feat: Activity History system — full audit coverage, UI, AI tools

Infrastructure (Phase 1):
- AuditLog schema: add source, entityName, summary fields + index
- createAuditEntry() helper: auto-diff, auto-summary, fire-and-forget
- auditLog query router: list, getByEntity, getTimeline, getActivitySummary

Audit Coverage (Phase 2 — 14 routers, 50+ mutations):
- vacation: create, approve, reject, cancel, batch ops (8 mutations)
- user: create, updateRole, setPermissions, resetPermissions (5 mutations)
- entitlement: set, bulkSet (3 mutations)
- client: create, update, delete, batchUpdateSortOrder
- org-unit: create, update, deactivate
- country: create, update, createCity, updateCity, deleteCity
- management-level: createGroup, updateGroup, createLevel, updateLevel, deleteLevel
- settings: updateSystemSettings (sensitive fields sanitized), testSmtp
- blueprint: create, update, updateRolePresets, delete, batchDelete, setGlobal
- rate-card: create, update, deactivate, addLine, updateLine, deleteLine, replaceLines
- calculation-rules: create, update, delete
- effort-rule: create, update, delete
- experience-multiplier: create, update, delete
- utilization-category: create, update

Admin UI (Phase 3):
- /admin/activity-log page with global searchable timeline
- Filters: entity type, action, user, date range, text search
- Expandable before/after diff view per entry
- Summary cards showing top entity types by change count
- EntityHistory reusable component for entity detail pages
- Sidebar nav link with clock icon

AI Assistant (Phase 4):
- query_change_history tool: "Who changed project X?"
- get_entity_timeline tool: "What happened to resource Y?"

Regression: 283 engine + 37 staffing tests pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>

packages/api/src/router/client.ts

@@ -2,6 +2,7 @@ import { CreateClientSchema, UpdateClientSchema } from "@planarchy/shared";
 import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { findUniqueOrThrow } from "../db/helpers.js";
+import { createAuditEntry } from "../lib/audit.js";
 import { adminProcedure, createTRPCRouter, managerProcedure, protectedProcedure } from "../trpc.js";
 
 import type { ClientTree } from "@planarchy/shared";
@@ -97,7 +98,7 @@ export const clientRouter = createTRPCRouter({
         }
       }
 
-      return ctx.db.client.create({
+      const created = await ctx.db.client.create({
         data: {
           name: input.name,
           ...(input.code ? { code: input.code } : {}),
@@ -106,6 +107,19 @@ export const clientRouter = createTRPCRouter({
           ...(input.tags ? { tags: input.tags } : {}),
         },
       });
+
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "Client",
+        entityId: created.id,
+        entityName: created.name,
+        action: "CREATE",
+        userId: ctx.dbUser?.id,
+        after: created as unknown as Record<string, unknown>,
+        source: "ui",
+      });
+
+      return created;
     }),
 
   update: managerProcedure
@@ -123,7 +137,9 @@ export const clientRouter = createTRPCRouter({
         }
       }
 
-      return ctx.db.client.update({
+      const before = existing as unknown as Record<string, unknown>;
+
+      const updated = await ctx.db.client.update({
         where: { id: input.id },
         data: {
           ...(input.data.name !== undefined ? { name: input.data.name } : {}),
@@ -134,15 +150,44 @@ export const clientRouter = createTRPCRouter({
           ...(input.data.tags !== undefined ? { tags: input.data.tags } : {}),
         },
       });
+
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "Client",
+        entityId: updated.id,
+        entityName: updated.name,
+        action: "UPDATE",
+        userId: ctx.dbUser?.id,
+        before,
+        after: updated as unknown as Record<string, unknown>,
+        source: "ui",
+      });
+
+      return updated;
     }),
 
   deactivate: managerProcedure
     .input(z.object({ id: z.string() }))
     .mutation(async ({ ctx, input }) => {
-      return ctx.db.client.update({
+      const updated = await ctx.db.client.update({
         where: { id: input.id },
         data: { isActive: false },
       });
+
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "Client",
+        entityId: updated.id,
+        entityName: updated.name,
+        action: "UPDATE",
+        userId: ctx.dbUser?.id,
+        before: { isActive: true },
+        after: { isActive: false },
+        source: "ui",
+        summary: "Deactivated Client",
+      });
+
+      return updated;
     }),
 
   delete: adminProcedure
@@ -167,7 +212,20 @@ export const clientRouter = createTRPCRouter({
           message: `Cannot delete client with ${client._count.children} child client(s). Remove children first.`,
         });
       }
-      return ctx.db.client.delete({ where: { id: input.id } });
+      await ctx.db.client.delete({ where: { id: input.id } });
+
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "Client",
+        entityId: client.id,
+        entityName: client.name,
+        action: "DELETE",
+        userId: ctx.dbUser?.id,
+        before: client as unknown as Record<string, unknown>,
+        source: "ui",
+      });
+
+      return client;
     }),
 
   batchUpdateSortOrder: managerProcedure
@@ -181,6 +239,20 @@ export const clientRouter = createTRPCRouter({
           }),
         ),
       );
+
+      for (const item of input) {
+        void createAuditEntry({
+          db: ctx.db,
+          entityType: "Client",
+          entityId: item.id,
+          action: "UPDATE",
+          userId: ctx.dbUser?.id,
+          after: { sortOrder: item.sortOrder },
+          source: "ui",
+          summary: "Updated sort order",
+        });
+      }
+
       return { ok: true };
     }),
 });