fix(security): cap PersonController size param at 50 to prevent resource exhaustion

Addresses @Nora review: ?sort=documentCount&size=999999 could trigger a
full-table query and large serialization. Cap enforced at controller boundary.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/person/PersonController.java

@@ -40,7 +40,8 @@ public class PersonController {
             @RequestParam(required = false, defaultValue = "0") int size,
             @RequestParam(required = false) String sort) {
         if ("documentCount".equals(sort) && size > 0 && q == null) {
-            return ResponseEntity.ok(personService.findTopByDocumentCount(size));
+            int safeSize = Math.min(size, 50);
+            return ResponseEntity.ok(personService.findTopByDocumentCount(safeSize));
         }
         return ResponseEntity.ok(personService.findAll(q));
     }

backend/src/test/java/org/raddatz/familienarchiv/person/PersonControllerTest.java

@@ -92,6 +92,18 @@ class PersonControllerTest {
                 .andExpect(jsonPath("$[0].firstName").value("Käthe"));
     }
 
+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void getPersons_capsTopByDocumentCount_atFifty() throws Exception {
+        ArgumentCaptor<Integer> sizeCaptor = ArgumentCaptor.forClass(Integer.class);
+        when(personService.findTopByDocumentCount(sizeCaptor.capture())).thenReturn(Collections.emptyList());
+
+        mockMvc.perform(get("/api/persons").param("sort", "documentCount").param("size", "999"))
+                .andExpect(status().isOk());
+
+        assertThat(sizeCaptor.getValue()).isEqualTo(50);
+    }
+
     private PersonSummaryDTO mockPersonSummary(String firstName, String lastName) {
         return new PersonSummaryDTO() {
             public java.util.UUID getId() { return UUID.randomUUID(); }