feat(security): add phase8 hardening with rate limits, audit logs, and auth-first simulator flow

Backend/services/audit.ts

@@ -0,0 +1,22 @@
+import { db } from '../db/client';
+import { auditLogs } from '../db/schema';
+
+export const writeAuditLog = async (entry: {
+  ownerUserId: string;
+  action: string;
+  targetType: string;
+  targetId: string;
+  actorDeviceId?: string;
+  metadata?: Record<string, unknown>;
+  ipAddress?: string;
+}): Promise<void> => {
+  await db.insert(auditLogs).values({
+    ownerUserId: entry.ownerUserId,
+    actorDeviceId: entry.actorDeviceId,
+    action: entry.action,
+    targetType: entry.targetType,
+    targetId: entry.targetId,
+    metadata: entry.metadata ?? null,
+    ipAddress: entry.ipAddress,
+  });
+};