refactor: unify request errors + add audit log middleware

[Destynova2]

Summary

• Replaces the AppError + ProviderError split with a single RequestError enum that carries the upstream HTTP status verbatim (502/503/504) instead of flattening every provider failure to a generic 502 body. New variants: BadRequest, Unauthorized, Forbidden, NotFound, ParseError, RoutingError, RateLimited{provider, retry_after_ms}, ProviderUpstream{provider, status, body}, BudgetExceeded{limit_usd, actual_usd}, DlpBlocked, AuthRevoked, Internal(anyhow::Error).
• RequestError::is_retryable() is the canonical retry classifier — removes three duplicate 429 detectors from dispatch/retry.rs and centralises the matcher.
• Adds an Axum audit-log middleware (audit_log_layer) that emits AuditEvent::RequestProcessed for every request — including OAuth, config, and error paths that previously bypassed audit entirely. De-dupes via the AuditedAlready response-extension marker so the dispatch pipeline (which writes a richer DLP/risk/token-aware entry) is the single source of truth on the hot path. Closes the audit gap that allowed silent model enumeration via DLP probes (EU AI Act Article 6 / PCI DSS 3.4).

The task brief asked for fix/preset-mod-include-str as the base; that branch was merged into main on 2026-04-27 and deleted, so the PR retargets main. The branch was rebased onto current main (2a5f744) so the diff is exactly the intended change set.

Test plan

• cargo check (default features, all features, no-default-features)
• cargo clippy --tests --all-targets -- -D warnings
• cargo fmt --check
• cargo nextest run — 1357/1357 tests pass on rebased branch
• 35 unit tests for RequestError::IntoResponse and is_retryable() covering every variant
• 9 integration tests for audit middleware (status codes, AuditedAlready de-dup, provider header, error variant tag, risk levels, anonymous fallback)
• 9 snapshot tests for error response JSON shapes

🤖 Generated with Claude Code