feat(security): add phase8 hardening with rate limits, audit logs, and auth-first simulator flow

Backend/drizzle/0011_security_audit_logs.sql

@@ -0,0 +1,14 @@
+CREATE TABLE "audit_logs" (
+  "id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+  "owner_user_id" uuid NOT NULL,
+  "actor_device_id" uuid,
+  "action" varchar(128) NOT NULL,
+  "target_type" varchar(64) NOT NULL,
+  "target_id" varchar(255) NOT NULL,
+  "metadata" jsonb DEFAULT 'null'::jsonb,
+  "ip_address" text,
+  "created_at" timestamp with time zone DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_owner_user_id_users_id_fk" FOREIGN KEY ("owner_user_id") REFERENCES "public"."users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_actor_device_id_devices_id_fk" FOREIGN KEY ("actor_device_id") REFERENCES "public"."devices"("id") ON DELETE no action ON UPDATE no action;

Backend/drizzle/meta/_journal.json

@@ -78,6 +78,13 @@
       "when": 1770417956419,
       "tag": "0010_push_notifications_queue",
       "breakpoints": true
+    },
+    {
+      "idx": 11,
+      "version": "7",
+      "when": 1770418956419,
+      "tag": "0011_security_audit_logs",
+      "breakpoints": true
     }
   ]
 }