Add audit log infrastructure and GET /v1/audit-logs endpoint

Introduces an append-only audit trail for all user and system actions:
sandbox lifecycle (create/pause/resume/destroy/auto-pause), snapshots,
team rename, API key create/revoke, member add/remove/leave/role_update,
and BYOC host add/delete/marked_down/marked_up.

- New audit_logs table (migration) with team_id, actor, resource,
  action, scope (team|admin), status (success|info|warning|error),
  metadata, and created_at
- AuditLogger (internal/audit) with named fire-and-forget methods per
  event; system actor used for background events (HostMonitor, TTL reaper)
- GET /v1/audit-logs: JWT-only, cursor pagination (max 200), multi-value
  filters for resource_type and action (comma-sep or repeated params);
  members see team-scoped events only, admins/owners see all
- AuthContext extended with APIKeyID + APIKeyName so API key requests
  record meaningful actor identity
- HostMonitor wired with AuditLogger for auto-pause and host marked_down

internal/auth/jwt.go

@@ -8,14 +8,14 @@ import (
 )
 
 const jwtExpiry = 6 * time.Hour
-const hostJWTExpiry = 7 * 24 * time.Hour       // 7 days; host refreshes via refresh token
+const hostJWTExpiry = 7 * 24 * time.Hour           // 7 days; host refreshes via refresh token
 const HostRefreshTokenExpiry = 60 * 24 * time.Hour // 60 days; exported for service layer
 
 // Claims are the JWT payload for user tokens.
 type Claims struct {
 	Type    string `json:"typ,omitempty"` // empty for user tokens; used to reject host tokens
 	TeamID  string `json:"team_id"`
-	Role    string `json:"role"`    // owner, admin, or member within TeamID
+	Role    string `json:"role"` // owner, admin, or member within TeamID
 	Email   string `json:"email"`
 	Name    string `json:"name"`
 	IsAdmin bool   `json:"is_admin,omitempty"` // platform-level admin flag