feat: expanded health checks, deploy filtering, per-project notifications, error sanitization, and audit trail

- Expand health endpoint to check DB, Docker, and NPM connectivity (FUNC-M4)
- Add project_id, stage_id, offset query params to deploys endpoint (FUNC-M5, FUNC-M6)
- Add notification_url field to Stage model for per-project overrides (FUNC-M2)
- Add NPM Ping method for health checking
- Sanitize all internal error messages in API handlers (SEC-M4)
- Add audit trail events for admin actions (FUNC-M3)
- Add EventLog event type to event bus

internal/npm/client.go

@@ -37,6 +37,23 @@ func New(baseURL string) *Client {
 	}
 }
 
+// Ping checks basic connectivity to the NPM API by issuing a lightweight GET request.
+func (c *Client) Ping(ctx context.Context) error {
+	if c.baseURL == "" {
+		return fmt.Errorf("npm base URL not configured")
+	}
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.baseURL+"/", nil)
+	if err != nil {
+		return fmt.Errorf("create ping request: %w", err)
+	}
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return fmt.Errorf("npm ping: %w", err)
+	}
+	resp.Body.Close()
+	return nil
+}
+
 // Authenticate obtains a JWT from the NPM API and caches it for future requests.
 // The credentials are also stored so the client can re-authenticate automatically on 401.
 func (c *Client) Authenticate(ctx context.Context, email, password string) error {