Allow users to view their scoped audit logs #413

@beubax

Summary

Allow individual non-admin users to view audit log entries that are scoped only to their own principal, identities, vaults, and credential activity.

Motivation

Users should be able to answer basic account-security questions without admin access: which identities claimed their account, which vault actions happened, which provider connections changed, and when sensitive credential lifecycle events occurred.

Scope

  • Add a user-facing audit log view in the dashboard.
  • Add or expose a server API that returns only audit events the authenticated principal is authorized to see.
  • Scope results to the current principal and related identities/vaults only.
  • Prevent access to global, admin-only, or other-principal audit events.
  • Include filtering/pagination sufficient for routine review, such as event type, provider, identity, and time range.
  • Keep admin/global audit views separate from this user-scoped view.

Acceptance Criteria

  • A non-admin user can view their own audit events in the UI.
  • A non-admin user cannot retrieve another principal's events by guessing IDs or changing query parameters.
  • Admin-only/global audit details are not leaked through this endpoint or UI.
  • Results are paginated and sorted newest-first by default.
  • Tests cover scoping behavior for at least two principals with overlapping providers or identities.
  • Audit log behavior remains compatible with the existing Store-backed audit registry.

Notes

  • Treat audit scoping as server-side authorization logic, not only UI filtering.
  • Prefer extending the existing audit registry/query surface over duplicating audit storage.
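
The scoping rule from the Notes and Acceptance Criteria, sketched as an added example (not code from this project). `AuditEvent`, `Scope`, `list_my_events`, the event names and the sample rows are all hypothetical; the sketch assumes the server builds `Scope` from the authenticated session and that global/admin-only events carry no principal.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class AuditEvent:                    # hypothetical shape, not the project's schema
    id: int
    at: datetime
    event_type: str
    provider: str
    principal_id: Optional[str]      # None marks a global/admin-only event (assumption)
    vault_id: Optional[str] = None

@dataclass(frozen=True)
class Scope:                         # built server-side from the authenticated session
    principal_id: str
    vault_ids: frozenset

def visible(ev, scope):
    # Deny by default: global events and other principals' events never match.
    if ev.principal_id is None or ev.principal_id != scope.principal_id:
        return False
    return ev.vault_id is None or ev.vault_id in scope.vault_ids

def list_my_events(events, scope, *, provider=None, since=None, limit=50, before=None):
    """Filters only narrow the caller's own events; no principal parameter exists."""
    limit = max(1, min(limit, 100))                      # clamp client-supplied page size
    rows = [e for e in events
            if visible(e, scope)
            and (provider is None or e.provider == provider)
            and (since is None or e.at >= since)
            and (before is None or (e.at, e.id) < before)]
    rows.sort(key=lambda e: (e.at, e.id), reverse=True)  # newest first
    page = rows[:limit]
    cursor = (page[-1].at, page[-1].id) if len(rows) > limit else None
    return page, cursor

def _t(hour):                        # constructed timestamps
    return datetime(2024, 1, 1, hour, tzinfo=timezone.utc)

# Constructed sample data: two principals sharing the "github" provider.
SAMPLE = [
    AuditEvent(1, _t(1), "identity.claimed", "github", "alice"),
    AuditEvent(2, _t(2), "identity.claimed", "github", "bob"),
    AuditEvent(3, _t(3), "vault.updated", "github", "alice", "v-alice"),
    AuditEvent(4, _t(4), "vault.updated", "github", "bob", "v-bob"),
    AuditEvent(5, _t(5), "admin.config_changed", "github", None),
    AuditEvent(6, _t(6), "credential.rotated", "okta", "alice", "v-alice"),
]
ALICE = Scope("alice", frozenset({"v-alice"}))
```

Because the principal never comes from a query parameter, changing filters or guessing IDs can only narrow the caller's own result set.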

Labels: ready-for-agent (Fully specified, ready for an AFK agent)
