feat: append-only audit trail for all mutations (P0)

- Database: kanzlai.audit_log table with RLS, append-only policies
  (no UPDATE/DELETE), indexes for entity, user, and time queries
- Backend: AuditService.Log() with context-based tenant/user/IP/UA
  extraction, wired into all 7 services (case, deadline, appointment,
  document, note, party, tenant)
- API: GET /api/audit-log with entity_type, entity_id, user_id,
  from/to date, and pagination filters
- Frontend: Protokoll tab on case detail page with chronological
  audit entries, diff preview, and pagination

Required by § 50 BRAO and DSGVO Art. 5(2).

frontend/src/app/(app)/cases/[id]/layout.tsx

@@ -15,6 +15,7 @@ import {
   Users,
   StickyNote,
   AlertTriangle,
+  ScrollText,
 } from "lucide-react";
 import { format } from "date-fns";
 import { de } from "date-fns/locale";
@@ -44,6 +45,7 @@ const TABS = [
   { segment: "dokumente", label: "Dokumente", icon: FileText },
   { segment: "parteien", label: "Parteien", icon: Users },
   { segment: "notizen", label: "Notizen", icon: StickyNote },
+  { segment: "protokoll", label: "Protokoll", icon: ScrollText },
 ] as const;
 
 const TAB_LABELS: Record<string, string> = {
@@ -52,6 +54,7 @@ const TAB_LABELS: Record<string, string> = {
   dokumente: "Dokumente",
   parteien: "Parteien",
   notizen: "Notizen",
+  protokoll: "Protokoll",
 };
 
 function CaseDetailSkeleton() {