test(audit): replace null-actorId bootstrap calls with createUserForBootstrap(), increase timeouts to 10s

Removes the wait+clear cycles that existed only to drain the audit events
emitted by createUserOrUpdate(null, ...). Timeouts increased 5 → 10 s to
reduce CI flakiness under load.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/test/java/org/raddatz/familienarchiv/audit/UserManagementAuditIntegrationTest.java

@@ -45,18 +45,13 @@ class UserManagementAuditIntegrationTest {
 
     @Test
     void createAndDeleteUser_producesOrderedAuditEntries() {
-        // Create the actor (admin) user directly — bypasses audit logging so no FK issue
+        // Bootstrap actor with no audit event — clean slate guaranteed by @BeforeEach
         CreateUserRequest adminReq = new CreateUserRequest();
         adminReq.setEmail("admin@test.example.com");
         adminReq.setInitialPassword("admin-secret");
-        AppUser actor = transactionTemplate.execute(status ->
+        AppUser actor = transactionTemplate.execute(status -> userService.createUserForBootstrap(adminReq));
-                userService.createUserOrUpdate(null, adminReq));
         UUID actorId = actor.getId();
 
-        // The admin creation is logged with null actorId — clear to start with a clean slate
-        await().atMost(5, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.USER_CREATED));
-        transactionTemplate.execute(status -> { auditLogRepository.deleteAll(); return null; });
-
         // Create the target user — should emit USER_CREATED
         CreateUserRequest req = new CreateUserRequest();
         req.setEmail("audit-test@example.com");
@@ -65,7 +60,7 @@ class UserManagementAuditIntegrationTest {
             userService.createUserOrUpdate(actorId, req);
             return null;
         });
-        await().atMost(5, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.USER_CREATED));
+        await().atMost(10, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.USER_CREATED));
 
         // Delete the target user — should emit USER_DELETED
         AppUser created = userRepository.findByEmail("audit-test@example.com").orElseThrow();
@@ -73,7 +68,7 @@ class UserManagementAuditIntegrationTest {
             userService.deleteUser(actorId, created.getId());
             return null;
         });
-        await().atMost(5, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.USER_DELETED));
+        await().atMost(10, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.USER_DELETED));
 
         List<AuditLog> events = auditLogQueryService.findRecentUserManagementEvents(10);
         assertThat(events).hasSize(2);
@@ -83,27 +78,24 @@ class UserManagementAuditIntegrationTest {
 
     @Test
     void updateUserGroups_producesGroupMembershipChangedEvent() {
-        // Create groups before creating users — required for group assignment on creation
         GroupDTO groupADto = new GroupDTO(); groupADto.setName("Viewers"); groupADto.setPermissions(Set.of("READ_ALL"));
         GroupDTO groupBDto = new GroupDTO(); groupBDto.setName("Editors"); groupBDto.setPermissions(Set.of("WRITE_ALL"));
         UserGroup gA = transactionTemplate.execute(status -> userService.createGroup(groupADto));
         UserGroup gB = transactionTemplate.execute(status -> userService.createGroup(groupBDto));
 
-        // Create actor (bootstrap — null actorId, event not relevant)
+        // Bootstrap actor with no audit event — clean slate guaranteed by @BeforeEach
         CreateUserRequest actorReq = new CreateUserRequest();
         actorReq.setEmail("actor-group-test@test.example.com");
         actorReq.setInitialPassword("secret");
-        AppUser actor = transactionTemplate.execute(status -> userService.createUserOrUpdate(null, actorReq));
+        AppUser actor = transactionTemplate.execute(status -> userService.createUserForBootstrap(actorReq));
-        await().atMost(5, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.USER_CREATED));
-        transactionTemplate.execute(status -> { auditLogRepository.deleteAll(); return null; });
 
-        // Create target user pre-assigned to gA
+        // Create target user pre-assigned to gA — emits USER_CREATED
         CreateUserRequest targetReq = new CreateUserRequest();
         targetReq.setEmail("target-group-test@test.example.com");
         targetReq.setInitialPassword("secret");
         targetReq.setGroupIds(List.of(gA.getId()));
         transactionTemplate.execute(status -> userService.createUserOrUpdate(actor.getId(), targetReq));
-        await().atMost(5, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.USER_CREATED));
+        await().atMost(10, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.USER_CREATED));
         transactionTemplate.execute(status -> { auditLogRepository.deleteAll(); return null; });
 
         AppUser target = userRepository.findByEmail("target-group-test@test.example.com").orElseThrow();
@@ -113,7 +105,7 @@ class UserManagementAuditIntegrationTest {
         dto.setGroupIds(List.of(gB.getId()));
         transactionTemplate.execute(status -> userService.adminUpdateUser(actor.getId(), target.getId(), dto));
 
-        await().atMost(5, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.GROUP_MEMBERSHIP_CHANGED));
+        await().atMost(10, SECONDS).until(() -> auditLogRepository.existsByKind(AuditKind.GROUP_MEMBERSHIP_CHANGED));
 
         List<AuditLog> events = auditLogQueryService.findRecentUserManagementEvents(10);
         assertThat(events).hasSize(1);