feat: ACN Application Security Standard V7.30 compliance (19/23 items)

CRITICAL — Authentication & Access:
- TOTP MFA: otpauth-based, QR setup UI, sign-in flow integration,
  admin disable override, /account/security self-service page
- Session Timeouts: 8h absolute (maxAge), 30min idle (updateAge)
- Failed Auth Logging: Pino warn for invalid password/user/totp,
  info for successful login, audit entries for all auth events
- Concurrent Session Limit: ActiveSession model, oldest-kick strategy,
  max 3 per user (configurable in SystemSettings)

CRITICAL — HTTP Security:
- HSTS: max-age=31536000; includeSubDomains
- CSP: script/style/img/font/connect-src with Gemini/OpenAI whitelist
- X-XSS-Protection: 0 (CSP replaces legacy)
- Auth page cache: no-store, no-cache, must-revalidate
- Rate Limiting: 100/15min general API, 5/15min auth (Map-based)

Data Protection:
- XSS Sanitization: DOMPurify on comment bodies
- autocomplete="new-password" on all password/secret fields
- SameSite=Strict on all cookies (Credentials-only, no OAuth)
- File Upload Magic Bytes validation (PNG/JPEG/WebP/GIF/BMP/TIFF)

Logging & Monitoring:
- Login/Logout audit entries (Auth entityType)
- External API call logging with timing (OpenAI, Gemini)
- Input validation failure logging at warn level
- Concurrent session tracking in ActiveSession table

Documentation:
- docs/security-architecture.md (11 sections)
- docs/sdlc.md (CI pipeline, security gates, incident response)
- .gitea/PULL_REQUEST_TEMPLATE.md (security checklist)

Schema: User.totpSecret/totpEnabled, SystemSettings.sessionMaxAge/
sessionIdleTimeout/maxConcurrentSessions, ActiveSession model

Tests: 310 engine + 37 staffing pass. TypeScript clean.

Co-Authored-By: claude-flow <ruv@ruv.net>

packages/api/src/router/resource.ts

@@ -1,4 +1,4 @@
-import { createAiClient, isAiConfigured } from "../ai-client.js";
+import { createAiClient, isAiConfigured, loggedAiCall } from "../ai-client.js";
 import {
   isChargeabilityActualBooking,
   isChargeabilityRelevantProject,
@@ -795,13 +795,16 @@ export const resourceRouter = createTRPCRouter({
       const maxTokens = settings!.aiMaxCompletionTokens ?? 300;
       const temperature = settings!.aiTemperature ?? 1;
 
+      const provider = settings!.aiProvider ?? "openai";
       async function callChatCompletions(withTemperature: boolean) {
-        return client.chat.completions.create({
-          messages: [{ role: "user", content: prompt }],
-          max_completion_tokens: maxTokens,
-          model,
-          ...(withTemperature && temperature !== 1 ? { temperature } : {}),
-        });
+        return loggedAiCall(provider, model, prompt.length, () =>
+          client.chat.completions.create({
+            messages: [{ role: "user", content: prompt }],
+            max_completion_tokens: maxTokens,
+            model,
+            ...(withTemperature && temperature !== 1 ? { temperature } : {}),
+          }),
+        );
       }
 
       let summary = "";