Enterprise · May 10, 2026
Reviewer decisions appended to tamper-evident audit chain
applyGateAction() now calls appendChainedAuditLog() on both the approve and reject paths. Each row commits to the SHA-256 hash of the previous row (chained with pg_advisory_xact_lock). The verify-chain endpoint at GET /api/audit/verify-chain walks the full chain and returns ok, inspected, and firstBreakAt. SOC2 auditors can verify the integrity of every reviewer decision.
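
How a chain of this kind is built and checked, as an added in-memory example that is not the product's code: each row stores the previous row's SHA-256 hash, and a verifier walks from the first row and reports the first mismatch. The row fields (seq, actor, action, gateId), the all-zero genesis value, the serialization, and the exact meaning given to inspected and firstBreakAt are assumptions made for illustration.

```javascript
// Added illustration of a hash-chained audit log; row layout and GENESIS are assumptions.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // assumed prevHash for the first row

// Deterministic serialization: fixed field order so the hash is reproducible.
const canonical = (row) =>
  JSON.stringify([row.seq, row.actor, row.action, row.gateId, row.prevHash]);
const rowHash = (row) => createHash("sha256").update(canonical(row)).digest("hex");

// Append a reviewer decision; the new row commits to the previous row's hash.
function appendRow(chain, { actor, action, gateId }) {
  const prev = chain[chain.length - 1];
  const row = { seq: chain.length, actor, action, gateId,
                prevHash: prev ? prev.hash : GENESIS };
  row.hash = rowHash(row);
  chain.push(row);
  return row;
}

// Walk the chain from the start and stop at the first row that fails.
function verifyChain(chain) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const row = chain[i];
    const linked = row.prevHash === expectedPrev; // points at the row before it
    const intact = row.hash === rowHash(row);     // content matches stored hash
    if (!linked || !intact) return { ok: false, inspected: i + 1, firstBreakAt: i };
    expectedPrev = row.hash;
  }
  return { ok: true, inspected: chain.length, firstBreakAt: null };
}

// Constructed sample data: three decisions, then two kinds of tampering.
function demo() {
  const chain = [];
  appendRow(chain, { actor: "alice", action: "approve", gateId: "g-1" });
  appendRow(chain, { actor: "bob", action: "reject", gateId: "g-2" });
  appendRow(chain, { actor: "carol", action: "approve", gateId: "g-3" });
  const clean = verifyChain(chain);
  chain[1].action = "approve";       // in-place edit of a stored decision
  const edited = verifyChain(chain);
  chain[1].hash = rowHash(chain[1]); // re-hash only the edited row
  const rehashed = verifyChain(chain); // break moves to the next row's prevHash
  return { clean, edited, rehashed };
}
console.log(demo());
```

A chain checked this way detects in-place edits, but not removal of the newest rows or a recompute of every hash from the edited row onward. Detecting those requires keeping the latest row hash somewhere the database writer cannot modify.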