Redesign doc service UX for scale + add group-based document sharing

- Three-column layout: Sidebar + SourcePanel (views + searchable category tree) + main
- DocumentSlideOver (480px right panel): inline editing, type picker, AI suggestion confirm/reject,
  categories combobox, tags editor, sharing section, raw text, re-analyse/delete actions
- ManageCategoriesDialog: inline rename, delete with confirm, search filter
- DocumentsPage rewrite: filter chip system, multi-file upload queue, drag-and-drop overlay,
  bulk actions bar (share/delete), smart TanStack Query polling, URL-driven view state
- Sidebar simplified: per-category NavLinks removed; Documents = single NavLink under Apps
- Backend: document_shares table (migration 0004), share CRUD endpoints, shared-with-me view,
  N+1-safe share_count via GROUP BY, recipient download access, X-User-Groups header enforcement
- Gateway proxy: injects X-User-Groups header into all document + category proxy requests
- Backend users: GET /api/users/me/groups endpoint for share picker combobox
- CLAUDE.md, STATUS.md files, and changelog updated

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

features/doc-service/STATUS.md

@@ -123,6 +123,23 @@ Controlled via plugin settings (UI accessible to superusers and `doc-service-adm
 
 On startup scan, the watcher walks the watch directory and ingests any PDFs not already in the database (idempotency check by `watch_path`). Subfolders are automatically mapped to categories (e.g. `watch/invoices/bill.pdf` → category "invoices"). No-remove policy: deleting a file from the watch directory does not delete the document record.
 
+### Document sharing (`document_shares`)
+
+Group-based sharing allows a document owner to share a document with all members of any group they belong to. Recipients can view and download the shared document; they cannot edit, re-analyse, delete, or re-share it.
+
+The gateway injects `X-User-Groups: <group_id1>,<group_id2>,...` alongside the existing `X-User-Id` header, so doc-service can evaluate group access without querying the backend DB.
+
+| Method | Path | Auth | Description |
+|--------|------|------|-------------|
+| `GET` | `/documents/shared-with-me` | Any user | Documents shared with the user via their groups; excludes own docs |
+| `GET` | `/documents/{id}/shares` | Owner only | List all groups the document is shared with |
+| `POST` | `/documents/{id}/shares` | Owner only | Share with a group (`{group_id}` in body); group must be in X-User-Groups |
+| `DELETE` | `/documents/{id}/shares/{group_id}` | Owner only | Stop sharing with that group |
+
+`DocumentOut` now includes `share_count: int` — the number of groups the document is shared with.
+
+`GET /documents/{id}/file` also allows access to shared documents (recipients can download).
+
 ### Database migrations
 
 | Revision | Description |
@@ -130,6 +147,7 @@ On startup scan, the watcher walks the watch directory and ingests any PDFs not
 | 0001 | Initial schema (documents, categories, category_assignments) |
 | 0002 | Add `title` column to documents |
 | 0003 | Add `source`, `watch_path`, `suggested_folder`, `suggested_filename` columns |
+| 0004 | Add `document_shares` table (document_id, group_id, shared_by_user_id, created_at) |
 
 Run automatically on container start via `alembic upgrade head`.
 
@@ -168,8 +186,8 @@ file_watcher.py (watchdog Observer, daemon thread)
 
 - **Re-process** — no endpoint to re-trigger AI extraction on an existing document (e.g. after changing the AI model or prompt)
 - **Advanced field-level search** — `search` param matches text fields via ILIKE but does not query into `extracted_data` JSON (e.g. filter by `vendor` or `due_date`)
-- **Bulk operations** — no bulk category assign/remove, no bulk delete
-- **Document sharing** — documents are strictly per-user; no group sharing yet
+- **Bulk operations** — no bulk category assign/remove endpoint (frontend handles bulk delete/share individually)
+- **Advanced field-level search** — `search` matches text fields via ILIKE but does not query into `extracted_data` JSON
 - **Pagination in categories** — categories are returned as a full list (no pagination)
 - **File type** — only PDF supported
 - **Concurrent uploads** — no rate limiting per user
@@ -183,9 +201,10 @@ file_watcher.py (watchdog Observer, daemon thread)
 - [x] Plugin manifest endpoint (`/plugin/manifest`, `/plugin/settings`) for generic settings UI
 - [ ] Advanced filter: query `extracted_data` JSON fields (vendor, due_date, amount) — requires PostgreSQL `jsonb` column or indexed virtual columns
 - [ ] Bulk operations endpoint
-- [ ] Document sharing via groups (blocked on groups/permissions system in backend)
+- [x] Document sharing via groups — `document_shares` table + share endpoints + shared-with-me view
+- [x] Frontend UI for suggestion badges (suggested_folder / suggested_filename confirm/reject buttons in slide-over)
+- [ ] Advanced filter: query `extracted_data` JSON fields (vendor, due_date, amount)
 - [ ] Support additional file types (images via OCR, DOCX)
 - [ ] Rate limiting on upload endpoint
 - [ ] Soft delete with restore
-- [ ] Category rename / delete with cascade handling
-- [ ] Frontend UI for suggestion badges (suggested_folder / suggested_filename confirm/reject buttons)
+- [ ] Edit rights for shared recipients (V2)