feat(audit): add audit_log infrastructure and instrument AnnotationService

- V46 migration: audit_log table with indexes and append-only REVOKE
- audit/ package: AuditKind enum (with Javadoc payloads), AuditLog entity,
  AuditLogRepository, AuditService (@Async on dedicated auditExecutor)
- AsyncConfig: auditExecutor with CallerRunsPolicy and queueCapacity 50
- AnnotationService: ANNOTATION_CREATED on createAnnotation() only,
  deferred via afterCommit() when inside a transaction

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/audit/AuditKind.java

@@ -0,0 +1,22 @@
+package org.raddatz.familienarchiv.audit;
+
+public enum AuditKind {
+
+    /** Payload: none */
+    FILE_UPLOADED,
+
+    /** Payload: {@code {"oldStatus": "UPLOADED", "newStatus": "TRANSCRIBED"}} */
+    STATUS_CHANGED,
+
+    /** Payload: none */
+    METADATA_UPDATED,
+
+    /** Payload: {@code {"pageNumber": 3}} */
+    TEXT_SAVED,
+
+    /** Payload: none */
+    BLOCK_REVIEWED,
+
+    /** Payload: {@code {"pageNumber": 3}} */
+    ANNOTATION_CREATED,
+}

backend/src/main/java/org/raddatz/familienarchiv/audit/AuditLog.java

@@ -0,0 +1,46 @@
+package org.raddatz.familienarchiv.audit;
+
+import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.persistence.*;
+import lombok.*;
+import org.hibernate.annotations.CreationTimestamp;
+import org.hibernate.annotations.JdbcTypeCode;
+import org.hibernate.type.SqlTypes;
+
+import java.time.OffsetDateTime;
+import java.util.Map;
+import java.util.UUID;
+
+@Entity
+@Table(name = "audit_log")
+@Data
+@NoArgsConstructor
+@AllArgsConstructor
+@Builder
+public class AuditLog {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.UUID)
+    @Schema(requiredMode = Schema.RequiredMode.REQUIRED)
+    private UUID id;
+
+    @Column(name = "happened_at", nullable = false, updatable = false)
+    @CreationTimestamp
+    @Schema(requiredMode = Schema.RequiredMode.REQUIRED)
+    private OffsetDateTime happenedAt;
+
+    @Column(name = "actor_id")
+    private UUID actorId;
+
+    @Enumerated(EnumType.STRING)
+    @Column(name = "kind", nullable = false)
+    @Schema(requiredMode = Schema.RequiredMode.REQUIRED)
+    private AuditKind kind;
+
+    @Column(name = "document_id")
+    private UUID documentId;
+
+    @JdbcTypeCode(SqlTypes.JSON)
+    @Column(columnDefinition = "jsonb")
+    private Map<String, Object> payload;
+}

backend/src/main/java/org/raddatz/familienarchiv/audit/AuditLogRepository.java

@@ -0,0 +1,8 @@
+package org.raddatz.familienarchiv.audit;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+
+import java.util.UUID;
+
+public interface AuditLogRepository extends JpaRepository<AuditLog, UUID> {
+}

backend/src/main/java/org/raddatz/familienarchiv/audit/AuditService.java

@@ -0,0 +1,31 @@
+package org.raddatz.familienarchiv.audit;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.scheduling.annotation.Async;
+import org.springframework.stereotype.Service;
+
+import java.util.Map;
+import java.util.UUID;
+
+@Service
+@RequiredArgsConstructor
+@Slf4j
+public class AuditService {
+
+    private final AuditLogRepository auditLogRepository;
+
+    @Async("auditExecutor")
+    public void log(AuditKind kind, UUID actorId, UUID documentId, Map<String, Object> payload) {
+        try {
+            auditLogRepository.save(AuditLog.builder()
+                    .kind(kind)
+                    .actorId(actorId)
+                    .documentId(documentId)
+                    .payload(payload)
+                    .build());
+        } catch (Exception e) {
+            log.error("Audit log write failed: kind={}, document={}", kind, documentId, e);
+        }
+    }
+}

