chore(backend): deprecation sweep — Pydantic V1 -> V2, utcnow -> tz-aware

Two low-risk Pydantic V1 idioms that will be hard errors in V3:
  - Query(regex=...) -> Query(pattern=...) (audit_routes, control_generator_routes)
  - class Config: from_attributes=True -> model_config = ConfigDict(...)
    in source_policy_router.py (schemas.py is intentionally skipped — it is
    the Phase 1 schema-split target and the ConfigDict conversion is most
    efficient to do during that split).

Naive -> aware datetime sweep across 47 files:
  - datetime.utcnow() -> datetime.now(timezone.utc)
  - default=datetime.utcnow -> default=lambda: datetime.now(timezone.utc)
  - onupdate=datetime.utcnow -> onupdate=lambda: datetime.now(timezone.utc)

All SQLAlchemy DateTime columns in the project already declare
timezone=True, so the DB schema expects aware datetimes. Before this
commit, the in-Python side was generating naive values and the driver
was silently coercing them. This is a latent-bug fix, not a behavior
change at the DB boundary.

Verified:
  - 173/173 pytest compliance/tests/ pass (same as baseline)
  - tests/contracts/test_openapi_baseline.py passes (360 paths,
    484 operations unchanged)
  - DeprecationWarning count dropped from 158 -> 35

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

backend-compliance/tests/test_einwilligungen_routes.py

@@ -7,7 +7,7 @@ Consent widerrufen, Statistiken.
 
 import pytest
 from unittest.mock import MagicMock, patch
-from datetime import datetime
+from datetime import datetime, timezone
 import uuid
 
 
@@ -25,7 +25,7 @@ def make_catalog(tenant_id='test-tenant'):
     rec.tenant_id = tenant_id
     rec.selected_data_point_ids = ['dp-001', 'dp-002']
     rec.custom_data_points = []
-    rec.updated_at = datetime.utcnow()
+    rec.updated_at = datetime.now(timezone.utc)
     return rec
 
 
@@ -34,7 +34,7 @@ def make_company(tenant_id='test-tenant'):
     rec.id = uuid.uuid4()
     rec.tenant_id = tenant_id
     rec.data = {'company_name': 'Test GmbH', 'email': 'datenschutz@test.de'}
-    rec.updated_at = datetime.utcnow()
+    rec.updated_at = datetime.now(timezone.utc)
     return rec
 
 
@@ -47,7 +47,7 @@ def make_cookies(tenant_id='test-tenant'):
         {'id': 'analytics', 'name': 'Analyse', 'isRequired': False, 'defaultEnabled': False},
     ]
     rec.config = {'position': 'bottom', 'style': 'bar'}
-    rec.updated_at = datetime.utcnow()
+    rec.updated_at = datetime.now(timezone.utc)
     return rec
 
 
@@ -58,13 +58,13 @@ def make_consent(tenant_id='test-tenant', user_id='user-001', data_point_id='dp-
     rec.user_id = user_id
     rec.data_point_id = data_point_id
     rec.granted = granted
-    rec.granted_at = datetime.utcnow()
+    rec.granted_at = datetime.now(timezone.utc)
     rec.revoked_at = None
     rec.consent_version = '1.0'
     rec.source = 'website'
     rec.ip_address = None
     rec.user_agent = None
-    rec.created_at = datetime.utcnow()
+    rec.created_at = datetime.now(timezone.utc)
     return rec
 
 
@@ -263,7 +263,7 @@ class TestConsentDB:
             user_id='user-001',
             data_point_id='dp-marketing',
             granted=True,
-            granted_at=datetime.utcnow(),
+            granted_at=datetime.now(timezone.utc),
             consent_version='1.0',
             source='website',
         )
@@ -276,13 +276,13 @@ class TestConsentDB:
         consent = make_consent()
         assert consent.revoked_at is None
 
-        consent.revoked_at = datetime.utcnow()
+        consent.revoked_at = datetime.now(timezone.utc)
         assert consent.revoked_at is not None
 
     def test_cannot_revoke_already_revoked(self):
         """Should not be possible to revoke an already revoked consent."""
         consent = make_consent()
-        consent.revoked_at = datetime.utcnow()
+        consent.revoked_at = datetime.now(timezone.utc)
 
         # Simulate the guard logic from the route
         already_revoked = consent.revoked_at is not None
@@ -315,7 +315,7 @@ class TestConsentStats:
             make_consent(user_id='user-2', data_point_id='dp-1', granted=True),
         ]
         # Revoke one
-        consents[1].revoked_at = datetime.utcnow()
+        consents[1].revoked_at = datetime.now(timezone.utc)
 
         total = len(consents)
         active = sum(1 for c in consents if c.granted and not c.revoked_at)
@@ -334,7 +334,7 @@ class TestConsentStats:
             make_consent(user_id='user-2', granted=True),
             make_consent(user_id='user-3', granted=True),
         ]
-        consents[2].revoked_at = datetime.utcnow()  # user-3 revoked
+        consents[2].revoked_at = datetime.now(timezone.utc)  # user-3 revoked
 
         unique_users = len(set(c.user_id for c in consents))
         users_with_active = len(set(c.user_id for c in consents if c.granted and not c.revoked_at))
@@ -501,7 +501,7 @@ class TestConsentHistoryTracking:
         from compliance.db.einwilligungen_models import EinwilligungenConsentHistoryDB
 
         consent = make_consent()
-        consent.revoked_at = datetime.utcnow()
+        consent.revoked_at = datetime.now(timezone.utc)
         entry = EinwilligungenConsentHistoryDB(
             consent_id=consent.id,
             tenant_id=consent.tenant_id,
@@ -516,7 +516,7 @@ class TestConsentHistoryTracking:
 
         entry_id = _uuid.uuid4()
         consent_id = _uuid.uuid4()
-        now = datetime.utcnow()
+        now = datetime.now(timezone.utc)
 
         row = {
             "id": str(entry_id),