diff --git a/docs/architecture/c4-diagrams.md b/docs/architecture/c4-diagrams.md
index e8df323a..ef158937 100644
--- a/docs/architecture/c4-diagrams.md
+++ b/docs/architecture/c4-diagrams.md
@@ -73,16 +73,16 @@ C4Component
     ContainerDb(db, "PostgreSQL")
 
     System_Boundary(backend, "API Backend (Spring Boot)") {
-        Component(secFilter, "Security Filter Chain", "Spring Security", "Enforces authentication on all requests. Parses Basic Auth header and validates credentials via BCrypt.")
+        Component(secFilter, "Security Filter Chain", "Spring Security", "Enforces authentication on all requests. Parses Basic Auth header and validates credentials via BCrypt. Permits password-reset, invite, and register endpoints without authentication.")
         Component(permAspect, "PermissionAspect", "Spring AOP", "Intercepts methods annotated with @RequirePermission. Checks user's granted authorities against the required permission. Throws 401/403 if denied.")
         Component(secConf, "SecurityConfig", "Spring @Configuration", "Configures filter chain: all routes require authentication, CSRF disabled, BCrypt password encoder, DaoAuthenticationProvider with CustomUserDetailsService.")
-        Component(userDetails, "CustomUserDetailsService", "Spring Security UserDetailsService", "Loads AppUser by username from DB. Converts group permissions to Spring GrantedAuthority objects.")
+        Component(userDetails, "CustomUserDetailsService", "Spring Security UserDetailsService", "Loads AppUser by email from DB. Converts group permissions to Spring GrantedAuthority objects. Logs unknown permissions.")
     }
 
     Rel(frontend, secFilter, "All requests", "HTTP / Basic Auth header")
     Rel(secFilter, permAspect, "Authenticated requests proceed to guarded methods", "AOP @Around")
     Rel(secConf, userDetails, "Wires as UserDetailsService", "")
-    Rel(userDetails, db, "Loads user by username", "JDBC")
+    Rel(userDetails, db, "Loads user by email", "JDBC")
 ```
 
 ### 3b — Document, File & Import Domain