feat(api): add GET/POST/DELETE /api/persons/{id}/aliases endpoints

GET returns aliases (no permission required), POST requires
WRITE_ALL, DELETE requires WRITE_ALL. 5 new controller tests.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/controller/PersonController.java

@@ -5,10 +5,12 @@ import java.util.Map;
 import java.util.UUID;
 
 
+import org.raddatz.familienarchiv.dto.PersonNameAliasDTO;
 import org.raddatz.familienarchiv.dto.PersonSummaryDTO;
 import org.raddatz.familienarchiv.dto.PersonUpdateDTO;
 import org.raddatz.familienarchiv.model.Document;
 import org.raddatz.familienarchiv.model.Person;
+import org.raddatz.familienarchiv.model.PersonNameAlias;
 import org.raddatz.familienarchiv.security.Permission;
 import org.raddatz.familienarchiv.security.RequirePermission;
 import org.raddatz.familienarchiv.service.DocumentService;
@@ -92,4 +94,24 @@ public class PersonController {
         }
         personService.mergePersons(id, UUID.fromString(targetIdStr));
     }
+
+    // ─── Alias endpoints ────────────────────────────────────────────────────
+
+    @GetMapping("/{id}/aliases")
+    public List<PersonNameAlias> getAliases(@PathVariable UUID id) {
+        return personService.getAliases(id);
+    }
+
+    @PostMapping("/{id}/aliases")
+    @RequirePermission(Permission.WRITE_ALL)
+    public PersonNameAlias addAlias(@PathVariable UUID id, @RequestBody PersonNameAliasDTO dto) {
+        return personService.addAlias(id, dto);
+    }
+
+    @DeleteMapping("/{id}/aliases/{aliasId}")
+    @ResponseStatus(HttpStatus.NO_CONTENT)
+    @RequirePermission(Permission.WRITE_ALL)
+    public void removeAlias(@PathVariable UUID id, @PathVariable UUID aliasId) {
+        personService.removeAlias(id, aliasId);
+    }
 }