docs(journey): annotate note field as unsanitized plain text in JourneyItem and JourneyItemView

Add Javadoc to the note field warning renderers not to use @html or equivalent
unsafe output — the value is stored verbatim without sanitization.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/geschichte/journeyitem/JourneyItem.java

@@ -38,8 +38,11 @@ public class JourneyItem {
     @JsonIgnore
     private Document document;
 
-    // CWE-79 tripwire: plain text — store verbatim, no sanitization. Any HTML/feed/PDF/email
-    // renderer MUST escape this; only Svelte {note} is auto-safe.
+    /**
+     * Plain text — not HTML-sanitized. Renderers MUST NOT use {@code @html} or equivalent unsafe output.
+     *
+     * <p>CWE-79 tripwire: stored verbatim; only Svelte {note} interpolation is auto-safe.</p>
+     */
     @Column(columnDefinition = "TEXT")
     private String note;
 

backend/src/main/java/org/raddatz/familienarchiv/geschichte/journeyitem/JourneyItemView.java

@@ -12,5 +12,6 @@ public record JourneyItemView(
         @Schema(requiredMode = Schema.RequiredMode.REQUIRED) UUID id,
         @Schema(requiredMode = Schema.RequiredMode.REQUIRED) int position,
         DocumentSummary document,
+        /** Plain text — not HTML-sanitized. Renderers MUST NOT use {@code @html} or equivalent unsafe output. */
         String note
 ) {}