- Fix doc-service delete endpoint: admins could not delete non-owned,
non-shared documents — they hit 404 because the initial query filtered
by owner/watch/group even before the is_admin bypass was checked.
Admins now get an unconditional fetch, consistent with intent.
- Add 18 new checklist tests covering: group admin role (4.9–4.10),
delete permission variants (12.16b–12.16e), can_delete sharing
(13.11–13.14), category scopes / PascalCase naming (14.7–14.17),
and three-dots portal fix (19.11).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All API calls now go through a thin request() wrapper around native fetch.
Removes the axios dependency entirely. The wrapper injects the JWT on every
request and — the key fix — clears localStorage and redirects to /login on
any 401 response, so expired sessions no longer leave users on broken pages.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
curo1305