feat(security): add phase8 hardening with rate limits, audit logs, and auth-first simulator flow

Backend/db/schema.ts

@@ -150,6 +150,18 @@ export const pushNotifications = pgTable('push_notifications', {
   updatedAt: timestamp('updated_at', { withTimezone: true }).defaultNow().notNull(),
 });
 
+export const auditLogs = pgTable('audit_logs', {
+  id: uuid('id').defaultRandom().primaryKey(),
+  ownerUserId: uuid('owner_user_id').notNull().references(() => users.id),
+  actorDeviceId: uuid('actor_device_id').references(() => devices.id),
+  action: varchar('action', { length: 128 }).notNull(),
+  targetType: varchar('target_type', { length: 64 }).notNull(),
+  targetId: varchar('target_id', { length: 255 }).notNull(),
+  metadata: jsonb('metadata').$type<Record<string, unknown> | null>().default(null),
+  ipAddress: text('ip_address'),
+  createdAt: timestamp('created_at', { withTimezone: true }).defaultNow().notNull(),
+});
+
 export const accounts = pgTable('account', {
   id: uuid('id').defaultRandom().primaryKey(),
   userId: uuid('user_id').notNull().references(() => users.id),
@@ -197,6 +209,7 @@ export const schema = {
   videos,
   notifications,
   pushNotifications,
+  auditLogs,
   accounts,
   sessions,
   verifications,