
[Change] Enterprise RBAC and Audit Trail #528

@djm81

Description

Why

Once enterprise policy can be pushed into the client, SpecFact also needs role-aware actions and a signed audit trail for promotions, approvals, and overrides. Without those controls, a pushed rule could be overridden or approved with no verifiable record of who acted, in which role, or on what basis, leaving enterprise governance opaque and unauditable.

What Changes

  • NEW: enterprise-audit-trail capability defining enterprise roles, signed audit events, and local audit persistence.
  • NEW: Canonical roles org-admin, team-lead, developer, and auditor with action-level expectations.
  • NEW: Signed audit-event schema for rule pushes, promotions, approvals, overrides, and telemetry opt-in changes.
  • EXTEND: Enterprise policy-resolution flow so resolved values can be linked back to audited actions.
  • EXTEND: Future budget and distillation features so they can emit events through a shared audit contract.
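To make the What Changes list concrete, here is an added example (written for this page, not SpecFact code and not the proposed schema) of a role-checked, signed, hash-chained local audit trail. Everything specific is an assumption for illustration: the action names, the per-role action sets (the proposal only says roles carry "action-level expectations"), HMAC-SHA256 with a locally held key standing in for whatever signature scheme the contract adopts, and a JSON-lines file standing in for "local audit persistence". The `AuditTrail` class, `ROLE_ACTIONS` table and `demo()` function are hypothetical names.

```python
# Added example, not SpecFact code: a minimal role-checked, signed, hash-chained
# audit trail. Signature scheme (HMAC-SHA256 with a local key), action names,
# and the JSON-lines storage layout are assumptions made for illustration.
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Optional, Tuple

# Canonical roles from the proposal. Which actions each role may take is an
# assumption here; the proposal only says roles carry action-level expectations.
ROLE_ACTIONS = {
    "org-admin": {"rule_push", "promotion", "approval", "override", "telemetry_opt_in"},
    "team-lead": {"promotion", "approval", "override"},
    "developer": {"promotion", "telemetry_opt_in"},
    "auditor": set(),  # verifies the trail; emits no governance events
}

GENESIS = "0" * 64  # prev-hash of the first event in an empty trail


def canonical(obj: dict) -> bytes:
    """Deterministic JSON so hashes and signatures are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self, path: str, key: bytes):
        self.path = path
        self.key = key

    def _last_hash(self) -> str:
        """Hash of the newest event, or GENESIS for an empty/missing file."""
        last = GENESIS
        if os.path.exists(self.path):
            with open(self.path, "rb") as fh:
                for line in fh:
                    last = json.loads(line)["hash"]
        return last

    def record(self, actor: str, role: str, action: str, target: str,
               detail: Optional[dict] = None) -> dict:
        """Refuse actions outside the role table, then append a signed event."""
        if action not in ROLE_ACTIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not perform {action!r}")
        body = {
            "actor": actor, "role": role, "action": action, "target": target,
            "detail": detail or {},
            "ts": datetime.now(timezone.utc).isoformat(),
            "prev": self._last_hash(),  # chains this event to its predecessor
        }
        digest = hashlib.sha256(canonical(body)).hexdigest()
        sig = hmac.new(self.key, digest.encode(), hashlib.sha256).hexdigest()
        event = {**body, "hash": digest, "sig": sig}
        with open(self.path, "ab") as fh:
            fh.write(canonical(event) + b"\n")
        return event

    def verify(self) -> Tuple[bool, int]:
        """Replay the file. Returns (True, event_count) or (False, bad_index)."""
        prev, count = GENESIS, 0
        with open(self.path, "rb") as fh:
            for line in fh:
                event = json.loads(line)
                body = {k: v for k, v in event.items() if k not in ("hash", "sig")}
                digest = hashlib.sha256(canonical(body)).hexdigest()
                sig = hmac.new(self.key, digest.encode(), hashlib.sha256).hexdigest()
                if (body["prev"] != prev or event["hash"] != digest
                        or not hmac.compare_digest(event["sig"], sig)):
                    return False, count
                prev, count = digest, count + 1
        return True, count


def demo() -> dict:
    """Record two events, deny a third, then show tampering is detected."""
    path = os.path.join(tempfile.mkdtemp(), "audit.jsonl")
    trail = AuditTrail(path, key=os.urandom(32))
    trail.record("alice", "org-admin", "rule_push", "rules/review-policy",
                 {"rule": "require-review"})
    trail.record("bob", "team-lead", "approval", "change/enterprise-02")
    try:
        trail.record("carol", "developer", "approval", "change/enterprise-02")
        denied = False
    except PermissionError:
        denied = True
    clean = trail.verify()

    # Constructed tamper: edit the first event's payload but leave hash/sig stale.
    with open(path, "rb") as fh:
        lines = fh.read().splitlines()
    first = json.loads(lines[0])
    first["detail"]["rule"] = "review-optional"
    lines[0] = canonical(first)
    with open(path, "wb") as fh:
        fh.write(b"\n".join(lines) + b"\n")

    return {"denied": denied, "verify_clean": clean, "verify_tampered": trail.verify()}


if __name__ == "__main__":
    print(demo())  # {'denied': True, 'verify_clean': (True, 2), 'verify_tampered': (False, 0)}
```

Two points worth carrying into the real contract. First, the `hash` returned by `record()` is the natural thing for a resolved policy value to carry as its audit reference (the EXTEND bullet above): a value that claims to come from a rule push can then be checked against the event that pushed it. Second, a symmetric key as used here means anyone who can read the key can forge events, so the auditor role is only as independent as that key's distribution; a production schema would sign with a per-client private key, let auditors verify with the public key alone, and publish the chain head somewhere the client cannot rewrite, otherwise a client with local write access can simply regenerate the whole file.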

Acceptance Criteria

  • OpenSpec contracts for enterprise-02-rbac-and-audit-trail are complete and remain strict-validate clean.
  • The enterprise RBAC and audit-trail scope is wired to its declared parent feature and to the follow-up surfaces that depend on it.
  • No undocumented breaking change is introduced into existing review, policy, telemetry, or enterprise flows.

Dependencies

  • Depends on enterprise-01-policy-resolution-extension for enterprise value provenance.

Additional Context

  • Supplies the contract reused by later enterprise drift and budget-governance changes, plus the module-side audit client.
  • Adds audit visibility without changing free-tier workflows.

Capability Notes

New Capabilities

  • enterprise-audit-trail: Enterprise roles and signed audit events for client-side governance actions.

Modified Capabilities

  • enterprise-policy-resolution: Extend policy resolution with audit references for pushed and overridden values.

OpenSpec Change Proposal: enterprise-02-rbac-and-audit-trail

Metadata

Assignees: No one assigned
Labels: change-proposal (Proposal for a new change), enhancement (New feature or request), enterprise (Enterprise governance, audit, and chargeback), openspec
Projects: Status Todo
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests