feat: add audit log table and integration with admin/tree endpoints

Creates AuditLog model with JSONB details column for tracking admin
actions. Integrates log_audit() helper into admin endpoints (role
change, team admin toggle, deactivate, activate) and tree delete.
IP address column reserved for future Railway proxy header support.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/api/endpoints/admin.py

@@ -5,6 +5,7 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy import select, func
 
 from app.core.database import get_db
+from app.core.audit import log_audit
 from app.models.user import User
 from app.schemas.user import UserResponse, RoleUpdate, TeamAdminUpdate
 from app.api.deps import require_admin
@@ -81,7 +82,10 @@ async def update_user_role(
             detail="Cannot change your own role"
         )
 
+    old_role = user.role
     user.role = role_data.role
+    await log_audit(db, current_user.id, "user.role_change", "user", user.id,
+                    {"old_role": old_role, "new_role": role_data.role})
     await db.commit()
     await db.refresh(user)
     return user
@@ -111,6 +115,8 @@ async def toggle_team_admin(
         )
 
     user.is_team_admin = data.is_team_admin
+    await log_audit(db, current_user.id, "user.team_admin_toggle", "user", user.id,
+                    {"is_team_admin": data.is_team_admin})
     await db.commit()
     await db.refresh(user)
     return user
@@ -139,6 +145,7 @@ async def deactivate_user(
         )
 
     user.is_active = False
+    await log_audit(db, current_user.id, "user.deactivate", "user", user.id)
     await db.commit()
     await db.refresh(user)
     return user
@@ -161,6 +168,7 @@ async def activate_user(
         )
 
     user.is_active = True
+    await log_audit(db, current_user.id, "user.activate", "user", user.id)
     await db.commit()
     await db.refresh(user)
     return user