feat(PROJ-44): GET /api/mails/{id}/ocr-text + Audit-Event

Neuer Endpoint liefert den OCR-extrahierten Reintext als text/plain
mit Content-Disposition. ACL identisch zu /raw (Tenant-Isolation,
Auditor-Regeln, User-Ownership-Check). Status-Mapping:
  done + chars>0 -> 200, attachment "<id16>.ocr.txt"
  pending        -> 202 JSON {"error":"ocr_pending"}
  skipped/failed/disabled/empty -> 404 JSON {"error":"ocr_not_available"}
Jeder erfolgreiche Download landet im Audit-Log als mail:ocr_download.

internal/api/server.go

@@ -215,6 +215,8 @@ func (s *Server) routes() {
 	s.mux.HandleFunc("GET /api/mails/{id}/attachments/{index}", s.auth(s.requireMailAccess(s.handleGetAttachment)))
 	s.mux.HandleFunc("GET /api/threads/{threadID}", s.auth(s.handleGetThread))
 	s.mux.HandleFunc("GET /api/mails/{id}/raw", s.auth(s.requireMailAccess(s.handleGetRaw)))
+	// PROJ-44: OCR-Text-Download — gleicher ACL-Pfad wie /raw.
+	s.mux.HandleFunc("GET /api/mails/{id}/ocr-text", s.auth(s.requireMailAccess(s.handleGetOCRText)))
 	s.mux.HandleFunc("GET /api/admin/services", s.authAdmin(s.handleListServices))
 	s.mux.HandleFunc("POST /api/admin/services/{name}/action", s.authAdmin(s.handleServiceAction))