backend/src/main/java/org/raddatz/familienarchiv/config/AsyncConfig.java

@@ -23,4 +23,15 @@ public class AsyncConfig {
         executor.setRejectedExecutionHandler(new ThreadPoolExecutor.AbortPolicy());
         return executor;
     }
+
+    @Bean("auditExecutor")
+    public Executor auditExecutor() {
+        ThreadPoolTaskExecutor executor = new ThreadPoolTaskExecutor();
+        executor.setCorePoolSize(1);
+        executor.setMaxPoolSize(2);
+        executor.setQueueCapacity(50);
+        executor.setThreadNamePrefix("Audit-");
+        executor.setRejectedExecutionHandler(new ThreadPoolExecutor.CallerRunsPolicy());
+        return executor;
+    }
 }

backend/src/main/java/org/raddatz/familienarchiv/service/AnnotationService.java

@@ -2,6 +2,8 @@ package org.raddatz.familienarchiv.service;
 
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.raddatz.familienarchiv.audit.AuditKind;
+import org.raddatz.familienarchiv.audit.AuditService;
 import org.raddatz.familienarchiv.dto.CreateAnnotationDTO;
 import org.raddatz.familienarchiv.dto.UpdateAnnotationDTO;
 import org.raddatz.familienarchiv.exception.DomainException;
@@ -12,8 +14,11 @@ import org.raddatz.familienarchiv.repository.TranscriptionBlockRepository;
 import org.springframework.dao.DataIntegrityViolationException;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
+import org.springframework.transaction.support.TransactionSynchronization;
+import org.springframework.transaction.support.TransactionSynchronizationManager;
 
 import java.util.List;
+import java.util.Map;
 import java.util.UUID;
 
 @Slf4j
@@ -23,6 +28,7 @@ public class AnnotationService {
 
     private final AnnotationRepository annotationRepository;
     private final TranscriptionBlockRepository blockRepository;
+    private final AuditService auditService;
 
     public List<DocumentAnnotation> listAnnotations(UUID documentId) {
         return annotationRepository.findByDocumentId(documentId);
@@ -42,7 +48,10 @@ public class AnnotationService {
                 .createdBy(userId)
                 .build();
 
-        return annotationRepository.save(annotation);
+        DocumentAnnotation saved = annotationRepository.save(annotation);
+        logAfterCommit(AuditKind.ANNOTATION_CREATED, userId, saved.getDocumentId(),
+                Map.of("pageNumber", saved.getPageNumber()));
+        return saved;
     }
 
     @Transactional
@@ -108,4 +117,17 @@ public class AnnotationService {
         });
     }
 
+    private void logAfterCommit(AuditKind kind, UUID actorId, UUID documentId, Map<String, Object> payload) {
+        if (TransactionSynchronizationManager.isActualTransactionActive()) {
+            TransactionSynchronizationManager.registerSynchronization(new TransactionSynchronization() {
+                @Override
+                public void afterCommit() {
+                    auditService.log(kind, actorId, documentId, payload);
+                }
+            });
+        } else {
+            auditService.log(kind, actorId, documentId, payload);
+        }
+    }
+
 }

backend/src/main/resources/db/migration/V46__add_audit_log.sql

@@ -0,0 +1,22 @@
+-- Append-only audit trail for domain-level archive activity.
+-- Enables dashboard queries (Family Pulse, activity feed, resume card) in #271.
+
+CREATE TABLE audit_log (
+    id          UUID        PRIMARY KEY DEFAULT gen_random_uuid(),
+    happened_at TIMESTAMPTZ NOT NULL    DEFAULT now(),
+    -- ON DELETE SET NULL is by design: GDPR right-to-erasure. Deleted users' events
+    -- retain their timestamp and kind but lose actor attribution.
+    actor_id    UUID        REFERENCES app_users(id) ON DELETE SET NULL,
+    kind        VARCHAR(50) NOT NULL,
+    document_id UUID        REFERENCES documents(id) ON DELETE CASCADE,
+    payload     JSONB
+);
+
+CREATE INDEX idx_audit_log_happened_at ON audit_log (happened_at DESC);
+CREATE INDEX idx_audit_log_document_id ON audit_log (document_id);
+CREATE INDEX idx_audit_log_actor_id    ON audit_log (actor_id);
+CREATE INDEX idx_audit_log_kind        ON audit_log (kind);
+
+-- Enforce append-only at the database layer: the application role may INSERT
+-- but must not UPDATE or DELETE audit rows.
+REVOKE UPDATE, DELETE ON audit_log FROM app_user;