType: query.entityType,
         entityId: query.entityId,
+        severity: query.severity,
+        source: query.source,
         from: query.dateFrom ? new Date(query.dateFrom) : undefined,
         to: query.dateTo ? new Date(query.dateTo) : undefined,
         cursor,