feat: SOC2 audit log completeness — hybrid interceptor + explicit calls

Add AuditInterceptor as a safety net that auto-audits any POST/PUT/DELETE
without an explicit audit call (excludes data ingestion + heartbeat).
AuditService sets a request attribute so the interceptor skips when
explicit logging already happened.

New explicit audit calls:
- ApplicationConfigController: view/update app config
- AgentCommandController: send/broadcast commands (AGENT category)
- AgentRegistrationController: agent register + token refresh
- UiAuthController: UI token refresh
- OidcAuthController: OIDC callback failure
- AuditLogController: view audit log (sensitive read)
- UserAdminController: view users (sensitive read)
- OidcConfigAdminController: view OIDC config (sensitive read)

New AuditCategory.AGENT added. Frontend audit log filter updated.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cameleer3-server-core/src/main/java/com/cameleer3/server/core/admin/AuditCategory.java

@@ -1,5 +1,5 @@
 package com.cameleer3.server.core.admin;
 
 public enum AuditCategory {
-    INFRA, AUTH, USER_MGMT, CONFIG, RBAC
+    INFRA, AUTH, USER_MGMT, CONFIG, RBAC, AGENT
 }

cameleer3-server-core/src/main/java/com/cameleer3/server/core/admin/AuditService.java

@@ -34,6 +34,10 @@ public class AuditService {
 
         repository.insert(record);
 
+        if (request != null) {
+            request.setAttribute("audit.logged", true);
+        }
+
         log.info("AUDIT: user={} action={} category={} target={} result={}",
                 username, action, category, target, result);
     }