fix: auditor immer globalen Index nutzen, tenant_id ignorieren

auditor-Rolle hat evtl. tenant_id gesetzt (historisch), soll aber
trotzdem immer den globalen Index durchsuchen und nur No-Tenant-Mails
sehen. tenant_id auf auditor-User per DB-Migration auf NULL gesetzt.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
sysops
2026-04-04 19:51:42 +02:00
parent 994e5d16fc
commit 48cfb7cfa6
+4 -2
@@ -94,10 +94,12 @@ func (s *Server) handleSearch(w http.ResponseWriter, r *http.Request) {
// PROJ-21 Phase 4: Use per-tenant index when available; fall back to // PROJ-21 Phase 4: Use per-tenant index when available; fall back to
// global index + post-filter when the tenant index manager is not wired. // global index + post-filter when the tenant index manager is not wired.
// auditor always uses the global index — they see no-tenant mails only,
// regardless of any tenant_id on their user record.
tenantID := tenantFromCtx(r.Context()) tenantID := tenantFromCtx(r.Context())
searchIdx := s.idx searchIdx := s.idx
usedTenantIndex := false usedTenantIndex := false
if s.idxMgr != nil && tenantID != nil { if s.idxMgr != nil && tenantID != nil && sess.Role != userstore.RoleAuditor {
searchIdx = s.idxMgr.ForTenant(tenantID) searchIdx = s.idxMgr.ForTenant(tenantID)
usedTenantIndex = true usedTenantIndex = true
} }
@@ -111,7 +113,7 @@ func (s *Server) handleSearch(w http.ResponseWriter, r *http.Request) {
// Fallback tenant isolation: post-filter when we used the global index // Fallback tenant isolation: post-filter when we used the global index
// but the user belongs to a tenant. This is the legacy path; the per-tenant // but the user belongs to a tenant. This is the legacy path; the per-tenant
// index path above makes this unnecessary. // index path above makes this unnecessary.
if tenantID != nil && !usedTenantIndex && len(result.Hits) > 0 { if tenantID != nil && !usedTenantIndex && len(result.Hits) > 0 && sess.Role != userstore.RoleAuditor {
allowedIDs, idErr := s.store.GetAllIDsByTenant(r.Context(), tenantID) allowedIDs, idErr := s.store.GetAllIDsByTenant(r.Context(), tenantID)
if idErr == nil { if idErr == nil {
allowed := make(map[string]struct{}, len(allowedIDs)) allowed := make(map[string]struct{}, len(allowedIDs))
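Review bot: The added `sess.Role != userstore.RoleAuditor` condition on the fallback post-filter (second hunk) means an auditor's hits from the global index `s.idx` are returned with no tenant filtering in the visible code, while the new comment in the first hunk promises that auditors see no-tenant mails only. The existing "Fallback tenant isolation" comment implies the global index can hold tenant-owned mail, so unless a no-tenant restriction is applied outside these hunks, the auditor role may be able to read every tenant's messages. I would add an explicit auditor branch that keeps only hits whose mail has no tenant and fails closed on a store error, and cover it with a test that indexes a tenant mail and asserts an auditor search does not return it. Because the role check is now duplicated in two conditions, a single `isAuditor := sess.Role == userstore.RoleAuditor` next to `tenantID` would keep them from drifting apart. `handleSearch` starts and ends outside both hunks, so `sess` and any later filtering are not visible here.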