feat(06.2): log attempted email on failed login and surface it in audit log

- auth.py: store attempted_email in metadata_ and link user_id when the account exists (wrong password case); previously logged no PII at all
- AuditLogTab: Email column falls back to metadata_.attempted_email in amber with "(attempted)" label when no confirmed user_email is available

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/api/auth.py

@@ -232,15 +232,14 @@ async def login(
 
     # Verify password (anti-enumeration: same error regardless of whether user exists)
     if user is None or not auth_service.verify_password(body.password, user.password_hash):
-        # D-13: log login failure WITHOUT PII (no email, no password) — T-04-07-01
         await write_audit_log(
             session,
             event_type="auth.login_failed",
-            user_id=None,
-            actor_id=None,
+            user_id=user.id if user else None,
+            actor_id=user.id if user else None,
             resource_id=None,
             ip_address=_ip,
-            metadata_=None,
+            metadata_={"attempted_email": str(body.email)},
         )
         await session.commit()
         raise HTTPException(