feat: P6 operacni viditelnost - audit log prohlizec, cleanup script

- audit-log.php: API endpoint s filtrovanim (akce, entita, datum, hledani) a stranovanim
- AuditLog.jsx: stranka s tabulkou, filtry, pagination, skeleton loading
- Sidebar: polozka "Audit log" pod Systemem (settings.audit permission)
- cleanup.php: CLI script - maze rate limit soubory >24h a audit log >90 dni
- Migrace: settings.audit permission

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

api/admin/audit-log.php

@@ -0,0 +1,62 @@
+<?php
+
+/**
+ * Audit Log API - prohlížení audit logu
+ *
+ * GET /api/admin/audit-log.php
+ *   ?page=1&per_page=50&search=&action=&entity_type=&date_from=&date_to=
+ */
+
+declare(strict_types=1);
+
+require_once dirname(__DIR__) . '/config.php';
+require_once dirname(__DIR__) . '/includes/JWTAuth.php';
+require_once dirname(__DIR__) . '/includes/AuditLog.php';
+
+setCorsHeaders();
+setSecurityHeaders();
+setNoCacheHeaders();
+header('Content-Type: application/json; charset=utf-8');
+
+$authData = JWTAuth::requireAuth();
+AuditLog::setUser($authData['user_id'], $authData['user']['username'] ?? 'unknown');
+
+if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+    http_response_code(204);
+    exit;
+}
+
+if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
+    errorResponse('Method not allowed', 405);
+}
+
+requirePermission($authData, 'settings.audit');
+
+$page = max(1, (int) ($_GET['page'] ?? 1));
+$perPage = max(1, min(100, (int) ($_GET['per_page'] ?? 50)));
+
+$filters = [];
+
+if (!empty($_GET['search'])) {
+    $filters['search'] = (string) $_GET['search'];
+}
+
+if (!empty($_GET['action'])) {
+    $filters['action'] = (string) $_GET['action'];
+}
+
+if (!empty($_GET['entity_type'])) {
+    $filters['entity_type'] = (string) $_GET['entity_type'];
+}
+
+if (!empty($_GET['date_from'])) {
+    $filters['date_from'] = (string) $_GET['date_from'];
+}
+
+if (!empty($_GET['date_to'])) {
+    $filters['date_to'] = (string) $_GET['date_to'];
+}
+
+$result = AuditLog::getLogs($filters, $page, $perPage);
+
+successResponse($result);

api/cleanup.php

@@ -0,0 +1,58 @@
+<?php
+
+/**
+ * Cleanup CLI script - maze stare rate limit soubory a audit log zaznamy.
+ *
+ * Pouziti: php api/cleanup.php
+ * Doporuceny cron: 0 3 * * * php /path/to/api/cleanup.php
+ */
+
+declare(strict_types=1);
+
+if (php_sapi_name() !== 'cli') {
+    http_response_code(403);
+    echo 'Pouze CLI';
+    exit(1);
+}
+
+require_once __DIR__ . '/config.php';
+
+$rateLimitDir = __DIR__ . '/rate_limits';
+$rateLimitMaxAge = 24 * 60 * 60; // 24 hodin
+$auditLogMaxDays = 90;
+
+$deleted = 0;
+$errors = 0;
+
+// Rate limit soubory starsi 24h
+if (is_dir($rateLimitDir)) {
+    $now = time();
+    $files = glob($rateLimitDir . '/*.json');
+    if ($files !== false) {
+        foreach ($files as $file) {
+            $age = $now - filemtime($file);
+            if ($age > $rateLimitMaxAge) {
+                if (unlink($file)) {
+                    $deleted++;
+                } else {
+                    $errors++;
+                }
+            }
+        }
+    }
+}
+
+echo "Rate limits: smazano {$deleted} souboru" . ($errors > 0 ? " ({$errors} chyb)" : '') . "\n";
+
+// Audit log zaznamy starsi 90 dni
+try {
+    $pdo = db();
+    $stmt = $pdo->prepare(
+        'DELETE FROM audit_logs WHERE created_at < DATE_SUB(NOW(), INTERVAL ? DAY)'
+    );
+    $stmt->execute([$auditLogMaxDays]);
+    $auditDeleted = $stmt->rowCount();
+    echo "Audit log: smazano {$auditDeleted} zaznamu starsich {$auditLogMaxDays} dni\n";
+} catch (PDOException $e) {
+    echo "Audit log: chyba - {$e->getMessage()}\n";
+}