fix(backend): stop seeding the audit-writer role via postgres-init (MA1)

Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql`
hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted
into the dev Postgres container; on prod boxes this risks lingering as the
real credential.

- The init script was removed in the previous commit alongside the dropped
  scripts dir.
- `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d`
  directory; the audit-writer role provisioning is the Ansible playbook's
  responsibility (D-010).
- `backend/README.md` documents the manual one-shot `CREATE ROLE` command
  for local dev with a placeholder password.

Net effect: no `CHANGE_ME` credential reaches a container image / git history.
The Alembic migration's `audit_log` grant block stays idempotent — it is a
no-op when the role is absent.

backend/docker-compose.yml

@@ -11,7 +11,11 @@ services:
       - "127.0.0.1:5432:5432"
     volumes:
       - mimic_pgdata:/var/lib/postgresql/data
-      - ./scripts/postgres-init:/docker-entrypoint-initdb.d:ro
+    # The `mimic_audit_writer` role is provisioned by the Ansible playbook
+    # in prod (D-010). For dev, create it manually after `make db-up`:
+    #   docker exec -it mimic-postgres psql -U mimic_app -d mimic \
+    #     -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD '<choose one>';"
+    # Then expose the same secret in MIMIC_DATABASE_AUDIT_URL in your .env.
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER:-mimic_app} -d ${POSTGRES_DB:-mimic}"]
       interval: 5s