## What it is
Audit query API (`@rox-one/audit/query`): a SQL-like DSL over the JSON columns of the audit log. Example queries:
```
AUDIT.SELECT actor, event, ts WHERE event LIKE 'auth.login.%' AND scope.workspaceId = ? ORDER BY ts DESC LIMIT 100
```
Under the hood: query parser → SQLite JSON1 expressions → exec → stream results. Surface: the CLI (`rox audit query`), an API endpoint for the admin UI (`/admin/audit` in settings), and a programmatic API for skills/automations.
Pagination uses a cursor (last-ts + last-id) rather than an offset, so that large logs do not hurt. All queries are scoped to the current workspace by default; cross-workspace queries require the `admin` role.
Components: `@rox-one/audit`, `packages/audit/query-parser`. Tests: 50+ query examples in fixtures.
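
The parser → JSON1 → cursor pipeline described above, as an added sketch (not the code of `@rox-one/audit`): it compiles the one query shape shown in the example into parameterized SQLite SQL. The table and column names (`audit_log`, `id`, `ts`, `actor`, `event`, `scope`), the `ctx` object and the limit cap are assumptions.

```javascript
// Added example; table/column names (audit_log, id, ts, actor, event, scope) are assumed.
const COLUMNS = new Set(["id", "ts", "actor", "event"]); // plain columns
const JSON_COLUMNS = new Set(["scope"]);                 // JSON1 columns
const PATH = /^([a-z]+)\.([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)$/;
const QUERY = /^AUDIT\.SELECT\s+(.+?)\s+WHERE\s+(.+?)\s+ORDER BY ts DESC\s+LIMIT\s+(\d+)$/;
const COND = /^(\S+)\s*(=|LIKE)\s*(\?|'[^']*')$/;

// Identifiers never reach SQL as raw text: a field is either an allowlisted
// column or a validated JSON path under an allowlisted JSON column.
function fieldToSql(field) {
  if (COLUMNS.has(field)) return field;
  const m = PATH.exec(field);
  if (m && JSON_COLUMNS.has(m[1])) return `json_extract(${m[1]}, '$.${m[2]}')`;
  throw new Error(`unknown field: ${field}`);
}

// ctx = { workspaceId, role, crossWorkspace?, cursor?: { ts, id } }
function compileAuditQuery(dsl, args, ctx) {
  const q = QUERY.exec(dsl.trim());
  if (!q) throw new Error("unsupported query shape");
  const select = q[1].split(/\s*,\s*/).map(fieldToSql);
  if (!select.includes("id")) select.push("id"); // next cursor needs last-id
  const params = [];
  const pending = [...args];
  // A literal containing " AND " splits into fragments that fail COND: fail closed.
  const where = q[2].split(/\s+AND\s+/).map((cond) => {
    const c = COND.exec(cond);
    if (!c) throw new Error(`unsupported condition: ${cond}`);
    if (c[3] === "?" && pending.length === 0) throw new Error("missing argument");
    params.push(c[3] === "?" ? pending.shift() : c[3].slice(1, -1)); // values are always bound
    return `${fieldToSql(c[1])} ${c[2]} ?`;
  });
  if (pending.length) throw new Error("too many arguments");
  if (ctx.crossWorkspace) {
    if (ctx.role !== "admin") throw new Error("cross-workspace requires admin");
  } else {
    where.push("json_extract(scope, '$.workspaceId') = ?"); // scope added by the compiler
    params.push(ctx.workspaceId);
  }
  if (ctx.cursor) {
    where.push("(ts, id) < (?, ?)"); // keyset pagination on (last-ts, last-id)
    params.push(ctx.cursor.ts, ctx.cursor.id);
  }
  const limit = Math.min(Number(q[3]), 1000); // cap is an assumption
  const sql = `SELECT ${select.join(", ")} FROM audit_log WHERE ${where.join(" AND ")} ` +
    `ORDER BY ts DESC, id DESC LIMIT ${limit}`;
  return { sql, params };
}
```

The workspace predicate is appended by the compiler even when the caller supplies its own `scope.workspaceId` condition, so a non-admin query naming another workspace matches no rows. The row-value comparison `(ts, id) < (?, ?)` needs SQLite 3.15 or later.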
## Why
An audit log without a query API is a write-only landfill. The real value is quick "who did what when" investigation. A structured DSL makes queries safe (no SQL injection) and portable across audit storage backends (SQLite, ClickHouse in the future). T220 query API.
## Sources of inspiration
- [agisota/bslog](https://github.com/agisota/bslog) — CLI for Better Stack logs in ClickHouse-SQL style
- [Siddhant-K-code/agent-trace](https://github.com/Siddhant-K-code/agent-trace) — queryable trace API
- [hijohnnylin/neuronpedia](https://github.com/hijohnnylin/neuronpedia) — AI interpretability with audit introspection
- [Agenta-AI/agenta](https://github.com/Agenta-AI/agenta) — LLMOps with trace schema
## 🔗 Linear
- [PZD-428](https://linear.app/kuhjie/issue/PZD-428) — backing ticket