Integrate security alerts with SIEM and on-call escalation

Follow-up from in-app security alerting implementation. Remaining infrastructure work: forward SecurityAlert/AuditLog events to SIEM (e.g., Sentinel/Splunk), configure high-severity alert routing to on-call, define incident runbooks, and enforce retention/immutability policies for SOC 2 evidence.