feat: track auth flow

[lwin-kyaw]

Jira Link

https://consensyssoftware.atlassian.net/browse/EMBED-226

Description

This PR adds Citadel auth flow audit reporting around the share retrieval flow so auth-related events can be correlated with a shared recordId. It also extends the public request interfaces to carry the analytics metadata needed for grouped and provider-based auth flows.

Changes

• add CitadelAuthFlowAuditParams and CitadelAuditParams in src/helpers/citadelUtils.ts
• add buildAuditPayload() and callAuditApi() to send audit data to the new /v1/user/audit endpoint
• update Torus.retrieveShares() to generate or reuse a recordId across the flow
• update Torus.retrieveShares() to report auth flow audit events during the retrieve/login lifecycle
• keep signer allow tracking aligned with the same recordId used during share retrieval
• update Torus.importPrivateKey() to accept and reuse an optional recordId
• extend VerifierParams with sub_verifier_ids
• extend RetrieveSharesParams with authConnection
• extend RetrieveSharesParams with recordId
• extend ImportKeyParams with recordId

How has this been tested?

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

Note

Medium Risk
Adds new Citadel audit/allow tracking calls and propagates a shared recordId through share-retrieval/import flows, which introduces new network requests and changes request interfaces used by consumers.

Overview
Adds Citadel auth-flow auditing around share retrieval by introducing a new /v1/auth/audit PUT report path and expanding the existing signer allow tracking to use explicit OAuth step flags.

retrieveShares and importPrivateKey now generate or reuse a caller-supplied recordId and report verification success/failure via either the allow API (no recordId provided) or the new audit API (when recordId is provided). Public interfaces are extended to carry analytics metadata (RetrieveSharesParams.authConnection, *.recordId, and VerifierParams.sub_verifier_ids).

^{Written by Cursor Bugbot for commit c3c05b9. This will update automatically on new commits. Configure here.}

[lwin-kyaw]

This PR depends on the citadel-server PR, https://github.com/Web3Auth/citadel-server/pull/32 and need to deploy the citadel before merging this.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[lwin-kyaw]

OAuth login initiated

OAuth login completed -> verification completed

OAuth login completed -> verification failed