Add NL-query backend (W2): local translator + safe named-query runner

Read-only "ask the database in plain English" backend. Translation runs on
the local Qwen via Spark Control (question -> {intent, slots}); nothing leaves
the box, no Claude and no redaction boundary (the simplification chosen after
pressure-testing). The safe surface is a curated catalog of ~12 hand-written
parameterized queries; a slot validator is the trust boundary (no generic SQL,
no dynamic identifiers). POST /api/query/nl + GET /api/query/catalog, gated
require_bot_or_admin, read-only, audited. Soft-delete-correct per table.
Local Qwen translated 12/12 real example questions correctly against the live
Spark. Web "Ask" box and Matrix bot still to come (steps 4-5).

backend/nl_query/__init__.py

@@ -0,0 +1,9 @@
+"""nl_query — the safe, read-only natural-language query surface (W2).
+
+The LLM's job (added later) is only to map a question to a {intent, slots} pair; everything
+that touches the database lives here behind a strict validator and a fixed, hand-written,
+parameterized query catalog. See runner.py (the trust boundary) and intents.py (the catalog).
+"""
+from .runner import run_query, validate, catalog  # noqa: F401
+from .intents import INTENTS  # noqa: F401
+from .translate import translate, answer, build_system  # noqa: F401