feat: implement audit trail alignment (soft delete & permission audit)

- Task Soft Delete:
  - Add is_deleted, deleted_at, deleted_by fields to Task model
  - Convert DELETE to soft delete with cascade to subtasks
  - Add include_deleted query param (admin only)
  - Add POST /api/tasks/{id}/restore endpoint
  - Exclude deleted tasks from subtask_count

- Permission Change Audit:
  - Add user.role_change event (high sensitivity)
  - Add user.admin_change event (critical, triggers alert)
  - Add PATCH /api/users/{id}/admin endpoint
  - Add role.permission_change event type

- Append-Only Enforcement:
  - Add DB triggers for audit_logs immutability (manual for production)
  - Migration 008 with graceful trigger failure handling

- Tests: 11 new soft delete tests (153 total passing)
- OpenSpec: fix-audit-trail archived, fix-realtime-notifications & fix-weekly-report proposals added

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/users/router.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, HTTPException, status, Query
+from fastapi import APIRouter, Depends, HTTPException, status, Query, Request
 from sqlalchemy.orm import Session
 from sqlalchemy import or_
 from typing import List
@@ -6,6 +6,7 @@ from typing import List
 from app.core.database import get_db
 from app.models.user import User
 from app.models.role import Role
+from app.models import AuditAction
 from app.schemas.user import UserResponse, UserUpdate
 from app.middleware.auth import (
     get_current_user,
@@ -13,6 +14,8 @@ from app.middleware.auth import (
     require_system_admin,
     check_department_access,
 )
+from app.middleware.audit import get_audit_metadata
+from app.services.audit_service import AuditService
 
 router = APIRouter()
 
@@ -135,6 +138,7 @@ async def update_user(
 async def assign_role(
     user_id: str,
     role_id: str,
+    request: Request,
     db: Session = Depends(get_db),
     current_user: User = Depends(require_system_admin),
 ):
@@ -170,7 +174,68 @@ async def assign_role(
             detail="Cannot assign system role",
         )
 
+    old_role_id = user.role_id
     user.role_id = role_id
+
+    # Audit log for role change (high sensitivity)
+    if old_role_id != role_id:
+        AuditService.log_event(
+            db=db,
+            event_type="user.role_change",
+            resource_type="user",
+            action=AuditAction.UPDATE,
+            user_id=current_user.id,
+            resource_id=user.id,
+            changes=[{"field": "role_id", "old_value": old_role_id, "new_value": role_id}],
+            request_metadata=get_audit_metadata(request),
+        )
+
+    db.commit()
+    db.refresh(user)
+    return user
+
+
+@router.patch("/{user_id}/admin", response_model=UserResponse)
+async def set_admin_status(
+    user_id: str,
+    is_admin: bool,
+    request: Request,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(require_system_admin),
+):
+    """
+    Set or revoke system administrator status. Requires system admin.
+    """
+    user = db.query(User).filter(User.id == user_id).first()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="User not found",
+        )
+
+    # Prevent self-modification
+    if user.id == current_user.id:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Cannot modify your own admin status",
+        )
+
+    old_admin_status = user.is_system_admin
+    user.is_system_admin = is_admin
+
+    # Audit log for admin change (critical sensitivity, triggers alert)
+    if old_admin_status != is_admin:
+        AuditService.log_event(
+            db=db,
+            event_type="user.admin_change",
+            resource_type="user",
+            action=AuditAction.UPDATE,
+            user_id=current_user.id,
+            resource_id=user.id,
+            changes=[{"field": "is_system_admin", "old_value": old_admin_status, "new_value": is_admin}],
+            request_metadata=get_audit_metadata(request),
+        )
+
     db.commit()
     db.refresh(user)
     return user