fix(adr-023/024/025): restaurer diagrammes Mermaid

Les diagrammes Mermaid sont utiles pour visualiser l'architecture
et ne posent pas de problème de doublon code/doc.

Restauration des 3 diagrammes :
- ADR-023 : Flux modération (Client → API → Worker → IA → Dashboard)
- ADR-024 : Stack monitoring (Services → Prometheus/Grafana → Alerting)
- ADR-025 : Architecture secrets (Dev/Prod → Vault → Encryption)

Code textuel (SQL, bash, Go, YAML) reste retiré comme demandé.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

docs/adr/023-architecture-moderation.md

@@ -28,15 +28,54 @@ Architecture hybride **humain + IA** avec file d'attente intelligente.
 
 ### Architecture
 
-**Flux de traitement** :
+```mermaid
-1. **Client** (App Mobile/Web) → Signalement utilisateur
+graph TB
-2. **API Backend** (Fiber) → Endpoint `/moderation/report`
+    subgraph Client["App Mobile/Web"]
-3. **Queue PostgreSQL** → LISTEN/NOTIFY pour dispatch asynchrone
+        Report["Signalement utilisateur"]
-4. **Worker Go** → Goroutine de traitement (transcription + analyse)
+    end
-5. **IA Self-hosted** → Whisper large-v3 (transcription) + distilbert/roberta (NLP)
+
-6. **Cache Redis** → Sorted Sets pour priorisation temps réel
+    subgraph Backend["Backend Go"]
-7. **Dashboard React** → Interface modérateurs avec Wavesurfer.js (player audio)
+        API["API Fiber<br/>/moderation/report"]
-8. **Stockage** → PostgreSQL (signalements + logs audit) + Redis (cache priorisation)
+        Queue["PostgreSQL Queue<br/>LISTEN/NOTIFY"]
+        Worker["Worker Go<br/>(transcription + NLP)"]
+    end
+
+    subgraph AI["IA Self-hosted"]
+        Whisper["Whisper large-v3<br/>(transcription)"]
+        NLP["distilbert<br/>(sentiment + haine)"]
+    end
+
+    subgraph Moderation["Modération Dashboard"]
+        Dashboard["React Dashboard"]
+        Player["Wavesurfer.js<br/>(lecture audio)"]
+    end
+
+    subgraph Storage["Stockage"]
+        DB["PostgreSQL<br/>(signalements + logs)"]
+        Redis["Redis<br/>(priorisation + cache)"]
+    end
+
+    Report --> API
+    API --> Queue
+    Queue --> Worker
+    Worker --> Whisper
+    Whisper --> NLP
+    NLP --> Redis
+    Worker --> DB
+    Dashboard --> Player
+    Dashboard --> Redis
+    Dashboard --> DB
+
+    classDef clientStyle fill:#e3f2fd,stroke:#1565c0
+    classDef backendStyle fill:#fff3e0,stroke:#e65100
+    classDef aiStyle fill:#f3e5f5,stroke:#6a1b9a
+    classDef storageStyle fill:#e8f5e9,stroke:#2e7d32
+
+    class Client,Report clientStyle
+    class Backend,API,Queue,Worker backendStyle
+    class AI,Whisper,NLP aiStyle
+    class Storage,DB,Redis storageStyle
+```
 
 ### Workflow de Traitement
 

docs/adr/024-monitoring-observabilite.md

@@ -31,27 +31,64 @@ Stack **Prometheus + Grafana + Loki** self-hosted avec alerting multi-canal.
 
 ### Architecture
 
-**Services surveillés** :
+```mermaid
-- Backend Go API (métriques Fiber)
+graph TB
-- PostgreSQL (pg_exporter)
+    subgraph Services["Services RoadWave"]
-- Redis (redis_exporter)
+        API["Backend Go API<br/>(Fiber metrics)"]
-- Zitadel (endpoint metrics)
+        DB["PostgreSQL<br/>(pg_exporter)"]
+        Redis["Redis<br/>(redis_exporter)"]
+        Zitadel["Zitadel<br/>(metrics endpoint)"]
+    end
 
-**Stack Monitoring** :
+    subgraph Monitoring["Stack Monitoring"]
-- **Prometheus** : Collecte métriques (scrape), stockage TSDB 15j rétention
+        Prom["Prometheus<br/>(scrape + TSDB)"]
-- **Grafana** : Visualisation dashboards
+        Grafana["Grafana<br/>(dashboards)"]
-- **Loki** : Agrégation logs (chunks compressés, 7j rétention)
+        Loki["Loki<br/>(logs aggregation)"]
-- **Alertmanager** : Routing alertes multi-canal
+        Alert["Alertmanager<br/>(routing)"]
-- **Uptime Kuma** : Checks HTTP externes, SSL monitoring
+        Uptime["Uptime Kuma<br/>(external checks)"]
+    end
 
