feat(PROJ-44): GET /api/mails/{id}/ocr-text + Audit-Event

Neuer Endpoint liefert den OCR-extrahierten Reintext als text/plain
mit Content-Disposition. ACL identisch zu /raw (Tenant-Isolation,
Auditor-Regeln, User-Ownership-Check). Status-Mapping:
  done + chars>0 -> 200, attachment "<id16>.ocr.txt"
  pending        -> 202 JSON {"error":"ocr_pending"}
  skipped/failed/disabled/empty -> 404 JSON {"error":"ocr_not_available"}
Jeder erfolgreiche Download landet im Audit-Log als mail:ocr_download.

internal/audit/audit.go

@@ -11,13 +11,14 @@ import (
 )
 
 const (
-	EventLogin    = "login"
-	EventLogout   = "logout"
-	EventSearch   = "search"
-	EventMailView = "mail_view"
-	EventImport   = "import"
-	EventExport   = "export"
-	EventUserMgmt = "user_mgmt"
+	EventLogin       = "login"
+	EventLogout      = "logout"
+	EventSearch      = "search"
+	EventMailView    = "mail_view"
+	EventImport      = "import"
+	EventExport      = "export"
+	EventUserMgmt    = "user_mgmt"
+	EventOCRDownload = "mail:ocr_download" // PROJ-44: extracted OCR text downloaded
 )
 
 // Entry is a single audit log record.