diff --git a/CLAUDE.md b/CLAUDE.md
index d0b67fe4..234f4cc6 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -64,16 +64,28 @@ npm run generate:api  # Regenerate TypeScript API types from OpenAPI spec
 
 ### Package Structure
 
+Package-by-domain: each domain owns its controller, service, repository, entities, and DTOs.
+
 ```
 backend/src/main/java/org/raddatz/familienarchiv/
-├── controller/     REST endpoints — thin, delegate everything to services
-├── service/        Business logic — the only place that touches repositories
-├── repository/     Spring Data JPA interfaces
-├── model/          JPA entities
-├── dto/            Input objects (request bodies/form data)
-├── exception/      DomainException + ErrorCode enum
-├── security/       SecurityConfig, Permission enum, @RequirePermission, PermissionAspect
-└── config/         MinioConfig, AsyncConfig
+├── audit/               Audit logging
+├── config/              Infrastructure config (Minio, Async, Web)
+├── dashboard/           Dashboard analytics + StatsController/StatsService
+├── document/            Document domain (entities, controller, service, repository, DTOs)
+│   ├── annotation/      DocumentAnnotation, AnnotationService, AnnotationController
+│   ├── comment/         DocumentComment, CommentService, CommentController
+│   └── transcription/   TranscriptionBlock, TranscriptionService, TranscriptionBlockQueryService
+├── exception/           DomainException, ErrorCode, GlobalExceptionHandler
+├── filestorage/         FileService (S3/MinIO)
+├── geschichte/          Geschichte (story) domain
+├── importing/           MassImportService, ExcelService
+├── notification/        Notification domain + SseEmitterRegistry
+├── ocr/                 OCR domain — OcrService, OcrBatchService, training
+├── person/              Person domain
+│   └── relationship/    PersonRelationship sub-domain
+├── security/            SecurityConfig, Permission, @RequirePermission, PermissionAspect
+├── tag/                 Tag domain
+└── user/                User domain — AppUser, UserGroup, UserService, auth controllers
 ```
 
 ### Layering Rules (strictly enforced)
diff --git a/backend/CLAUDE.md b/backend/CLAUDE.md
index 702b6c94..133287d5 100644
--- a/backend/CLAUDE.md
+++ b/backend/CLAUDE.md
@@ -19,18 +19,28 @@ Spring Boot 4.0 monolith serving the Familienarchiv REST API. Handles document m
 
 ## Package Structure
 
+Package-by-domain: each domain owns its controller, service, repository, entities, and DTOs.
+
 ```
 src/main/java/org/raddatz/familienarchiv/
-├── audit/          # Audit logging infrastructure
-├── config/         # MinioConfig, AsyncConfig, RateLimitInterceptor
-├── controller/     # REST endpoints — thin, delegate to services
-├── dashboard/      # Dashboard analytics queries and endpoints
-├── dto/            # Input/request DTOs (e.g., DocumentUpdateDTO, GroupDTO)
-├── exception/      # DomainException + ErrorCode enum
-├── model/          # JPA entities (Document, Person, Tag, AppUser, etc.)
-├── repository/     # Spring Data JPA interfaces + Specifications
-├── security/       # SecurityConfig, Permission enum, @RequirePermission, PermissionAspect
-└── service/        # Business logic — the only place that touches repositories
+├── audit/               # Audit logging (AuditService, AuditLogQueryService)
+├── config/              # Infrastructure config (MinioConfig, AsyncConfig, WebConfig)
+├── dashboard/           # Dashboard analytics + StatsController/StatsService
+├── document/            # Document domain — entities, controller, service, repository, DTOs
+│   ├── annotation/      # DocumentAnnotation, AnnotationService, AnnotationController
+│   ├── comment/         # DocumentComment, CommentService, CommentController
+│   └── transcription/   # TranscriptionBlock, TranscriptionService, TranscriptionBlockQueryService
+├── exception/           # DomainException, ErrorCode, GlobalExceptionHandler
+├── filestorage/         # FileService (S3/MinIO)
+├── geschichte/          # Geschichte (story) domain
+├── importing/           # MassImportService, ExcelService
+├── notification/        # Notification domain + SseEmitterRegistry
+├── ocr/                 # OCR domain — OcrService, OcrBatchService, training
+├── person/              # Person domain — Person, PersonService, PersonController
+│   └── relationship/    # PersonRelationship sub-domain
+├── security/            # SecurityConfig, Permission, @RequirePermission, PermissionAspect
+├── tag/                 # Tag domain — Tag, TagService, TagController
+└── user/                # User domain — AppUser, UserGroup, UserService, auth controllers
 ```
 
 ## Layering Rules (Strict)