feat(batch17): add visibility-tiered snapshots across audit, usage, ops, and snapshot UI #2

Open
yangshu2087 wants to merge 4 commits into main from codex/feat/021/20260408-batch17-audit-visibility

yangshu2087 (Owner) commented Apr 9, 2026

Batch-17 scope

This PR implements snapshot permission tiering + audit visibility-domain control in three layers and keeps the rollout aligned with workspace roles.

Layer 1 — Audit + Usage visibility hardening

  • add role-aware default workspace membership lookup for downstream permission decisions
  • split audit records into visibility domains and filter them by role
  • redact audit payloads when the current role should only see metadata
  • tier usage/billing snapshots so sensitive billing, ledger, token, and cost fields are hidden when appropriate
  • block credit adjustments for roles that should not manage billing
  • surface hidden/redacted state in the existing /audit and /usage pages

Layer 2 — Ops visibility hardening

  • add role-tiered /ops/queues visibility rules:
      • OWNER / ADMIN: full per-queue health including failed/delayed/paused
      • EDITOR: per-queue visibility retained, but failure/delay/paused details redacted
      • VIEWER: summary-only queue overview with per-queue details hidden
  • wire the dashboard and the new /ops page to explain what is hidden for the current role

Layer 3 — Unified future snapshot page

  • add /snapshot as a single read-only Batch-17 landing page
  • aggregate the already visibility-aware usage, audit, and ops responses instead of adding a new backend snapshot contract
  • show the current role posture and the access tier/scope for each surface
  • provide fast links into the detailed pages (/usage, /audit, /ops)

Role behavior summary

Audit

  • OWNER / ADMIN: full workspace records, full payload
  • EDITOR: only operational domains, payload visible for visible domains
  • VIEWER: only operational domains, payload hidden

Usage / billing snapshot

  • OWNER / ADMIN: full snapshot, ledger details, cost details, credit management
  • EDITOR: limited snapshot, costs visible, ledger details hidden, no credit management
  • VIEWER: overview snapshot only, costs/details hidden, no credit management

Ops / queue health

  • OWNER / ADMIN: full per-queue operational view
  • EDITOR: per-queue overview without failure detail fields
  • VIEWER: summary-only overview

Main files changed

  • apps/api/src/common/workspace-context.service.ts
  • apps/api/src/modules/audit/*
  • apps/api/src/modules/usage/*
  • apps/api/src/modules/ops/*
  • apps/api/test/audit-visibility.test.ts
  • apps/api/test/usage-visibility.test.ts
  • apps/api/test/ops-visibility.test.ts
  • packages/shared/src/types.ts
  • apps/web/app/audit/page.tsx
  • apps/web/app/usage/page.tsx
  • apps/web/app/ops/page.tsx
  • apps/web/app/snapshot/page.tsx
  • apps/web/app/dashboard/page.tsx
  • apps/web/components/shell/workbench-shell.tsx
  • apps/web/lib/queries.ts

Verification

  • npx pnpm --filter @draftorbit/db prisma:generate
  • npx pnpm --filter @draftorbit/api test
  • npx pnpm --filter @draftorbit/api typecheck
  • npx pnpm --filter @draftorbit/web typecheck

Notes

  • the unified /snapshot page is intentionally a read-only aggregator over existing visibility-aware endpoints
  • no separate snapshot backend API was added in this PR

yangshu2087 changed the title from "feat(audit): add role-scoped visibility for audit and usage snapshots" to "feat(batch17): add visibility-tiered snapshots across audit, usage, ops, and snapshot UI" on Apr 9, 2026
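
The Ops tiering described in this PR, sketched as a server-side projection (an added example, not code from the PR or the DraftOrbit repository). Type and function names, the `waiting`/`active` counters and the summary shape are assumptions; unknown roles fall back to the summary tier so a missing role mapping cannot widen access.

```typescript
// Added example: all names here are hypothetical, not taken from the PR's code.
type WorkspaceRole = "OWNER" | "ADMIN" | "EDITOR" | "VIEWER";
type Tier = "full" | "redacted" | "summary";

interface QueueHealth {
  name: string;
  waiting: number; active: number;                  // assumed counters
  failed: number; delayed: number; paused: boolean; // detail fields named in the PR
}

interface QueueView {
  tier: Tier;
  summary: { queues: number; waiting: number; active: number };
  queues: Array<Partial<QueueHealth> & { name: string }>;
  hidden: string[]; // withheld fields, so the UI can explain what is hidden
}

const TIER_BY_ROLE: Record<WorkspaceRole, Tier> = {
  OWNER: "full", ADMIN: "full", EDITOR: "redacted", VIEWER: "summary",
};

// Fail closed: a missing or unrecognised role gets the lowest tier. The
// own-property check stops strings like "constructor" resolving via the prototype.
function tierFor(role: string): Tier {
  const known = Object.prototype.hasOwnProperty.call(TIER_BY_ROLE, role);
  return known ? TIER_BY_ROLE[role as WorkspaceRole] : "summary";
}

function projectQueues(role: string, queues: QueueHealth[]): QueueView {
  const tier = tierFor(role);
  const summary = {
    queues: queues.length,
    waiting: queues.reduce((n, q) => n + q.waiting, 0),
    active: queues.reduce((n, q) => n + q.active, 0),
  };
  if (tier === "full") return { tier, summary, queues: queues.map((q) => ({ ...q })), hidden: [] };
  if (tier === "redacted") {
    // Copy an allowlist instead of deleting fields: new fields stay hidden by default.
    const visible = queues.map(({ name, waiting, active }) => ({ name, waiting, active }));
    return { tier, summary, queues: visible, hidden: ["failed", "delayed", "paused"] };
  }
  return { tier, summary, queues: [], hidden: ["queues"] };
}

// Constructed sample data.
const SAMPLE_QUEUES: QueueHealth[] = [
  { name: "publish", waiting: 3, active: 1, failed: 2, delayed: 4, paused: false },
  { name: "generate", waiting: 5, active: 2, failed: 0, delayed: 1, paused: true },
];
```

Running the projection on the server before serialisation means redacted fields never reach the client, rather than being hidden by the /ops page.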