feat: append-only audit trail for all mutations (P0)

- Database: kanzlai.audit_log table with RLS, append-only policies
  (no UPDATE/DELETE), indexes for entity, user, and time queries
- Backend: AuditService.Log() with context-based tenant/user/IP/UA
  extraction, wired into all 7 services (case, deadline, appointment,
  document, note, party, tenant)
- API: GET /api/audit-log with entity_type, entity_id, user_id,
  from/to date, and pagination filters
- Frontend: Protokoll tab on case detail page with chronological
  audit entries, diff preview, and pagination

Required by § 50 BRAO and DSGVO Art. 5(2).

backend/internal/handlers/deadlines.go

@@ -113,7 +113,7 @@ func (h *DeadlineHandlers) Create(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	deadline, err := h.deadlines.Create(tenantID, input)
+	deadline, err := h.deadlines.Create(r.Context(), tenantID, input)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to create deadline")
 		return
@@ -142,7 +142,7 @@ func (h *DeadlineHandlers) Update(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	deadline, err := h.deadlines.Update(tenantID, deadlineID, input)
+	deadline, err := h.deadlines.Update(r.Context(), tenantID, deadlineID, input)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to update deadline")
 		return
@@ -169,7 +169,7 @@ func (h *DeadlineHandlers) Complete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	deadline, err := h.deadlines.Complete(tenantID, deadlineID)
+	deadline, err := h.deadlines.Complete(r.Context(), tenantID, deadlineID)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to complete deadline")
 		return
@@ -196,7 +196,7 @@ func (h *DeadlineHandlers) Delete(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	err = h.deadlines.Delete(tenantID, deadlineID)
+	err = h.deadlines.Delete(r.Context(), tenantID, deadlineID)
 	if err != nil {
 		writeError(w, http.StatusNotFound, err.Error())
 		return