devops(observability): fix C4 diagram, security comment, and add Loki compactor block

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docker-compose.observability.yml

@@ -100,10 +100,7 @@ services:
     volumes:
       - ./infra/observability/promtail/promtail-config.yml:/etc/promtail/promtail-config.yml:ro
       - /var/lib/docker/containers:/var/lib/docker/containers:ro
-      # /var/run/docker.sock gives Promtail container-name discovery. Trade-off: any
-      # process that can write to this socket can control the Docker daemon (container
-      # escape). Acceptable on a single-operator archive; review if multi-user access
-      # to the host is ever introduced.
+      # :ro restricts file-system access but NOT Docker API permissions — a compromised Promtail has full daemon access. Accepted risk on single-operator self-hosted archive.
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - promtail_positions:/tmp  # persists positions.yaml across restarts — avoids duplicate log ingestion
     command: -config.file=/etc/promtail/promtail-config.yml

docs/architecture/c4/l2-containers.puml

@@ -19,7 +19,8 @@ System_Boundary(archiv, "Familienarchiv (Docker Compose)") {
 
 System_Boundary(observability, "Observability Stack (docker-compose.observability.yml / archiv-net)") {
     Container(prometheus, "Prometheus", "prom/prometheus", "Scrapes metrics from backend management port 8081 (/actuator/prometheus). Retention and alert rules TBD — see issue #581.")
-    Container(loki, "Loki", "grafana/loki", "Log aggregation. Receives structured logs from the stack. Wiring TBD — see issue #581.")
+    Container(loki, "Loki", "grafana/loki:3.4.2", "Stores log streams from all containers.")
+    Container(promtail, "Promtail", "grafana/promtail:3.4.2", "Ships Docker container logs to Loki via Docker SD")
     Container(grafana, "Grafana", "grafana/grafana", "Dashboards and alerting UI. Data sources: Prometheus + Loki. Wiring TBD — see issue #581.")
 }
 
@@ -34,5 +35,6 @@ Rel(backend, ocr, "OCR job requests with presigned MinIO URL", "HTTP / REST / JS
 Rel(backend, mail, "Sends notification and password-reset emails (optional)", "SMTP")
 Rel(ocr, storage, "Fetches PDF via presigned URL", "HTTP / S3 presigned")
 Rel(mc, storage, "Bootstraps bucket + service account on startup", "MinIO Client CLI")
+Rel(promtail, loki, "Pushes log streams", "HTTP/Loki push API")
 
 @enduml

infra/observability/loki/loki-config.yml

@@ -28,5 +28,13 @@ schema_config:
 limits_config:
   retention_period: 720h  # 30 days — low-volume family archive; revisit if log volume grows
 
+compactor:
+  working_directory: /loki/compactor
+  compaction_interval: 10m
+  retention_enabled: true
+  retention_delete_delay: 2h
+  retention_delete_worker_count: 150
+  delete_request_store: filesystem
+
 analytics:
   reporting_enabled: false  # no telemetry sent to Grafana Labs