Define audit log event tiers

[byapparov]

Phase 3 — Structured audit log

Not every bus event needs audit logging. Define clear tiers:

• Always audit: permission decisions, file writes/deletes, bash commands, network egress, auth changes, session create/delete
• Configurable: tool reads, message content, cost data, compaction events
• Never audit: streaming deltas, UI events, installation checks

This determines what the audit log sink subscribes to.