feat: implement audit trail module

- Backend (FastAPI):
  - AuditLog and AuditAlert models with Alembic migration
  - AuditService with SHA-256 checksum for log integrity
  - AuditMiddleware for request metadata extraction (IP, user_agent)
  - Integrated audit logging into Task, Project, Blocker APIs
  - Query API with filtering, pagination, CSV export
  - Integrity verification endpoint
  - Sensitive operation alerts with acknowledgement

- Frontend (React + Vite):
  - Admin AuditPage with filters and export
  - ResourceHistory component for change tracking
  - Audit service for API calls

- Testing:
  - 15 tests covering service and API endpoints

- OpenSpec:
  - add-audit-trail change archived

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/projects/router.py

@@ -1,10 +1,10 @@
 import uuid
 from typing import List
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, HTTPException, status, Request
 from sqlalchemy.orm import Session
 
 from app.core.database import get_db
-from app.models import User, Space, Project, TaskStatus
+from app.models import User, Space, Project, TaskStatus, AuditAction
 from app.models.task_status import DEFAULT_STATUSES
 from app.schemas.project import ProjectCreate, ProjectUpdate, ProjectResponse, ProjectWithDetails
 from app.schemas.task_status import TaskStatusResponse
@@ -12,6 +12,8 @@ from app.middleware.auth import (
     get_current_user, check_space_access, check_space_edit_access,
     check_project_access, check_project_edit_access
 )
+from app.middleware.audit import get_audit_metadata
+from app.services.audit_service import AuditService
 
 router = APIRouter(tags=["projects"])
 
@@ -85,6 +87,7 @@ async def list_projects_in_space(
 async def create_project(
     space_id: str,
     project_data: ProjectCreate,
+    request: Request,
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -124,6 +127,18 @@ async def create_project(
     # Create default task statuses
     create_default_statuses(db, project.id)
 
+    # Audit log
+    AuditService.log_event(
+        db=db,
+        event_type="project.create",
+        resource_type="project",
+        action=AuditAction.CREATE,
+        user_id=current_user.id,
+        resource_id=project.id,
+        changes=[{"field": "title", "old_value": None, "new_value": project.title}],
+        request_metadata=get_audit_metadata(request),
+    )
+
     db.commit()
     db.refresh(project)
 
@@ -180,6 +195,7 @@ async def get_project(
 async def update_project(
     project_id: str,
     project_data: ProjectUpdate,
+    request: Request,
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -200,6 +216,17 @@ async def update_project(
             detail="Only project owner can update",
         )
 
+    # Capture old values for audit
+    old_values = {
+        "title": project.title,
+        "description": project.description,
+        "budget": project.budget,
+        "start_date": project.start_date,
+        "end_date": project.end_date,
+        "security_level": project.security_level,
+        "status": project.status,
+    }
+
     # Update fields
     update_data = project_data.model_dump(exclude_unset=True)
     for field, value in update_data.items():
@@ -208,6 +235,30 @@ async def update_project(
         else:
             setattr(project, field, value)
 
+    # Capture new values and log changes
+    new_values = {
+        "title": project.title,
+        "description": project.description,
+        "budget": project.budget,
+        "start_date": project.start_date,
+        "end_date": project.end_date,
+        "security_level": project.security_level,
+        "status": project.status,
+    }
+
+    changes = AuditService.detect_changes(old_values, new_values)
+    if changes:
+        AuditService.log_event(
+            db=db,
+            event_type="project.update",
+            resource_type="project",
+            action=AuditAction.UPDATE,
+            user_id=current_user.id,
+            resource_id=project.id,
+            changes=changes,
+            request_metadata=get_audit_metadata(request),
+        )
+
     db.commit()
     db.refresh(project)
 
@@ -217,6 +268,7 @@ async def update_project(
 @router.delete("/api/projects/{project_id}", status_code=status.HTTP_204_NO_CONTENT)
 async def delete_project(
     project_id: str,
+    request: Request,
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
@@ -237,6 +289,18 @@ async def delete_project(
             detail="Only project owner can delete",
         )
 
+    # Audit log before deletion (this is a high-sensitivity event that triggers alert)
+    AuditService.log_event(
+        db=db,
+        event_type="project.delete",
+        resource_type="project",
+        action=AuditAction.DELETE,
+        user_id=current_user.id,
+        resource_id=project.id,
+        changes=[{"field": "title", "old_value": project.title, "new_value": None}],
+        request_metadata=get_audit_metadata(request),
+    )
+
     db.delete(project)
     db.commit()