chore(backend): bootstrap Python 3.12+ project skeleton (B0.1)

- pyproject.toml with ruff + mypy strict + pytest + coverage >=70%
- Makefile with Docker/Podman auto-detect
- Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user)
- docker-compose.yml for Postgres dev DB
- alembic.ini wired to src/mimic/db/migrations
- scripts/postgres-init/00-roles.sql seeds the audit writer role
- .env.example documents every MIMIC_* var (no secrets committed)

backend/scripts/postgres-init/00-roles.sql

@@ -0,0 +1,20 @@
+-- Roles used by the application.
+-- NF-AUDIT: audit_log must be append-only at the SQL level. The application
+-- writes via mimic_audit_writer (INSERT only). The standard mimic_app role
+-- has SELECT on audit_log but no UPDATE/DELETE.
+--
+-- This file runs once at container init. Production deployment uses Ansible
+-- to apply the same grants idempotently.
+
+DO $$
+BEGIN
+    IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'mimic_audit_writer') THEN
+        CREATE ROLE mimic_audit_writer LOGIN PASSWORD 'CHANGE_ME';
+    END IF;
+END
+$$;
+
+-- The mimic_app user is created by the official image entrypoint
+-- via $POSTGRES_USER. We only need to make sure the audit writer exists.
+-- Per-table grants are applied by the application's bootstrap step after
+-- migrations land (so the audit_log table actually exists).