
Capture path · cloud-audit

Cloud audit ingest

Forward GCP, AWS, Azure, and GitHub audit events to `/v1/audit/ingest` to get coverage for actions taken via the cloud console or out-of-band tools.

When AI Actors operate via the cloud console or out-of-band tools, the SDK isn't in the path. Forward audit events from the source of truth (GCP Cloud Logging, AWS CloudTrail, Azure Activity Log, GitHub Webhooks) to `POST /v1/audit/ingest`, and BlackLake correlates them against known actors and tools. The cloud-audit capture path produces `source: cloud_audit` rows on `/v1/insights/coverage` and surfaces uncovered actions on `/v1/audit/uncovered`: the actions BlackLake observed but couldn't tie to a governed evaluation.
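
A forwarder first has to pull the acting principal and the action out of each provider's native record before posting it. The sketch below is an added example, not BlackLake's own code or schema: the host, the bearer-token header and the `events` envelope keys are assumptions, since this page names only the `POST /v1/audit/ingest` path; the provider field names are those of CloudTrail, Cloud Audit Logs, the Azure Activity Log and GitHub webhook deliveries.

```python
import json
import urllib.request

# Assumption: the host, the bearer token and the envelope keys are placeholders.
INGEST_URL = "https://blacklake.example/v1/audit/ingest"

# Constructed sample: a trimmed CloudTrail record.
SAMPLE_AWS = {"eventID": "constructed-0001", "eventSource": "s3.amazonaws.com",
              "eventName": "PutBucketPolicy",
              "userIdentity": {"arn": "arn:aws:iam::111122223333:role/agent"}}


def normalize(provider, event, headers=None):
    """Extract principal, action and event id from a provider-native record."""
    headers = headers or {}
    if provider == "aws":  # CloudTrail record
        principal = event.get("userIdentity", {}).get("arn")
        action = f'{event["eventSource"]}:{event["eventName"]}'
        event_id = event.get("eventID")
    elif provider == "gcp":  # Cloud Audit Logs LogEntry
        payload = event["protoPayload"]
        principal = payload.get("authenticationInfo", {}).get("principalEmail")
        action = f'{payload["serviceName"]}:{payload["methodName"]}'
        event_id = event.get("insertId")
    elif provider == "azure":  # Activity Log entry
        op = event["operationName"]
        # The REST API returns an object here, exported logs a plain string.
        action = op["value"] if isinstance(op, dict) else op
        principal = event.get("caller")
        event_id = event.get("eventDataId")
    elif provider == "github":  # webhook: the event type is in the headers
        kind = headers["X-GitHub-Event"]
        action = f'{kind}.{event["action"]}' if "action" in event else kind
        principal = event.get("sender", {}).get("login")
        event_id = headers.get("X-GitHub-Delivery")
    else:
        raise ValueError(f"unsupported provider: {provider}")
    # Forward unattributed events too; they are the ones worth reviewing.
    return {"provider": provider, "principal": principal or "unknown",
            "action": action, "event_id": event_id, "raw": event}


def build_ingest_request(token, events):
    """Build (not send) the POST; hand the result to urllib.request.urlopen."""
    body = json.dumps({"events": events}).encode()
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return urllib.request.Request(INGEST_URL, data=body, headers=headers, method="POST")
```
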