Switch database IDs from TEXT to native UUID

Consolidate 16 migrations into one with UUID columns for all entity
IDs. TEXT is kept only for polymorphic fields (audit_logs.actor_id,
resource_id) and template names. The id package now generates UUIDs
via google/uuid, with Format*/Parse* helpers for the prefixed wire
format (sb-{uuid}, usr-{uuid}, etc.). Auth context, services, and
handlers pass pgtype.UUID internally; conversion to/from prefixed
strings happens at API and RPC boundaries. Adds PlatformTeamID
(all-zeros UUID) for shared resources.

internal/api/handlers_audit.go

@@ -6,7 +6,10 @@ import (
 	"strings"
 	"time"
 
+	"github.com/jackc/pgx/v5/pgtype"
+
 	"git.omukk.dev/wrenn/sandbox/internal/auth"
+	"git.omukk.dev/wrenn/sandbox/internal/id"
 	"git.omukk.dev/wrenn/sandbox/internal/service"
 )
 
@@ -65,13 +68,24 @@ func (h *auditHandler) List(w http.ResponseWriter, r *http.Request) {
 		limit = n
 	}
 
+	// Parse ?before_id cursor (UUID).
+	var beforeID pgtype.UUID
+	if s := r.URL.Query().Get("before_id"); s != "" {
+		parsed, err := id.ParseAuditLogID(s)
+		if err != nil {
+			writeError(w, http.StatusBadRequest, "invalid_request", "before_id must be a valid audit log ID")
+			return
+		}
+		beforeID = parsed
+	}
+
 	entries, err := h.svc.List(r.Context(), service.AuditListParams{
 		TeamID:        ac.TeamID,
 		AdminScoped:   ac.Role == "owner" || ac.Role == "admin",
 		ResourceTypes: parseMultiParam(r.URL.Query()["resource_type"]),
 		Actions:       parseMultiParam(r.URL.Query()["action"]),
 		Before:        before,
-		BeforeID:      r.URL.Query().Get("before_id"),
+		BeforeID:      beforeID,
 		Limit:         limit,
 	})
 	if err != nil {