add office-aware passport policies and alert lifecycle

Enforce geofenced location evidence for passport challenges and extend admin alerting so mobile devices can review, dismiss, and act on real org and security events.

test/test.passport.node.ts

@@ -275,6 +275,14 @@ tap.test('creates and approves a passport challenge with DER signatures and evid
       notificationTitle: 'Office entry request',
       requireLocation: true,
       requireNfc: true,
+      locationPolicy: {
+        mode: 'geofence',
+        label: 'HQ Berlin',
+        latitude: 53.0793,
+        longitude: 8.8017,
+        radiusMeters: 80,
+        maxAccuracyMeters: 25,
+      },
     });
 
     expect(deliveredHintIds).toHaveLength(1);
@@ -286,6 +294,15 @@ tap.test('creates and approves a passport challenge with DER signatures and evid
         deviceId: passportDevice.id,
         signatureBase64: signer.sign(challengeResult.signingPayload),
         signatureFormat: 'der',
+        location: {
+          latitude: 53.5,
+          longitude: 8.1,
+          accuracyMeters: 12,
+          capturedAt: Date.now(),
+        },
+        nfc: {
+          readerId: 'door-reader-a',
+        },
       })
     ).rejects.toThrow();
 
@@ -308,6 +325,7 @@ tap.test('creates and approves a passport challenge with DER signatures and evid
     expect(approvedChallenge.data.status).toEqual('approved');
     expect(approvedChallenge.data.evidence?.signatureFormat).toEqual('der');
     expect(approvedChallenge.data.evidence?.location?.accuracyMeters).toEqual(12);
+    expect(approvedChallenge.data.evidence?.locationEvaluation?.matched).toBeTrue();
     expect(approvedChallenge.data.evidence?.nfc?.readerId).toEqual('door-reader-a');
     expect(activityLogCalls.at(-1)?.action).toEqual('passport_challenge_approved');
   } finally {