feat: category scopes, group-admin role, and permission model

- Three category scopes: personal / group / system (watch)
- PascalCase-with-dashes naming convention enforced at backend + frontend
- is_group_admin flag on GroupMembership; PATCH endpoint for admins to toggle it
- Categories router: scope-based list/create/rename/delete with _check_can_manage_cat
- Documents router: delete uses is_admin + can_delete share flag + group-admin check; remove_category requires doc ownership; assign_category accepts group/system categories
- Proxy layers inject x-user-is-admin and x-user-admin-groups headers
- Frontend: ManageCategoriesDialog grouped by scope with lock icons; SourcePanel scope picker + client-side name validation; AdminGroupsPage group-admin checkbox

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

features/doc-service/app/routers/documents.py

@@ -13,7 +13,7 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
 
 from app.database import AsyncSessionLocal, get_db
-from app.deps import get_user_groups, get_user_id
+from app.deps import get_user_admin_groups, get_user_groups, get_user_id, get_user_is_admin
 from app.models.category import DocumentCategory
 from app.models.category_assignment import CategoryAssignment
 from app.models.document import Document
@@ -479,14 +479,59 @@ async def reprocess_document(
 async def delete_document(
     doc_id: str,
     user_id: str = Depends(get_user_id),
+    is_admin: bool = Depends(get_user_is_admin),
+    user_groups: list[str] = Depends(get_user_groups),
+    user_admin_groups: list[str] = Depends(get_user_admin_groups),
     db: AsyncSession = Depends(get_db),
 ) -> None:
+    # Fetch the document (owner, watch, or shared with user's groups)
     result = await db.execute(
-        select(Document).where(Document.id == doc_id, Document.user_id == user_id)
+        select(Document).where(
+            Document.id == doc_id,
+            or_(
+                Document.user_id == user_id,
+                Document.user_id == _WATCH_USER_ID,
+                Document.id.in_(
+                    select(DocumentShare.document_id).where(
+                        DocumentShare.group_id.in_(user_groups)
+                    )
+                ) if user_groups else False,
+            ),
+        )
     )
     doc = result.scalar_one_or_none()
     if doc is None:
         raise HTTPException(status_code=404, detail="Document not found")
+
+    is_owner = doc.user_id == user_id
+
+    if not is_owner and not is_admin:
+        # Check: shared with a group where the user has can_delete=True
+        can_delete_via_share = False
+        if user_groups:
+            share_result = await db.execute(
+                select(DocumentShare).where(
+                    DocumentShare.document_id == doc_id,
+                    DocumentShare.group_id.in_(user_groups),
+                    DocumentShare.can_delete.is_(True),
+                )
+            )
+            can_delete_via_share = share_result.scalar_one_or_none() is not None
+
+        # Check: user is a group admin for a group the doc is shared with
+        can_delete_as_group_admin = False
+        if user_admin_groups:
+            admin_share_result = await db.execute(
+                select(DocumentShare).where(
+                    DocumentShare.document_id == doc_id,
+                    DocumentShare.group_id.in_(user_admin_groups),
+                )
+            )
+            can_delete_as_group_admin = admin_share_result.scalar_one_or_none() is not None
+
+        if not can_delete_via_share and not can_delete_as_group_admin:
+            raise HTTPException(status_code=403, detail="Not allowed to delete this document")
+
     delete_file(doc.file_path)
     await db.delete(doc)
     await db.commit()
@@ -537,6 +582,7 @@ async def assign_category(
     doc_id: str,
     cat_id: str,
     user_id: str = Depends(get_user_id),
+    user_groups: list[str] = Depends(get_user_groups),
     db: AsyncSession = Depends(get_db),
 ) -> None:
     doc_result = await db.execute(
@@ -548,9 +594,15 @@ async def assign_category(
     if doc_result.scalar_one_or_none() is None:
         raise HTTPException(status_code=404, detail="Document not found")
 
+    # Accept personal, group (user is a member), or system categories
     cat_result = await db.execute(
         select(DocumentCategory).where(
-            DocumentCategory.id == cat_id, DocumentCategory.user_id == user_id
+            DocumentCategory.id == cat_id,
+            or_(
+                DocumentCategory.user_id == user_id,
+                DocumentCategory.group_id.in_(user_groups) if user_groups else False,
+                DocumentCategory.scope == "system",
+            ),
         )
     )
     if cat_result.scalar_one_or_none() is None:
@@ -574,6 +626,13 @@ async def remove_category(
     user_id: str = Depends(get_user_id),
     db: AsyncSession = Depends(get_db),
 ) -> None:
+    # Only the document owner may remove a category assignment
+    doc_result = await db.execute(
+        select(Document).where(Document.id == doc_id, Document.user_id == user_id)
+    )
+    if doc_result.scalar_one_or_none() is None:
+        raise HTTPException(status_code=403, detail="Only the document owner can remove category assignments")
+
     result = await db.execute(
         select(CategoryAssignment).where(
             CategoryAssignment.document_id == doc_id,