feat: anonymize audit logs on user hard-delete and fix host audit log team assignment

Anonymize audit logs when soft-deleted users are purged after 15 days:
actor_name set to 'deleted-user', actor_id and resource_id nulled,
email stripped from member metadata. Per-user delete ensures no user
is removed without successful anonymization.

Frontend renders deleted-user as a styled red badge in audit log view.

Fix shared host create/delete audit logs landing in admin's personal
team — now correctly assigned to PlatformTeamID.

pkg/cpserver/run.go

@@ -14,6 +14,8 @@ import (
 	"github.com/jackc/pgx/v5/pgxpool"
 	"github.com/redis/go-redis/v9"
 
+	"github.com/jackc/pgx/v5/pgtype"
+
 	"git.omukk.dev/wrenn/wrenn/internal/api"
 	"git.omukk.dev/wrenn/wrenn/internal/email"
 	"git.omukk.dev/wrenn/wrenn/pkg/audit"
@@ -22,6 +24,7 @@ import (
 	"git.omukk.dev/wrenn/wrenn/pkg/channels"
 	"git.omukk.dev/wrenn/wrenn/pkg/config"
 	"git.omukk.dev/wrenn/wrenn/pkg/db"
+	"git.omukk.dev/wrenn/wrenn/pkg/id"
 	"git.omukk.dev/wrenn/wrenn/pkg/lifecycle"
 	"git.omukk.dev/wrenn/wrenn/pkg/logging"
 	"git.omukk.dev/wrenn/wrenn/pkg/scheduler"
@@ -185,10 +188,11 @@ func Run(opts ...Option) {
 	channelDispatcher.Start(ctx)
 
 	// Start host monitor (passive + active reconciliation every 30s).
-	monitor := api.NewHostMonitor(queries, hostPool, al, 30*time.Second)
+	monitor := api.NewHostMonitor(queries, hostPool, al, 15*time.Second)
 	monitor.Start(ctx)
 
 	// Hard-delete accounts that have been soft-deleted for more than 15 days (runs every 24h).
+	// Audit logs referencing deleted users are anonymized before the user row is removed.
 	go func() {
 		ticker := time.NewTicker(24 * time.Hour)
 		defer ticker.Stop()
@@ -197,10 +201,26 @@ func Run(opts ...Option) {
 			case <-ctx.Done():
 				return
 			case <-ticker.C:
-				if err := queries.HardDeleteExpiredUsers(ctx); err != nil {
-					slog.Error("account cleanup: failed to hard-delete expired users", "error", err)
-				} else {
-					slog.Info("account cleanup: hard-deleted expired users")
+				expired, err := queries.ListExpiredSoftDeletedUsers(ctx)
+				if err != nil {
+					slog.Error("account cleanup: failed to list expired users", "error", err)
+					continue
+				}
+				var deleted int
+				for _, userID := range expired {
+					prefixedID := id.FormatUserID(userID)
+					if err := queries.AnonymizeAuditLogsByUserID(ctx, pgtype.Text{String: prefixedID, Valid: true}); err != nil {
+						slog.Error("account cleanup: failed to anonymize audit logs, skipping delete", "user_id", prefixedID, "error", err)
+						continue
+					}
+					if err := queries.HardDeleteUser(ctx, userID); err != nil {
+						slog.Error("account cleanup: failed to hard-delete user", "user_id", prefixedID, "error", err)
+						continue
+					}
+					deleted++
+				}
+				if len(expired) > 0 {
+					slog.Info("account cleanup: processed expired users", "total", len(expired), "deleted", deleted)
 				}
 			}
 		}