Add system phase 4 audits

- Add audit logging for system maintenance operations (cache/orphaned images/manual cleanup)
- Log account deletion request handling (requests/confirm/cancel)
- Log security actions (admin password resets, MFA enforcement changes, account lockouts)

src/components/auth/TOTPSetup.tsx

@@ -115,6 +115,21 @@ export function TOTPSetup() {
 
       if (verifyError) throw verifyError;
 
+      // Log MFA enrollment to audit trail
+      try {
+        const { logAdminAction } = await import('@/lib/adminActionAuditHelpers');
+        await logAdminAction(
+          'mfa_enabled',
+          {
+            factor_id: factorId,
+            factor_type: 'totp',
+            friendly_name: 'Authenticator App',
+          }
+        );
+      } catch (auditError) {
+        // Non-critical - don't fail enrollment if audit logging fails
+      }
+
       // Check if user signed in via OAuth and trigger step-up flow
       const authMethod = getAuthMethod();
       const isOAuthUser = authMethod === 'oauth';

src/lib/identityService.ts

@@ -257,6 +257,21 @@ export async function addPasswordToAccount(): Promise<IdentityOperationResult> {
       method: 'reset_password_flow',
       timestamp: new Date().toISOString()
     });
+
+    // Log to admin audit trail for security tracking
+    try {
+      const { logAdminAction } = await import('@/lib/adminActionAuditHelpers');
+      await logAdminAction(
+        'password_setup_initiated',
+        {
+          method: 'reset_password_email',
+          email: userEmail,
+          has_oauth: true, // If they're adding password, they must have OAuth
+        }
+      );
+    } catch (auditError) {
+      // Non-critical - don't fail operation if audit logging fails
+    }
     
     return { 
       success: true,

supabase/functions/cancel-account-deletion/index.ts

@@ -76,6 +76,17 @@ export default createEdgeFunction(
       throw profileError;
     }
 
+    // Log to system activity log
+    await supabaseClient.rpc('log_system_activity', {
+      _user_id: context.userId,
+      _action: 'account_deletion_cancelled',
+      _details: {
+        request_id: deletionRequest.id,
+        cancellation_reason: cancellation_reason || 'User cancelled',
+        account_reactivated: true,
+      }
+    });
+
     // Send cancellation email
     const forwardEmailKey = Deno.env.get('FORWARDEMAIL_API_KEY');
     const fromEmail = Deno.env.get('FROM_EMAIL_ADDRESS') || 'noreply@thrillwiki.com';

supabase/functions/confirm-account-deletion/index.ts

@@ -89,6 +89,17 @@ export default createEdgeFunction(
       throw updateError;
     }
 
+    // Log to system activity log
+    await supabaseClient.rpc('log_system_activity', {
+      _user_id: context.userId,
+      _action: 'account_deletion_confirmed',
+      _details: {
+        request_id: deletionRequest.id,
+        scheduled_deletion_at: deletionRequest.scheduled_deletion_at,
+        account_deactivated: true,
+      }
+    });
+
     // Send confirmation email
     const forwardEmailKey = Deno.env.get('FORWARDEMAIL_API_KEY');
     const fromEmail = Deno.env.get('FROM_EMAIL_ADDRESS') || 'noreply@thrillwiki.com';

supabase/functions/request-account-deletion/index.ts

@@ -82,6 +82,16 @@ const handler = createEdgeFunction(
     const forwardEmailKey = Deno.env.get('FORWARDEMAIL_API_KEY');
     const fromEmail = Deno.env.get('FROM_EMAIL_ADDRESS') || 'noreply@thrillwiki.com';
 
+    // Log to system activity log
+    await supabaseClient.rpc('log_system_activity', {
+      _user_id: context.userId,
+      _action: 'account_deletion_requested',
+      _details: {
+        request_id: deletionRequest.id,
+        scheduled_deletion_at: scheduledDeletionAt.toISOString(),
+      }
+    });
+
     if (forwardEmailKey && userEmail) {
       try {
         await fetch('https://api.forwardemail.net/v1/emails', {