feat(05-09): authenticated document preview via fetch + Blob URL

- Add fetchDocumentContent() to client.js: fetch with Bearer auth, 401 refresh
  retry pattern, returns raw Response (not parsed JSON) for blob() calls
- Replace iframe :src=proxyUrl (unauthenticated) in DocumentPreviewModal.vue
  with authenticated fetch → blob → URL.createObjectURL; loading/error states;
  URL.revokeObjectURL on unmount to prevent memory leaks
- Replace window.open(rawUrl) in DocumentView.vue openPdf() with
  fetchDocumentContent → blob → objectUrl → window.open; 60s auto-revoke
- Frontend build exits 0 with zero errors
- Closes T-05-09-04: no persistent unauthenticated content exposure

frontend/src/components/documents/DocumentPreviewModal.vue

@@ -23,10 +23,37 @@
     </div>
 
     <!-- iframe content -->
-    <div class="flex-1 overflow-hidden">
+    <div class="flex-1 overflow-hidden relative">
+      <!-- Loading state -->
+      <div
+        v-if="loading"
+        class="absolute inset-0 flex items-center justify-center bg-gray-50"
+      >
+        <div class="flex flex-col items-center gap-3 text-gray-400">
+          <svg class="w-8 h-8 animate-spin" fill="none" viewBox="0 0 24 24">
+            <circle class="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" stroke-width="4"></circle>
+            <path class="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z"></path>
+          </svg>
+          <span class="text-sm">Loading preview…</span>
+        </div>
+      </div>
+
+      <!-- Error state -->
+      <div
+        v-else-if="loadError"
+        class="absolute inset-0 flex items-center justify-center bg-gray-50"
+      >
+        <div class="text-center text-red-500">
+          <p class="font-medium">Preview failed</p>
+          <p class="text-sm mt-1">{{ loadError }}</p>
+        </div>
+      </div>
+
+      <!-- iframe: shown only when blobUrl is ready -->
       <iframe
+        v-if="blobUrl"
         class="w-full h-full border-0"
-        :src="proxyUrl"
+        :src="blobUrl"
         title="Document preview"
       ></iframe>
     </div>
@@ -34,7 +61,8 @@
 </template>
 
 <script setup>
-import { ref, computed, onMounted, onUnmounted } from 'vue'
+import { ref, watch, onMounted, onUnmounted } from 'vue'
+import { fetchDocumentContent } from '../../api/client.js'
 
 const props = defineProps({
   doc: {
@@ -46,8 +74,34 @@ const props = defineProps({
 const emit = defineEmits(['close'])
 
 const overlayRef = ref(null)
+const blobUrl = ref(null)
+const loadError = ref(null)
+const loading = ref(true)
 
-const proxyUrl = computed(() => `/api/documents/${props.doc.id}/content`)
+async function loadContent(docId) {
+  loading.value = true
+  loadError.value = null
+
+  // Revoke previous blob URL to free memory
+  if (blobUrl.value) {
+    URL.revokeObjectURL(blobUrl.value)
+    blobUrl.value = null
+  }
+
+  try {
+    const res = await fetchDocumentContent(docId)
+    if (!res.ok) {
+      loadError.value = `Failed to load document (HTTP ${res.status})`
+      return
+    }
+    const blob = await res.blob()
+    blobUrl.value = URL.createObjectURL(blob)
+  } catch (err) {
+    loadError.value = err.message || 'Failed to load document'
+  } finally {
+    loading.value = false
+  }
+}
 
 function handleOverlayClick(e) {
   if (e.target === overlayRef.value) {
@@ -63,9 +117,20 @@ function handleKeydown(e) {
 
 onMounted(() => {
   document.addEventListener('keydown', handleKeydown)
+  loadContent(props.doc.id)
+})
+
+// Reload if the document changes while modal is open
+watch(() => props.doc.id, (newId) => {
+  loadContent(newId)
 })
 
 onUnmounted(() => {
   document.removeEventListener('keydown', handleKeydown)
+  // Release the object URL to free browser memory
+  if (blobUrl.value) {
+    URL.revokeObjectURL(blobUrl.value)
+    blobUrl.value = null
+  }
 })
 </script>