feat: Activity History system — full audit coverage, UI, AI tools

Infrastructure (Phase 1):
- AuditLog schema: add source, entityName, summary fields + index
- createAuditEntry() helper: auto-diff, auto-summary, fire-and-forget
- auditLog query router: list, getByEntity, getTimeline, getActivitySummary

Audit Coverage (Phase 2 — 14 routers, 50+ mutations):
- vacation: create, approve, reject, cancel, batch ops (8 mutations)
- user: create, updateRole, setPermissions, resetPermissions (5 mutations)
- entitlement: set, bulkSet (3 mutations)
- client: create, update, delete, batchUpdateSortOrder
- org-unit: create, update, deactivate
- country: create, update, createCity, updateCity, deleteCity
- management-level: createGroup, updateGroup, createLevel, updateLevel, deleteLevel
- settings: updateSystemSettings (sensitive fields sanitized), testSmtp
- blueprint: create, update, updateRolePresets, delete, batchDelete, setGlobal
- rate-card: create, update, deactivate, addLine, updateLine, deleteLine, replaceLines
- calculation-rules: create, update, delete
- effort-rule: create, update, delete
- experience-multiplier: create, update, delete
- utilization-category: create, update

Admin UI (Phase 3):
- /admin/activity-log page with global searchable timeline
- Filters: entity type, action, user, date range, text search
- Expandable before/after diff view per entry
- Summary cards showing top entity types by change count
- EntityHistory reusable component for entity detail pages
- Sidebar nav link with clock icon

AI Assistant (Phase 4):
- query_change_history tool: "Who changed project X?"
- get_entity_timeline tool: "What happened to resource Y?"

Regression: 283 engine + 37 staffing tests pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>

packages/api/src/router/entitlement.ts

@@ -8,6 +8,7 @@ import { TRPCError } from "@trpc/server";
 import { z } from "zod";
 import { RESOURCE_BRIEF_SELECT } from "../db/selects.js";
 import { createTRPCRouter, adminProcedure, managerProcedure, protectedProcedure } from "../trpc.js";
+import { createAuditEntry } from "../lib/audit.js";
 
 /** Types that consume from annual leave balance */
 const BALANCE_TYPES: VacationType[] = [VacationType.ANNUAL, VacationType.OTHER];
@@ -189,12 +190,27 @@ export const entitlementRouter = createTRPCRouter({
         where: { resourceId_year: { resourceId: input.resourceId, year: input.year } },
       });
       if (existing) {
-        return ctx.db.vacationEntitlement.update({
+        const updated = await ctx.db.vacationEntitlement.update({
           where: { id: existing.id },
           data: { entitledDays: input.entitledDays },
         });
+
+        void createAuditEntry({
+          db: ctx.db,
+          entityType: "VacationEntitlement",
+          entityId: updated.id,
+          entityName: `Entitlement ${input.resourceId} / ${input.year}`,
+          action: "UPDATE",
+          ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+          before: existing as unknown as Record<string, unknown>,
+          after: updated as unknown as Record<string, unknown>,
+          source: "ui",
+          summary: `Updated entitlement from ${existing.entitledDays} to ${input.entitledDays} days (${input.year})`,
+        });
+
+        return updated;
       }
-      return ctx.db.vacationEntitlement.create({
+      const created = await ctx.db.vacationEntitlement.create({
         data: {
           resourceId: input.resourceId,
           year: input.year,
@@ -204,6 +220,20 @@ export const entitlementRouter = createTRPCRouter({
           pendingDays: 0,
         },
       });
+
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "VacationEntitlement",
+        entityId: created.id,
+        entityName: `Entitlement ${input.resourceId} / ${input.year}`,
+        action: "CREATE",
+        ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+        after: created as unknown as Record<string, unknown>,
+        source: "ui",
+        summary: `Set entitlement to ${input.entitledDays} days (${input.year})`,
+      });
+
+      return created;
     }),
 
   /**
@@ -244,6 +274,18 @@ export const entitlementRouter = createTRPCRouter({
         updated++;
       }
 
+      void createAuditEntry({
+        db: ctx.db,
+        entityType: "VacationEntitlement",
+        entityId: `bulk-${input.year}`,
+        entityName: `Bulk Entitlement ${input.year}`,
+        action: "UPDATE",
+        ...(ctx.dbUser?.id ? { userId: ctx.dbUser.id } : {}),
+        after: { year: input.year, entitledDays: input.entitledDays, resourceCount: updated } as unknown as Record<string, unknown>,
+        source: "ui",
+        summary: `Bulk set entitlement to ${input.entitledDays} days for ${updated} resources (${input.year})`,
+      });
+
       return { updated };
     }),