Commit 8c1a5c4
docs: tenant isolation audit + fix forecasting cross-tenant access (#2121)

* docs: tenant isolation audit + fix forecasting cross-tenant access

Audit of all services for three categories of tenant isolation gaps:
direct DB connections bypassing TenantGuard, optional tenant routes,
and TenantGuardBypass usage outside infrastructure operations.

Audit report: docs/audits/tenant-isolation-audit-2026-04-04.md

Bug fix: forecasting ComputeForwardCurve fetched strategies by UUID
without verifying ownership. Any authenticated tenant could execute
another tenant's strategy by UUID. Handler now checks
strategy.TenantID() matches the context tenant before proceeding,
returning NotFound to avoid leaking strategy existence.

Test: TestComputeForwardCurve_CrossTenantAccess_ReturnsNotFound

* fix: extract loadAuthorizedStrategy to keep ComputeForwardCurve under 60 lines

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

1 parent 68461ee commit 8c1a5c4
3 files changed
Lines changed: 457 additions & 2 deletions
File tree
- docs/audits
- services/forecasting/handler
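
The ownership check the commit message describes, sketched as an added example that is not the project's code. Only the names `loadAuthorizedStrategy` and `TenantID()` come from the commit message; their bodies, plus `Strategy`, `store`, `WithTenant`, `ErrNotFound` and `loadUnchecked`, are assumptions made for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// One error for "missing" and "owned by another tenant", so callers cannot probe UUIDs.
var ErrNotFound = errors.New("strategy not found")

type tenantKey struct{}

// Strategy and store are hypothetical stand-ins, not the forecasting service's types.
type Strategy struct{ tenantID string }

func (s Strategy) TenantID() string { return s.tenantID }

type store map[string]Strategy // constructed in-memory repository keyed by UUID

// WithTenant (hypothetical) attaches the authenticated tenant to the request context.
func WithTenant(ctx context.Context, tenant string) context.Context {
	return context.WithValue(ctx, tenantKey{}, tenant)
}

// loadUnchecked models the pre-fix behaviour: lookup by UUID alone.
func (s store) loadUnchecked(_ context.Context, id string) (Strategy, error) {
	st, ok := s[id]
	if !ok {
		return Strategy{}, ErrNotFound
	}
	return st, nil
}

// loadAuthorizedStrategy adds the ownership check and fails closed without a tenant.
func (s store) loadAuthorizedStrategy(ctx context.Context, id string) (Strategy, error) {
	tenant, _ := ctx.Value(tenantKey{}).(string)
	st, found := s[id]
	if tenant == "" || !found || st.TenantID() != tenant {
		return Strategy{}, ErrNotFound
	}
	return st, nil
}

func main() {
	repo := store{"uuid-a": {tenantID: "tenant-a"}} // constructed sample data
	ctx := WithTenant(context.Background(), "tenant-b")
	_, before := repo.loadUnchecked(ctx, "uuid-a")
	_, after := repo.loadAuthorizedStrategy(ctx, "uuid-a")
	fmt.Println("unchecked:", before, "| authorized:", after)
}
```

A regression test for this pattern should assert that the foreign-tenant case and the nonexistent-UUID case return the same error, since any difference between them reveals which UUIDs exist.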