security(csv-export): harden mnemonic export with super admin, audit, watermark (#48)

- Add SUPER_ADMIN_IDS config (fallback to ADMIN_IDS if not set)
- Add isSuperAdmin() to middleware/auth.js
- Create auditService.js for structured audit logging (DB + pino)
- Create migration 005_audit_log.js
- Add confirmation dialog before CSV export (confirm_export_ callback)
- Check isSuperAdmin before export — block non-super admins
- Audit log every export: admin ID, wallet type, wallet count
- Add exported_by watermark column to CSV with admin telegram ID
- Notify all other super admins when export occurs
- Add SUPER_ADMIN_IDS to .env.example

8 files changed, 154 insertions, 39 deletions
NW
2026-06-22 10:07:58 +01:00
parent a04e60d751
commit 49945d9d81
8 changed files with 155 additions and 40 deletions


@@ -3,3 +3,7 @@ import config from '../config/config.js';
export function isAdmin(userId) {
return config.ADMIN_IDS.includes(userId.toString());
}
export function isSuperAdmin(userId) {
return config.SUPER_ADMIN_IDS.includes(userId.toString());
}
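Review bot: isSuperAdmin() is the authorization check in front of the mnemonic export, yet by the commit description SUPER_ADMIN_IDS falls back to ADMIN_IDS when unset, so on a deployment that never sets it this function returns the same answer as isAdmin() and the new restriction is silently absent. The config loader is not in this hunk, so confirm the behaviour there; failing closed (empty list, export disabled) or logging a startup warning when the fallback is taken would make that state visible. Separately, `userId.toString()` throws if a caller passes an undefined id, whereas `return userId != null && config.SUPER_ADMIN_IDS.includes(String(userId));` denies instead. A short JSDoc such as `/** True only for IDs listed in SUPER_ADMIN_IDS; gates mnemonic CSV export. */` would tell callers that this is not interchangeable with isAdmin().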