feat(security): add BLOG_WRITE permission and GESCHICHTE_NOT_FOUND error code

Foundation for the Geschichten (story) domain (issue #381). BLOG_WRITE gates
authoring of family memory stories; GESCHICHTE_NOT_FOUND is also returned for
DRAFTs requested by users without BLOG_WRITE so existence is not leaked.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Marcel
2026-05-02 17:23:03 +02:00
parent f662bd870e
commit 71b249bf31
2 changed files with 5 additions and 0 deletions


@@ -103,6 +103,10 @@ public enum ErrorCode {
/** A relationship with the same (person, relatedPerson, type) already exists. 409 */
DUPLICATE_RELATIONSHIP,
// --- Geschichten (Stories) ---
/** A Geschichte (story) with the given ID does not exist, or is a DRAFT and the caller lacks BLOG_WRITE. 404 */
GESCHICHTE_NOT_FOUND,
// --- Tags ---
/** A tag with the given ID does not exist. 404 */
TAG_NOT_FOUND,
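Review bot: The Javadoc on `GESCHICHTE_NOT_FOUND` promises that a DRAFT looks the same as a missing story to a caller without BLOG_WRITE, but the code that raises it is not part of this commit, so nothing visible here enforces that. The guarantee only holds if both cases return the same status, body and message, so I would extend the comment with `Callers must use one message for both cases and must not include the story's status or title.` Because the client only sees a 404, the denied DRAFT request should still be logged server-side with the caller's identity, otherwise repeated probing for drafts leaves no trace for operators. List and search endpoints presumably need the same DRAFT filter, which cannot be checked from these lines. ErrorCode continues outside the hunk.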


@@ -4,6 +4,7 @@ public enum Permission {
READ_ALL,
WRITE_ALL,
ANNOTATE_ALL,
BLOG_WRITE,
ADMIN,
ADMIN_USER,
ADMIN_TAG,
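Review bot: `BLOG_WRITE` is inserted between `ANNOTATE_ALL` and `ADMIN`, which shifts the ordinal of `ADMIN`, `ADMIN_USER`, `ADMIN_TAG` and every constant after them. If permissions are stored or serialized by ordinal anywhere (for example `@Enumerated(EnumType.ORDINAL)`; the mapping is not visible here), existing grants would silently resolve to a different permission after deploy. Appending the constant at the end of the enum, or confirming that storage is name-based, avoids that. The constant also carries no comment while its security meaning lives only in the commit message; I would add `/** Allows authoring Geschichten (stories); callers without it get GESCHICHTE_NOT_FOUND for DRAFTs. */` and state there whether `ADMIN` or `WRITE_ALL` imply it. Permission continues outside the hunk.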