Add targeted comments for non-obvious constraints and invariants

- logger.py: note why log path uses abspath(__file__) instead of a relative path
- token.py: note why [7:] slice is safe (startswith already verified)
- ipcalc.py: explain /32 single-host and /31 RFC-3021 point-to-point special
  cases; explain why (~netmask) must be masked with 0xFFFFFFFF (Python ~int
  returns a negative arbitrary-precision value, not a 32-bit unsigned integer)
- notes.py: document the module-level _table_ready flag lifetime; explain why
  tzinfo is stripped before passing datetime to mysql-connector
- admin.py: document the module-level _tables_initialized flag lifetime

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/tools/notes.py

@@ -6,6 +6,8 @@ from auth.token import verify_token
 
 notes_blueprint = Blueprint('notes_tool', __name__)
 
+# Module-level flag: DDL runs at most once per process lifetime.
+# Resets automatically on worker restart, which re-triggers the check.
 _table_ready = False
 
 
@@ -106,6 +108,8 @@ def update_note(note_id):
         title = data.get("title", "").strip() or "Neue Notiz"
         content = data.get("content", "")
         language = data.get("language", "text")
+        # mysql-connector expects a naive datetime for DATETIME columns;
+        # strip tzinfo after converting to UTC to avoid driver warnings.
         now = datetime.now(timezone.utc).replace(tzinfo=None)
 
         conn = get_connection()