fix: address PR review feedback — security, architecture, dead code

Fixes from PR #178 review:

Migration fixes:
- V18/V19: fix FK references from app_users to users (correct table name)
- V18: change annotation_id FK from ON DELETE CASCADE to ON DELETE RESTRICT
  (block is aggregate root, cascade flows from block, not annotation)

Backend fixes:
- TranscriptionService.deleteBlock(): remove userId param, delete block first
  then annotation directly via repository (no ownership check — block owns annotation)
- TranscriptionService.sanitizeText(): remove flawed regex HTML stripping,
  textarea content is plain text by design — just enforce max length
- TranscriptionBlockController.requireUserId(): throw DomainException.unauthorized()
  instead of silently returning null on auth failure
- CreateTranscriptionBlockDTO: add @Min/@Positive validation on coordinates
- Add @Slf4j logging to TranscriptionService for create/delete operations

Frontend fixes:
- Delete DocumentBottomPanel.svelte entirely (issue #175 requirement)
- Remove redundant mode exclusivity $effect (handled at toggle call sites)
- Remove dead handleCommentClick + onCommentClick prop (comments are future work)
- Remove quote hint UI (depends on comment feature)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/lib/components/DocumentBottomPanel.svelte

@@ -1,193 +0,0 @@
-<script lang="ts">
-import { m } from '$lib/paraglide/messages.js';
-import PanelMetadata from './PanelMetadata.svelte';
-import PanelTranscription from './PanelTranscription.svelte';
-import PanelDiscussion from './PanelDiscussion.svelte';
-import PanelHistory from './PanelHistory.svelte';
-import type { Comment, DocumentPanelTab } from '$lib/types';
-
-type Doc = {
-	id: string;
-	title?: string | null;
-	documentDate?: string | null;
-	location?: string | null;
-	documentLocation?: string | null;
-	tags?: { id: string; name: string }[] | null;
-	sender?: { id: string; firstName: string; lastName: string; alias?: string | null } | null;
-	receivers?: { id: string; firstName: string; lastName: string }[] | null;
-	summary?: string | null;
-	transcription?: string | null;
-};
-
-type Props = {
-	doc: Doc;
-	comments: Comment[];
-	canComment: boolean;
-	currentUserId: string | null;
-	canAdmin: boolean;
-	open: boolean;
-	height: number;
-	activeTab: DocumentPanelTab;
-	targetCommentId?: string | null;
-};
-
-let {
-	doc,
-	comments,
-	canComment,
-	currentUserId,
-	canAdmin,
-	open = $bindable(),
-	height = $bindable(),
-	activeTab = $bindable(),
-	targetCommentId = null
-}: Props = $props();
-
-const MIN_HEIGHT = 52; // drag handle (8px) + tab bar (~44px)
-
-let isDragging = $state(false);
-let dragStartY = 0;
-let dragStartHeight = 0;
-
-function fullHeight() {
-	const topbar = document.querySelector('[data-topbar]');
-	return window.innerHeight - (topbar?.getBoundingClientRect().bottom ?? 0);
-}
-
-function openTab(tab: DocumentPanelTab) {
-	activeTab = tab;
-	if (!open) {
-		open = true;
-		if (height <= MIN_HEIGHT) height = fullHeight();
-	}
-}
-
-function closePanel() {
-	open = false;
-}
-
-function onDragStart(e: PointerEvent) {
-	isDragging = true;
-	dragStartY = e.clientY;
-	dragStartHeight = open ? height : MIN_HEIGHT;
-	(e.currentTarget as HTMLElement).setPointerCapture(e.pointerId);
-}
-
-function onDragMove(e: PointerEvent) {
-	if (!isDragging) return;
-	const delta = dragStartY - e.clientY; // positive = dragging up = bigger panel
-	const newHeight = dragStartHeight + delta;
-	const maxHeight = fullHeight();
-
-	if (newHeight <= MIN_HEIGHT + 20) {
-		// collapsed past threshold → close
-		open = false;
-	} else {
-		open = true;
-		height = Math.max(80, Math.min(newHeight, maxHeight));
-	}
-}
-
-function onDragEnd() {
-	isDragging = false;
-}
-
-const tabs: { id: DocumentPanelTab; label: () => string }[] = [
-	{ id: 'metadata', label: m.doc_panel_tab_metadata },
-	{ id: 'transcription', label: m.doc_panel_tab_transcription },
-	{ id: 'discussion', label: m.doc_panel_tab_discussion },
-	{ id: 'history', label: m.doc_panel_tab_history }
-];
-
-const panelHeight = $derived(open ? height : MIN_HEIGHT);
-
-let discussionCount = $state((() => comments.reduce((s, c) => s + 1 + c.replies.length, 0))());
-
-function handleCountChange(count: number) {
-	discussionCount = count;
-}
-</script>
-
-<div
-	class="z-30 flex shrink-0 flex-col border-t border-line bg-surface shadow-[0_-4px_16px_rgba(0,0,0,0.08)]"
-	style="height: {panelHeight}px"
-	data-testid="bottom-panel"
->
-	<!-- Drag handle -->
-	<div
-		class="flex h-2 shrink-0 cursor-ns-resize items-center justify-center bg-surface"
-		style="touch-action: none"
-		role="separator"
-		aria-orientation="horizontal"
-		aria-label="Panel resize"
-		onpointerdown={onDragStart}
-		onpointermove={onDragMove}
-		onpointerup={onDragEnd}
-		onpointercancel={onDragEnd}
-	>
-		<div class="h-1 w-12 rounded-full bg-line"></div>
-	</div>
-
-	<!-- Tab bar -->
-	<div class="flex shrink-0 items-center border-b border-line bg-surface">
-		<!-- Scrollable tabs area — hides scrollbar visually -->
-		<div
-			class="flex flex-1 items-center overflow-x-auto px-2 [scrollbar-width:none] [&::-webkit-scrollbar]:hidden"
-		>
-			{#each tabs as tab (tab.id)}
-				<button
-					onclick={() => openTab(tab.id)}
-					class="mr-1 shrink-0 px-3 py-2.5 font-sans text-xs font-medium transition-colors {activeTab === tab.id && open
-						? 'border-b-2 border-primary text-ink'
-						: 'text-ink-3 hover:text-ink'}"
-					aria-pressed={activeTab === tab.id && open}
-				>
-					{tab.label()}
-					{#if tab.id === 'discussion'}
-						<span
-							data-testid="discussion-count-badge"
-							class="ml-1.5 inline-flex h-4 min-w-4 items-center justify-center rounded-full bg-primary px-1 font-sans text-[10px] font-bold text-primary-fg"
-							>{discussionCount}</span
-						>
-					{/if}
-				</button>
-			{/each}
-		</div>
-
-		{#if open}
-			<button
-				onclick={closePanel}
-				data-testid="panel-close-btn"
-				aria-label="Panel schließen"
-				class="mr-2 shrink-0 rounded p-1.5 text-ink-3 transition-colors hover:bg-muted hover:text-ink"
-			>
-				<svg class="h-4 w-4" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
-					<path stroke-linecap="round" stroke-linejoin="round" d="M6 18L18 6M6 6l12 12" />
-				</svg>
-			</button>
-		{/if}
-	</div>
-
-	<!-- Tab content -->
-	{#if open}
-		<div class="flex-1 overflow-y-auto" data-testid="bottom-panel-content">
-			{#if activeTab === 'metadata'}
-				<PanelMetadata doc={doc} />
-			{:else if activeTab === 'transcription'}
-				<PanelTranscription doc={doc} />
-			{:else if activeTab === 'discussion'}
-				<PanelDiscussion
-					documentId={doc.id}
-					initialComments={comments}
-					canComment={canComment}
-					currentUserId={currentUserId}
-					canAdmin={canAdmin}
-					targetCommentId={targetCommentId}
-					onCountChange={handleCountChange}
-				/>
-			{:else if activeTab === 'history'}
-				<PanelHistory documentId={doc.id} />
-			{/if}
-		</div>
-	{/if}
-</div>

