feat(03-02): implement presigned upload flow, quota enforcement, cleanup task

- Replace POST /api/documents/upload with POST /api/documents/upload-url + /{id}/confirm
- upload-url: create pending Document row with user_id=None (Wave 2), return presigned PUT URL
- confirm: stat MinIO for authoritative size (T-03-05), atomic quota UPDATE (T-03-06, STORE-03)
- Confirm returns 413 with {used_bytes, limit_bytes, rejected_bytes} on quota exceeded (STORE-05)
- Wave 2 guard: skip quota UPDATE when doc.user_id is None (Plan 03-03 removes this)
- Add GET /api/auth/me/quota to api/auth.py (STORE-04)
- services/storage.py: remove save_upload (D-04); add GREATEST(0, used_bytes-delta) quota decrement to delete_document (STORE-06)
- tasks/document_tasks.py: add cleanup_abandoned_uploads Celery beat task (D-06)
- celery_app.py: add beat_schedule for cleanup-abandoned-uploads every 30 minutes
- tests/test_documents.py: replace legacy /upload tests with xfail; add real test logic for upload-url/confirm/get-quota
- tests/test_quota.py: implement real test logic with xfail for PostgreSQL-specific SQL

backend/api/auth.py

@@ -387,6 +387,24 @@ async def get_me(current_user: User = Depends(get_current_user)):
     return _user_dict(current_user)
 
 
+# ── GET /api/auth/me/quota ────────────────────────────────────────────────────
+
+@router.get("/me/quota")
+async def get_my_quota(
+    current_user: User = Depends(get_current_user),
+    session: AsyncSession = Depends(get_db),
+):
+    """Return the current user's quota usage (STORE-04).
+
+    Returns {"used_bytes": int, "limit_bytes": int} for the sidebar quota bar.
+    Quota row is created at registration (100 MB default — STORE-01).
+    """
+    q = await session.get(Quota, current_user.id)
+    if q is None:
+        raise HTTPException(status_code=404, detail="Quota not found")
+    return {"used_bytes": q.used_bytes, "limit_bytes": q.limit_bytes}
+
+
 # ── POST /api/auth/change-password ───────────────────────────────────────────
 
 @router.post("/change-password")