feat(auditlog): FallbackAuditWriter compose SQLite + ring + failure counter (#23)

Adds the IAuditWriter composer that sits between the script-side
ScriptRuntimeContext audit emission (Bundle F) and the primary
SqliteAuditWriter. Honours the alog.md §7 guarantee that audit-write
failures NEVER abort the user-facing action:

- Primary throw -> log Warning, increment IAuditWriteFailureCounter
  (Bundle G's health-metric sink), stash the event in the drop-oldest
  RingBufferFallback, return success to the caller.
- Primary success -> opportunistically drain the ring back through the
  primary in FIFO order, behind the triggering event. Drain is
  serialised via a SemaphoreSlim gate so concurrent recoveries don't
  double-replay; a drain-side re-throw re-enqueues at the tail and
  breaks out (the next successful write retries).

Adds IAuditWriteFailureCounter as the lightweight DI seam (one void
Increment()), and a TryDequeue helper on RingBufferFallback that the
recovery path uses to pop one item without blocking.

Tests (4 new, total 26 -> 30):
- WriteAsync_PrimaryThrows_EventLandsInRing_CallReturnsSuccess
- WriteAsync_PrimaryRecovers_RingDrains_InFIFOOrder_OnNextWrite
  (order: trigger first, then ring backlog in submission FIFO)
- WriteAsync_PrimaryAlwaysSucceeds_Ring_StaysEmpty
- WriteAsync_FailureCounter_Incremented_Per_PrimaryFailure

src/ScadaLink.AuditLog/Site/RingBufferFallback.cs

@@ -100,6 +100,13 @@ public sealed class RingBufferFallback
         }
     }
 
+    /// <summary>
+    /// Non-blocking single-item dequeue used by the
+    /// <see cref="FallbackAuditWriter"/> recovery path. Returns
+    /// <see langword="false"/> when the ring is empty.
+    /// </summary>
+    public bool TryDequeue(out AuditEvent evt) => _channel.Reader.TryRead(out evt!);
+
     /// <summary>
     /// Mark the ring as no-more-writes. <see cref="DrainAsync"/> will yield the
     /// remaining events and then complete.