frontend/src/lib/components/TranscriptionBlock.svelte

@@ -12,7 +12,6 @@ type Props = {
 	saveState: SaveState;
 	onTextChange: (text: string) => void;
 	onFocus: () => void;
-	onCommentClick: () => void;
 	onDeleteClick: () => void;
 	onRetry: () => void;
 };
@@ -26,7 +25,6 @@ let {
 	saveState,
 	onTextChange,
 	onFocus,
-	onCommentClick,
 	onDeleteClick,
 	onRetry
 }: Props = $props();
@@ -91,22 +89,7 @@ function handleDelete() {
 		></textarea>
 
 		<!-- Footer -->
-		<div class="flex items-center justify-between border-t border-line pt-2">
-			<div class="flex flex-col gap-1">
-				<button
-					type="button"
-					class="text-xs font-medium text-ink-2 transition-colors hover:text-ink"
-					onclick={onCommentClick}
-				>
-					{m.transcription_block_comment_btn()}
-				</button>
-				{#if active}
-					<span class="text-xs text-ink-3">
-						{m.transcription_block_quote_hint()}
-					</span>
-				{/if}
-			</div>
-
+		<div class="flex items-center justify-end border-t border-line pt-2">
 			<div class="flex items-center gap-2">
 				<!-- Save state indicator -->
 				{#if saveState === 'saving'}

frontend/src/lib/components/TranscriptionEditView.svelte

@@ -119,10 +119,6 @@ function handleDelete(blockId: string) {
 	onDeleteBlock(blockId);
 }
 
-function handleCommentClick() {
-	// Placeholder for future comment functionality
-}
-
 $effect(() => {
 	function onBeforeUnload() {
 		flushAllPending();
@@ -153,7 +149,6 @@ $effect(() => {
 						saveState={getSaveState(block.id)}
 						onTextChange={(text) => handleTextChange(block.id, text)}
 						onFocus={() => handleFocus(block.id)}
-						onCommentClick={handleCommentClick}
 						onDeleteClick={() => handleDelete(block.id)}
 						onRetry={() => handleRetry(block.id)}
 					/>

frontend/src/routes/documents/[id]/+page.svelte

@@ -63,13 +63,6 @@ let transcribeMode = $state(false);
 let activeAnnotationId = $state<string | null>(null);
 let activeAnnotationPage = $state<number | null>(null);
 
-// Mode exclusivity: entering one mode exits the other
-$effect(() => {
-	if (annotateMode && transcribeMode) {
-		transcribeMode = false;
-	}
-});
-
 // ── Transcription blocks ─────────────────────────────────────────────────────
 
 type TranscriptionBlockData = {