-**Alerting** :
+    subgraph Notifications["Alerting"]
-- Email (Brevo) : asynchrone, faible intrusivité
+        Email["Email (Brevo)"]
-- Webhook (Slack/Discord) : temps réel, on-call
+        Slack["Webhook Slack/Discord"]
+    end
 
-**Stockage** :
+    subgraph Storage["Stockage"]
-- Prometheus TSDB : métriques 15j
+        PromStorage["Prometheus TSDB<br/>(15j retention)"]
-- Loki chunks : logs 7j
+        LokiStorage["Loki Chunks<br/>(7j retention)"]
-- Backups PostgreSQL : WAL-E continuous vers S3 OVH
+        Backups["Backups PostgreSQL<br/>(S3 OVH)"]
+    end
+
+    API --> Prom
+    DB --> Prom
+    Redis --> Prom
+    Zitadel --> Prom
+
+    API -.->|logs stdout| Loki
+    Prom --> Grafana
+    Loki --> Grafana
+    Prom --> Alert
+
+    Alert --> Email
+    Alert --> Slack
+
+    Uptime -.->|external HTTP checks| API
+    Uptime --> Alert
+
+    Prom --> PromStorage
+    Loki --> LokiStorage
+    DB -.->|WAL-E continuous| Backups
+
+    classDef serviceStyle fill:#e3f2fd,stroke:#1565c0
+    classDef monitoringStyle fill:#fff3e0,stroke:#e65100
+    classDef notifStyle fill:#f3e5f5,stroke:#6a1b9a
+    classDef storageStyle fill:#e8f5e9,stroke:#2e7d32
+
+    class Services,API,DB,Redis,Zitadel serviceStyle
+    class Monitoring,Prom,Grafana,Loki,Alert,Uptime monitoringStyle
+    class Notifications,Email,Slack notifStyle
+    class Storage,PromStorage,LokiStorage,Backups storageStyle
+```
 
 ### Métriques Clés
 

docs/adr/025-securite-secrets.md

@@ -30,15 +30,55 @@ Stratégie **secrets management + encryption at rest + HTTPS** avec stack self-h
 
 ### Architecture Secrets
 
-**Environnements** :
+```mermaid
-- **Développement** : Fichier .env local (non versionné)
+graph TB
-- **Production** : HashiCorp Vault (self-hosted)
+    subgraph Dev["Environnement Dev"]
+        EnvFile[".env file<br/>(local uniquement)"]
+    end
 
-**Flux** :
+    subgraph Prod["Production"]
-1. **Vault** stocke secrets sensibles (JWT signing key, DB credentials, Mangopay API key, encryption master key)
+        Vault["HashiCorp Vault<br/>(secrets storage)"]
-2. **Backend API** récupère secrets depuis Vault au démarrage
+        API["Backend Go API"]
-3. **Encryption layer** : AES-256-GCM pour PII, TLS 1.3 pour transport
+        DB["PostgreSQL<br/>(encrypted at rest)"]
-4. **Stockage** : PostgreSQL (data encrypted at rest), Redis (TLS enabled)
+        Redis["Redis<br/>(TLS enabled)"]
+    end
+
+    subgraph Encryption["Encryption Layer"]
+        AES["AES-256-GCM<br/>(PII encryption)"]
+        TLS["TLS 1.3<br/>(transport)"]
+    end
+
+    subgraph Secrets["Secrets Stockés"]
+        JWT["JWT Signing Key<br/>(RS256 private key)"]
+        DBCreds["DB Credentials<br/>(user/pass)"]
+        Mangopay["Mangopay API Key<br/>(sandbox + prod)"]
+        EncKey["Encryption Master Key<br/>(AES-256)"]
+    end
+
+    EnvFile -.->|dev only| API
+    Vault --> API
+
+    Vault --- JWT
+    Vault --- DBCreds
+    Vault --- Mangopay
+    Vault --- EncKey
+
+    API --> AES
+    API --> TLS
+    AES --> DB
+    TLS --> DB
+    TLS --> Redis
+
+    classDef devStyle fill:#fff3e0,stroke:#e65100
+    classDef prodStyle fill:#e3f2fd,stroke:#1565c0
+    classDef encStyle fill:#f3e5f5,stroke:#6a1b9a
+    classDef secretStyle fill:#ffebee,stroke:#c62828
+
+    class Dev,EnvFile devStyle
+    class Prod,Vault,API,DB,Redis prodStyle
+    class Encryption,AES,TLS encStyle
+    class Secrets,JWT,DBCreds,Mangopay,EncKey secretStyle
+```
 
 ### Secrets Management avec Vault