docs(06.2): create 4-plan phase covering SHARE-03, SHARE-05, cloud-delete, ADMIN-06

Wave 0: 11 xfail stubs across test_shares/test_documents/test_audit
Wave 1 (parallel): SHARE-05 badge + SHARE-03 permission control; cloud-delete propagation
Wave 2: audit handle enrichment, user_handle filter, CSV fetch+Blob, daily-export UI

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.planning/ROADMAP.md

@@ -1,6 +1,6 @@
 # DocuVault — v1 Roadmap
 
-_Last updated: 2026-05-25_
+_Last updated: 2026-05-31_
 
 ## Mandatory Cross-Cutting Gates (every phase)
 
@@ -320,21 +320,41 @@ Before any phase is marked complete, all three gates must pass:
 
 ### Phase 6.2: Close v1 sharing + cloud-delete + CSV export gaps
 
-**Goal**: Close remaining v1 gaps — sharing edge cases, cloud document deletion propagation to the remote backend, and CSV export for the admin audit log.
+**Goal**: Close remaining v1 gaps — sharing edge cases (SHARE-03/SHARE-05), cloud document deletion propagation to the remote backend, and CSV export + daily export UI for the admin audit log (ADMIN-06).
 **Mode:** mvp
 **Depends on**: Phase 6.1
-**Requirements**: TBD
+**Requirements**: SHARE-03, SHARE-05, ADMIN-06
 
 **Success Criteria** (what must be TRUE):
 
-1. TBD
+1. Documents shared with others display a "Shared" badge in the owner's list view (reads doc.is_shared, not doc.share_count)
+2. Owner can set permission to "view" or "edit" when creating a share and toggle it per-recipient afterward; PATCH /api/shares/{id} enforces IDOR protection (404 on wrong owner)
+3. Deleting a cloud document propagates the delete to the cloud provider; failure shows a warning modal with "Remove from app" fallback; ?remove_only=true removes only the DB record; cloud docs never affect quota on delete
+4. Admin can download filtered audit log CSV via fetch+Blob (not window.location.href); audit log entries show user handles instead of raw UUIDs; user filter accepts handles (not UUIDs)
+5. Admin can list and download Celery-generated daily audit export files from a new section in the Audit Log tab
 
-**Plans**: TBD
+**Plans**: 4 plans
+
+**Wave 0** — Test stubs
+
+- [ ] 06.2-01-PLAN.md — 11 xfail stubs across test_shares.py, test_documents.py, test_audit.py
+
+**Wave 1** — Feature slices (parallel)
+
+- [ ] 06.2-02-PLAN.md — SHARE-05 badge fix + SHARE-03 permission control (backend PATCH + frontend dropdown + toggle)
+- [ ] 06.2-03-PLAN.md — Cloud-delete propagation + structured error response + remove_only path + DocumentView warning modal
+
+**Wave 2** — Audit log enrichment
+
+- [ ] 06.2-04-PLAN.md — Audit handle JOIN + user_handle filter + CSV fetch+Blob fix + daily-export list + download endpoints + AuditLogTab UI
 
 **Phase gates (must pass before Phase 6.2 is complete):**
 
-- [ ] `pytest -v` — zero failures
+- [ ] `pytest -v` — zero failures; all 11 promoted tests passing
 - [ ] Security agent: bandit + pip audit + npm audit all clean
+- [ ] IDOR on PATCH /api/shares/{id}: test_share_patch_idor passes
+- [ ] Date regex validation confirmed: GET /api/admin/audit-log/daily-exports/invalid-date returns 404
+- [ ] window.location.href removed from AuditLogTab.vue confirmed by grep
 
 ---
 
@@ -349,4 +369,4 @@ Before any phase is marked complete, all three gates must pass:
 | 5. Cloud Storage Backends | 12/12 | Complete | 2026-05-30 |
 | 6. Performance & Production Hardening | 0/TBD | Not started | — |
 | 6.1. Close v1.0 audit gaps | 2/2 | Complete | 2026-05-30 |
-| 6.2. Close v1 sharing + cloud-delete + CSV export gaps | 0/TBD | Not started | — |
+| 6.2. Close v1 sharing + cloud-delete + CSV export gaps | 0/4 | Not started | — |