docs(c4): add L3 backend 3a security and 3b document management

docs/architecture/c4/l3-backend-3a-security.puml

@@ -0,0 +1,21 @@
+@startuml
+!include <C4/C4_Component>
+
+title Component Diagram: API Backend — Security & Authentication
+
+Container(frontend, "Web Frontend", "SvelteKit")
+ContainerDb(db, "PostgreSQL", "PostgreSQL 16")
+
+System_Boundary(backend, "API Backend (Spring Boot)") {
+    Component(secFilter, "Security Filter Chain", "Spring Security", "Enforces authentication on all requests. Parses Basic Auth header and constructs an Authentication token; delegates credential validation to DaoAuthenticationProvider via BCrypt. Permits password-reset, invite, and register endpoints without authentication.")
+    Component(permAspect, "PermissionAspect", "Spring AOP", "Intercepts methods annotated with @RequirePermission. Checks user's granted authorities against the required permission. Throws 401/403 if denied.")
+    Component(secConf, "SecurityConfig", "Spring @Configuration", "Configures filter chain: all routes require authentication, CSRF disabled, BCrypt password encoder, DaoAuthenticationProvider with CustomUserDetailsService.")
+    Component(userDetails, "CustomUserDetailsService", "Spring Security UserDetailsService", "Loads AppUser by email from DB. Converts group permissions to Spring GrantedAuthority objects. Logs unknown permissions.")
+}
+
+Rel(frontend, secFilter, "All requests", "HTTP / Basic Auth header")
+Rel(secFilter, permAspect, "Authenticated requests reach guarded service methods")
+Rel(secConf, userDetails, "Wires as UserDetailsService")
+Rel(userDetails, db, "Loads user by email", "JDBC")
+
+@enduml