docs(stammbaum): document intentional auth design on RelationshipController GET endpoints

Addresses @markus/@nora suggestion: makes explicit that the missing
@RequirePermission on read endpoints is intentional — all authenticated
family members may read the family graph; unauthenticated access is still
blocked by Spring Security's anyRequest().authenticated() rule.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/relationship/RelationshipController.java

@@ -34,6 +34,9 @@ public class RelationshipController {
 
     private final RelationshipService relationshipService;
 
+    // READ endpoints carry no @RequirePermission: all authenticated users may read the family graph.
+    // Unauthenticated requests are rejected by Spring Security's anyRequest().authenticated() rule.
+
     @GetMapping("/api/network")
     public NetworkDTO getNetwork() {
         return relationshipService.getFamilyNetwork();