feat: document delete permissions + three-dots menu portal fix

- Add can_delete column to document_shares (migration 0005)
- Inject x-user-is-admin header from backend proxy to doc-service
- Add get_user_is_admin() dep in doc-service
- Delete endpoint now allows: owner, admin, or group member with can_delete=true
- Watch documents (user_id='watch') deletable by admins only
- DocumentOut gains viewer_can_delete (computed per-request)
- Share UI: 'Allow group members to delete' checkbox + trash badge on shares
- RowActionsMenu dropdown portaled to document.body — fixes overflow-hidden clipping
- Delete mutation onError handler — no more silent failures

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

features/doc-service/app/deps.py

@@ -21,3 +21,11 @@ async def get_user_groups(x_user_groups: str = Header(default="")) -> list[str]:
     if not x_user_groups:
         return []
     return [g.strip() for g in x_user_groups.split(",") if g.strip()]
+
+
+async def get_user_is_admin(x_user_is_admin: str = Header(default="false")) -> bool:
+    """
+    Extract the admin flag injected by the main backend proxy.
+    Returns True only if the header value is exactly "true" (lowercase).
+    """
+    return x_user_is_admin.lower() == "true"