chore(backend): deprecation sweep — Pydantic V1 -> V2, utcnow -> tz-aware

Two low-risk Pydantic V1 idioms that will be hard errors in V3:
  - Query(regex=...) -> Query(pattern=...) (audit_routes, control_generator_routes)
  - class Config: from_attributes=True -> model_config = ConfigDict(...)
    in source_policy_router.py (schemas.py is intentionally skipped — it is
    the Phase 1 schema-split target and the ConfigDict conversion is most
    efficient to do during that split).

Naive -> aware datetime sweep across 47 files:
  - datetime.utcnow() -> datetime.now(timezone.utc)
  - default=datetime.utcnow -> default=lambda: datetime.now(timezone.utc)
  - onupdate=datetime.utcnow -> onupdate=lambda: datetime.now(timezone.utc)

All SQLAlchemy DateTime columns in the project already declare
timezone=True, so the DB schema expects aware datetimes. Before this
commit, the in-Python side was generating naive values and the driver
was silently coercing them. This is a latent-bug fix, not a behavior
change at the DB boundary.

Verified:
  - 173/173 pytest compliance/tests/ pass (same as baseline)
  - tests/contracts/test_openapi_baseline.py passes (360 paths,
    484 operations unchanged)
  - DeprecationWarning count dropped from 158 -> 35

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend-compliance/compliance/api/audit_routes.py

@@ -9,7 +9,7 @@ Endpoints:
 """
 
 import logging
-from datetime import datetime
+from datetime import datetime, timezone
 from typing import Optional, List
 from uuid import uuid4
 import hashlib
@@ -204,7 +204,7 @@ async def start_audit_session(
         )
 
     session.status = AuditSessionStatusEnum.IN_PROGRESS
-    session.started_at = datetime.utcnow()
+    session.started_at = datetime.now(timezone.utc)
     db.commit()
 
     return {"success": True, "message": "Audit session started", "status": "in_progress"}
@@ -229,7 +229,7 @@ async def complete_audit_session(
         )
 
     session.status = AuditSessionStatusEnum.COMPLETED
-    session.completed_at = datetime.utcnow()
+    session.completed_at = datetime.now(timezone.utc)
     db.commit()
 
     return {"success": True, "message": "Audit session completed", "status": "completed"}
@@ -482,7 +482,7 @@ async def sign_off_item(
         # Update existing sign-off
         signoff.result = result_enum
         signoff.notes = request.notes
-        signoff.updated_at = datetime.utcnow()
+        signoff.updated_at = datetime.now(timezone.utc)
     else:
         # Create new sign-off
         signoff = AuditSignOffDB(
@@ -497,11 +497,11 @@ async def sign_off_item(
     # Create digital signature if requested
     signature = None
     if request.sign:
-        timestamp = datetime.utcnow().isoformat()
+        timestamp = datetime.now(timezone.utc).isoformat()
         data = f"{result_enum.value}|{requirement_id}|{session.auditor_name}|{timestamp}"
         signature = hashlib.sha256(data.encode()).hexdigest()
         signoff.signature_hash = signature
-        signoff.signed_at = datetime.utcnow()
+        signoff.signed_at = datetime.now(timezone.utc)
         signoff.signed_by = session.auditor_name
 
     # Update session statistics
@@ -523,7 +523,7 @@ async def sign_off_item(
     # Auto-start session if this is the first sign-off
     if session.status == AuditSessionStatusEnum.DRAFT:
         session.status = AuditSessionStatusEnum.IN_PROGRESS
-        session.started_at = datetime.utcnow()
+        session.started_at = datetime.now(timezone.utc)
 
     db.commit()
     db.refresh(signoff)
@@ -587,7 +587,7 @@ async def get_sign_off(
 @router.get("/sessions/{session_id}/report/pdf")
 async def generate_audit_pdf_report(
     session_id: str,
-    language: str = Query("de", regex="^(de|en)$"),
+    language: str = Query("de", pattern="^(de|en)$"),
     include_signatures: bool = Query(True),
     db: Session = Depends(get_db),
 ):