fix(obs): wire Prometheus endpoint for Spring Boot 4.0

Four Spring Boot 4.0-specific issues prevented /actuator/prometheus from working:

1. spring-boot-starter-micrometer-metrics missing — Spring Boot 4.0 splits
   Micrometer metrics export (including the Prometheus scrape endpoint) out of
   spring-boot-starter-actuator into its own starter. Added dependency.

2. management.prometheus.metrics.export.enabled not set — Spring Boot 4.0
   defaults metrics export to false (opt-in). Added the property to
   application.yaml.

3. SecurityConfig did not permit /actuator/prometheus — Spring Boot 4.0
   with Jetty serves the management port (8081) via the same security filter
   chain as the main port (8080). The previous commit's exclusion of
   ManagementWebSecurityAutoConfiguration was a no-op (that class no longer
   exists in Spring Boot 4.0); removed it and added the correct permitAll()
   rule. Updated the architecture comment in application.yaml to reflect the
   true filter-chain behaviour.

4. Reverted invalid FamilienarchivApplication.java change from the prior
   commit (ManagementWebSecurityAutoConfiguration import compiled against a
   class that does not exist in the Spring Boot 4.0 BOM).

Also adds ActuatorPrometheusIT — an integration test that asserts the
/actuator/prometheus endpoint returns 200 with jvm_memory_used_bytes without
credentials, serving as regression protection against future Spring Boot
upgrades silently breaking metrics collection.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/FamilienarchivApplication.java

@@ -1,11 +1,9 @@
 package org.raddatz.familienarchiv;
 
 import org.springframework.boot.SpringApplication;
-import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 
-// Excluded: management port (8081) is network-isolated inside archiv-net; no app-level auth needed.
-@SpringBootApplication(exclude = {ManagementWebSecurityAutoConfiguration.class})
+@SpringBootApplication
 public class FamilienarchivApplication {
 
 	public static void main(String[] args) {

backend/src/main/java/org/raddatz/familienarchiv/security/SecurityConfig.java

@@ -54,8 +54,14 @@ public class SecurityConfig {
                 .csrf(csrf -> csrf.disable())
 
                 .authorizeHttpRequests(auth -> {
-                    // Health endpoint must be open so CI/Docker health checks work without credentials
-                    auth.requestMatchers("/actuator/health").permitAll();
+                    // Both /actuator/health and /actuator/prometheus must be open.
+                    // In Spring Boot 4.0 the management server (port 8081) shares the security filter chain;
+                    // network isolation (port 8081 not published in docker-compose) is the security boundary.
+                    // Health and Prometheus must be open — no credentials for Docker health checks or Prometheus scraping.
+                    // Note: in Spring Boot 4.0 the management port shares the security filter chain,
+                    // so these paths must be explicitly permitted here even though they are served on port 8081.
+                    // Network isolation (port 8081 not published in docker-compose) is the outer security boundary.
+                    auth.requestMatchers("/actuator/health", "/actuator/prometheus").permitAll();
                     // Password reset endpoints are unauthenticated by nature
                     auth.requestMatchers("/api/auth/forgot-password", "/api/auth/reset-password").permitAll();
                     // Invite-based registration endpoints are public