feat: Anti-Fake-Evidence System (Phase 1-4b)

Implement full evidence integrity pipeline to prevent compliance theater:
- Confidence levels (E0-E4), truth status tracking, assertion engine
- Four-Eyes approval workflow, audit trail, reject endpoint
- Evidence distribution dashboard, LLM audit routes
- Traceability matrix (backend endpoint + Compliance Hub UI tab)
- Anti-fake badges, control status machine, normative patterns
- 2 migrations, 4 test suites, MkDocs documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend-compliance/tests/test_control_routes.py

@@ -61,6 +61,7 @@ def make_control(overrides=None):
     c.status = MagicMock()
     c.status.value = "planned"
     c.status_notes = None
+    c.status_justification = None
     c.last_reviewed_at = None
     c.next_review_at = None
     c.created_at = NOW
@@ -249,15 +250,15 @@ class TestUpdateControl:
         assert response.status_code == 404
 
     def test_update_status_with_valid_enum(self):
-        """Status must be a valid ControlStatusEnum value."""
+        """Status must be a valid ControlStatusEnum value (planned → in_progress is always allowed)."""
         updated = make_control()
-        updated.status.value = "pass"
+        updated.status.value = "in_progress"
         with patch("compliance.api.routes.ControlRepository") as MockRepo:
             MockRepo.return_value.get_by_control_id.return_value = make_control()
             MockRepo.return_value.update.return_value = updated
             response = client.put(
                 "/compliance/controls/GOV-001",
-                json={"status": "pass"},
+                json={"status": "in_progress"},
             )
         assert response.status_code == 200