User account audit log

I put this here for comment, let me know what you think, or if you have additional idea.

Now that we have the per-user encrypted transaction log in iapi, I really want an audit log for user accounts. The audit events can be listed by the user and some of the more important ones should also generate a notification email.

Ideas for entries:

pw settings change (pw / app pw / 2fa)
security settings change: recovery email, recovery token displayed or mailed, pgp key changed
invite code created
services (resources) created / deleted
logins (where and how), this one probably with a short ttl, e.g. stored just for 1-2 weeks

maybe longterm (if we can implement it in a reasonable way):