agent: log accept/complete on backup jobs; audit: populate host.enrolled payload

Two warts surfaced during the smoke run:

- Agent was silent between "config.update applied" and "job
  finished" — operators tailing journalctl saw no acknowledgement
  that a command.run had landed. Adds Info logs at job-accept
  ({job_id, paths}) and at successful completion.

- The host.enrolled audit row had an empty {} payload. Now
  carries {hostname, os, arch, has_repo_creds} so an audit-log
  reader can answer "what got enrolled and did the operator
  bundle creds with the token" without joining back to hosts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/server/http/enrollment.go

@@ -146,6 +146,17 @@ func (s *Server) handleAgentEnroll(w stdhttp.ResponseWriter, r *stdhttp.Request)
 		}
 	}
 
+	auditPayload, _ := json.Marshal(struct {
+		Hostname     string `json:"hostname"`
+		OS           string `json:"os"`
+		Arch         string `json:"arch"`
+		HasRepoCreds bool   `json:"has_repo_creds"`
+	}{
+		Hostname:     host.Name,
+		OS:           host.OS,
+		Arch:         host.Arch,
+		HasRepoCreds: encForHost != "",
+	})
 	_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
 		ID:         ulid.Make().String(),
 		Actor:      "system",
@@ -153,6 +164,7 @@ func (s *Server) handleAgentEnroll(w stdhttp.ResponseWriter, r *stdhttp.Request)
 		TargetKind: ptr("host"),
 		TargetID:   &hostID,
 		TS:         host.EnrolledAt,
+		Payload:    auditPayload,
 	})
 
 	writeJSON(w, stdhttp.StatusCreated, enrollResponse{