feat: error audit middleware, impersonation attribution, account lockout logging

- Add withErrorAudit middleware tracking FORBIDDEN/UNAUTHORIZED/NOT_FOUND per user
- Fix impersonation attribution: log real admin ID, prefix IMPERSONATED_ on actions
- Add ACCOUNT_LOCKED audit events on login lockout (distinct from LOGIN_FAILED)
- Audit export of assignments and audit logs (meta-audit gap)
- Update audit page UI with new security event types and colors

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/app/(admin)/admin/audit/page.tsx

@@ -126,6 +126,11 @@ const ACTION_TYPES = [
   'USER_CHANGE_PASSWORD',
   'USER_COMPLETE_ONBOARDING',
   'SPECIAL_AWARD_SUBMIT_VOTE',
+  // Security events
+  'ACCOUNT_LOCKED',
+  'ACCESS_DENIED_FORBIDDEN',
+  'ACCESS_DENIED_UNAUTHORIZED',
+  'ACCESS_DENIED_NOT_FOUND',
 ]
 
 // Entity type options
@@ -210,6 +215,11 @@ const actionColors: Record<string, 'default' | 'destructive' | 'secondary' | 'ou
   USER_SET_PASSWORD: 'outline',
   USER_CHANGE_PASSWORD: 'outline',
   USER_COMPLETE_ONBOARDING: 'default',
+  // Security events
+  ACCOUNT_LOCKED: 'destructive',
+  ACCESS_DENIED_FORBIDDEN: 'destructive',
+  ACCESS_DENIED_UNAUTHORIZED: 'destructive',
+  ACCESS_DENIED_NOT_FOUND: 'secondary',
 }