fix(l1): write audit_logs rows at resolve/escalate with acting_as

Per spec §5.6.1, audit rows are written at session terminal events
(resolve, escalate, escalate_without_walk). log_audit gains an optional
acting_as parameter that propagates the session's acting_as tag
('l1_coverage' for engineer coverers, null for native L1 users).
Final code review flagged this as Important — column existed but was
never populated. Four new integration tests cover all three paths.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/app/core/audit.py

@@ -13,13 +13,20 @@ async def log_audit(
     resource_id: Optional[UUID] = None,
     details: Optional[dict] = None,
     account_id: Optional[UUID] = None,
+    acting_as: Optional[str] = None,
 ) -> None:
-    """Record an audit log entry. Does not commit — piggybacks on the caller's commit."""
+    """Record an audit log entry. Does not commit — caller's commit picks it up.
+
+    acting_as: optional tag from the session (e.g. 'l1_coverage' for engineers
+    on the L1 surface, None for native l1_tech users).
+    """
     if account_id is None:
         # Derive from the acting user's account as a fallback (one extra query).
         from sqlalchemy import select
         from app.models.user import User
-        result = await db.execute(select(User.account_id).where(User.id == user_id))
+        result = await db.execute(
+            select(User.account_id).where(User.id == user_id)
+        )
         account_id = result.scalar_one()
 
     entry = AuditLog(
@@ -29,5 +36,6 @@ async def log_audit(
         resource_type=resource_type,
         resource_id=resource_id,
         details=details,
+        acting_as=acting_as,
     )
     db.add(entry)