fix(#71,#73): remove class-level permission gate and add annotationId to notifications

- Remove @RequirePermission(READ_ALL) from NotificationController class level so
  authenticated users with any permission (or none) can access their own notifications
- Add V19 migration, annotationId field to Notification entity and NotificationDTO
- NotificationService now stores annotationId from comment on both REPLY and MENTION
- Update controller tests: permission tests now expect 200, DTO constructor includes annotationId

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/resources/db/migration/V19__add_annotation_id_to_notifications.sql

@@ -0,0 +1 @@
+ALTER TABLE notifications ADD COLUMN annotation_id UUID;