fix: harden logging quality auditor correctness#83

Open
gbasin wants to merge 3 commits into feat/dependency-risk-scanner from chore/logging-quality-audit-iter3
Conversation

@gbasin gbasin commented Feb 18, 2026

Summary

This iteration addresses reviewer feedback from PR #82 by fixing correctness gaps in the logging auditor so real violations are not missed, while preserving the backend logging quality bar established in prior iterations.

Scope

  • Server runtime logging audit only (src/server/**)
  • Excludes client/UI logging and test files
  • CI-friendly deterministic auditor output via bun run audit:logging

What changed

  • Hardened auditor behavior in src/server/loggingAudit.ts:
    • Catch logging detection no longer treats logger calls inside nested functions/classes as satisfying outer catches.
    • Intentional suppression now requires comment tokens; string literal occurrences no longer suppress findings.
    • Logger call detection now supports bracket-property forms (for example logger['warn'](...)).
    • Missing error-context checks for warn/error logs now evaluate non-object payloads heuristically for real error signal.
    • Spread payloads no longer auto-pass unless the spread expression itself carries error signal.
    • Event-name parsing now handles simple static string concatenation in addition to literals/template literals.
  • Added/updated regression tests in src/server/__tests__/loggingAudit.test.ts for each corrected behavior.

Validation

  • bun run lint
  • bun run typecheck
  • bun run test
  • bun run audit:logging

Result:

  • logging_audit scanned_files=36 high=0 medium=0 low=0
  • logging_audit_result clean

Context

Prior audit/remediation work remains included from earlier iterations (PR #81/#82): server error-path logging coverage, audit command/docs, and structured logging contract.
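As an added illustration (not the project's src/server/loggingAudit.ts, nor any code from its author), the TypeScript below sketches three of the corrected behaviours listed in the PR description using a small token scanner rather than a full parser: logger calls inside nested functions or classes do not satisfy the enclosing catch, a suppression marker counts only when it appears in a comment token and not in a string literal, and the bracket-property call form logger['warn'](...) is recognised. The identifier `logger`, the marker text `logging-audit: ignore`, every function name, and the sample source are assumptions constructed for this example.

```typescript
// Assumed names (not from the PR): the logger identifier and the suppression marker.
const LOGGER = "logger", SUPPRESS = "logging-audit: ignore";
type Tok = { kind: "ident" | "string" | "comment" | "punct"; text: string; line: number };
type Finding = { line: number; message: string };
const isP = (t: Tok | undefined, s: string): boolean => t !== undefined && t.kind === "punct" && t.text === s;

// Scanner that keeps comments and string/template literals as distinct token kinds, so a
// marker inside a string literal cannot pass for a comment directive (no ${} handling).
function tokenize(src: string): Tok[] {
  const toks: Tok[] = [];
  let i = 0, line = 1;
  const push = (kind: Tok["kind"], text: string, next: number) => {
    toks.push({ kind, text, line });
    line += (src.slice(i, next).match(/\n/g) ?? []).length; // newlines spanned by the token
    i = next;
  };
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { if (c === "\n") line++; i++; continue; }
    if (c === "/" && (src[i + 1] === "/" || src[i + 1] === "*")) { // line or block comment
      const isLine = src[i + 1] === "/", at = src.indexOf(isLine ? "\n" : "*/", i + 2);
      const end = at === -1 ? src.length : at, next = isLine ? end : Math.min(end + 2, src.length);
      push("comment", src.slice(i + 2, end), next); continue;
    }
    if (c === '"' || c === "'" || c === "`") {
      let j = i + 1;
      while (j < src.length && src[j] !== c) { if (src[j] === "\\") j++; j++; }
      push("string", src.slice(i + 1, j), Math.min(j + 1, src.length)); continue;
    }
    if (/[A-Za-z_$]/.test(c)) {
      let j = i + 1; while (j < src.length && /[\w$]/.test(src[j])) j++;
      push("ident", src.slice(i, j), j); continue;
    }
    if (c === "=" && src[i + 1] === ">") { push("punct", "=>", i + 2); continue; }
    push("punct", c, i + 1);
  }
  return toks;
}

// Index of the `}` that closes the `{` at `open`.
function matchBrace(toks: Tok[], open: number): number {
  let depth = 0;
  for (let k = open; k < toks.length; k++) {
    if (isP(toks[k], "{")) depth++;
    else if (isP(toks[k], "}") && --depth === 0) return k;
  }
  return toks.length - 1;
}

// Matches logger.warn(...) and the bracket-property form logger['warn'](...).
function isLoggerCall(toks: Tok[], k: number): boolean {
  const [t, a, b, c, d] = [toks[k], toks[k + 1], toks[k + 2], toks[k + 3], toks[k + 4]];
  if (t.kind !== "ident" || t.text !== LOGGER) return false;
  if (isP(a, ".") && b?.kind === "ident" && isP(c, "(")) return true;
  return isP(a, "[") && b?.kind === "string" && isP(c, "]") && isP(d, "(");
}

// From a `function`/`class` keyword or `=>` at `start`, return the index of the last token of that
// nested unit: its `{...}` body, or for an expression-bodied arrow the token before its terminator.
function skipNested(toks: Tok[], start: number, limit: number): number {
  let parens = 0;
  for (let k = start + 1; k < limit; k++) {
    if (isP(toks[k], "(")) parens++;
    else if (isP(toks[k], ")") && --parens < 0) return k - 1; // `)` of the enclosing call
    else if (isP(toks[k], "{") && parens === 0) return matchBrace(toks, k);
    else if ((isP(toks[k], ",") || isP(toks[k], ";")) && parens === 0) return k - 1;
  }
  return limit - 1;
}

// A catch block must call the logger in its own body: calls inside nested functions or
// classes do not count, and only a comment containing SUPPRESS (never a string) suppresses it.
function auditCatchLogging(src: string): Finding[] {
  const toks = tokenize(src), findings: Finding[] = [];
  for (let k = 0; k < toks.length; k++) {
    if (toks[k].kind !== "ident" || toks[k].text !== "catch") continue;
    let open = k + 1;
    while (open < toks.length && !isP(toks[open], "{")) open++;
    if (open >= toks.length) break;
    const close = matchBrace(toks, open);
    let logged = false, suppressed = false;
    for (let j = open + 1; j < close; j++) {
      const t = toks[j];
      if (t.kind === "comment" && t.text.includes(SUPPRESS)) suppressed = true;
      else if ((t.kind === "ident" && (t.text === "function" || t.text === "class")) || isP(t, "=>"))
        j = skipNested(toks, j, close); // skip the whole nested scope
      else if (isLoggerCall(toks, j)) logged = true;
    }
    if (!logged && !suppressed) findings.push({ line: toks[k].line, message: "catch block does not log the error" });
  }
  return findings;
}

// Constructed sample source: the catches on lines 2 and 3 pass, 4 and 5 are findings, 6 is suppressed.
const SAMPLE = `
try { await save(); } catch (err) { logger.error('save_failed', { err }); }
try { await flush(); } catch (err) { logger['warn']('flush_failed', { err }); }
try { await sync(); } catch (err) { [err].forEach(e => logger.warn('sync_retry', { e })); }
try { await ping(); } catch (err) { const note = 'logging-audit: ignore'; }
try { await probe(); } catch { /* logging-audit: ignore: counted by metrics instead */ metrics.increment('probe_failed'); }`;
console.log(auditCatchLogging(SAMPLE)); // findings on lines 4 and 5
```

Running the file prints the two findings for the constructed sample: the catch whose only logger call sits inside a forEach arrow, and the catch whose marker is a string rather than a comment. A production auditor such as the one the PR describes works on a real TypeScript AST; the token scanner here is kept small on purpose and, for instance, does not understand ${} inside template literals or regex literals.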
