Implement Phase 1 audit logging

Add centralized admin action logger and integrate logging for:
- Alert resolutions (system, rate limit, grouped)
- Role grants/revokes in UserRoleManager
- Incident creation/acknowledgement/resolution
- Moderation lock overrides

Includes file updates and usage across relevant components to ensure consistent audit trails.

src/components/admin/PipelineHealthAlerts.tsx

@@ -16,6 +16,7 @@ import { supabase } from '@/lib/supabaseClient';
 import { toast } from 'sonner';
 import { useQueryClient } from '@tanstack/react-query';
 import { queryKeys } from '@/lib/queryKeys';
+import { logAdminAction } from '@/lib/adminActionAuditHelpers';
 
 const SEVERITY_CONFIG = {
   critical: { color: 'destructive', icon: XCircle },
@@ -58,6 +59,9 @@ export function PipelineHealthAlerts() {
     setResolvingAlertId(alertId);
     
     try {
+      // Fetch alert details before resolving
+      const alertToResolve = allAlerts.find(a => a.id === alertId);
+      
       const { error } = await supabase
         .from('system_alerts')
         .update({ resolved_at: new Date().toISOString() })
@@ -72,6 +76,17 @@ export function PipelineHealthAlerts() {
       console.log('✅ Alert resolved successfully');
       toast.success('Alert resolved');
       
+      // Log to audit trail
+      if (alertToResolve) {
+        await logAdminAction('system_alert_resolved', {
+          alert_id: alertToResolve.id,
+          alert_type: alertToResolve.alert_type,
+          severity: alertToResolve.severity,
+          message: alertToResolve.message,
+          metadata: alertToResolve.metadata,
+        });
+      }
+      
       // Invalidate all system-alerts queries (critical, high, medium, etc.)
       await Promise.all([
         queryClient.invalidateQueries({ queryKey: ['system-alerts'] }),