Audit Log Search, Filtering, and Compliance Export

[blessme247]

Closes #70

Summary

Implements a dedicated AuditLogModule covering full-text search, advanced filtering, signed bulk export, retention enforcement, and at-rest encryption for audit logs — closing all items in the linked issue's Definition of Done.

The existing ProvenanceController/DTOs attached to the issue cover AI agent call provenance (LLM provider calls, on-chain tx hashes, signature verification) — a different domain from generic audit logging (auth events, CRUD actions, IP-based access tracking). Rather than overload ProvenanceRecord with unrelated fields, this PR introduces a parallel AuditLog entity and module, following the same architectural conventions already established in ProvenanceController (NestJS guards, class-validator DTOs, Swagger decorators, paginated response shapes).

---

What's included

File | Purpose -- | -- entities/audit-log.entity.ts | TypeORM entity with composite indexes on (userId, createdAt), (action, createdAt), (ipAddress, createdAt); AES-256-GCM column transformer encrypting details at rest migrations/1700000000000-CreateAuditLogTable.ts | Table + enum + indexes, including a GIN(to_tsvector(...)) index for sub-2s full-text search at 1M+ rows dto/query-audit-log.dto.ts | QueryAuditLogDto (search, userId/action/ipAddress/date filters, pagination capped at 100/page) and ExportAuditLogDto (date range required, limit capped at 100,000) dto/audit-log-response.dto.ts | Response shape + paginated list wrapper guards/compliance-officer.guard.ts | Restricts all routes to compliance_officer or admin roles export-signing.service.ts | HMAC-SHA256 signing/verification using a system key, for export integrity audit-log.service.ts | Query builder for search/filter, JSON/CSV export, and two @Cron jobs: archival at 1 year, hard deletion at 7 years audit-log.controller.ts | GET /audit-logs, GET /audit-logs/:id, GET /audit-logs/export — all behind JwtAuthGuard + ComplianceOfficerGuard audit-log.module.ts | Wires entity, service, controller, and ScheduleModule for cron jobs

---

Design decisions

• Search field is materialized, not computed at query time. searchText is built once at write time (record()concatenates action, resource type/ID, IP, and details) so the GIN index stays simple and queries don't pay tokenization cost per row at read time.
• Cold storage is injected, not hardcoded. archiveOldLogs accepts an optional coldStorageWriter: (logs) => Promise<void>callback rather than importing an S3 client directly, so the actual storage backend (S3/Glacier/GCS) can be wired in per environment without changing this module.
• CSV signing covers the same payload that's sent to the client. The signature is computed over the exact string written to the response body, so verification on the receiving end is a direct byte-for-byte HMAC check — no risk of signing a different serialization than what was sent.
• Encryption key and signing key are separate secrets (AUDIT_LOG_ENCRYPTION_KEY, AUDIT_EXPORT_SIGNING_KEY) so rotating one doesn't invalidate the other.

---

Required setup before merge

1. Set AUDIT_LOG_ENCRYPTION_KEY (32-byte hex string) and AUDIT_EXPORT_SIGNING_KEY in environment config — both throw at runtime if unset when first used.
2. Run the migration: create-audit-log.ts.
3. Wire a real coldStorageWriter callback into archiveOldLogs for production (currently a no-op if not supplied — logs are marked archived without actually moving data).