feat(03-03): wire get_current_user into /api/topics/*; add load_topics_for_user; POST /api/admin/topics

- api/topics.py: add get_current_user dep to all 5 handlers (list, create, update, delete, suggest)
- list_topics: uses load_topics_for_user (system topics + user's own) with user-scoped doc counts
- create_topic: passes user_id=current_user.id (never creates system topics via regular endpoint)
- update_topic/delete_topic: ownership assertion — system topics and other users' topics return 404
- api/admin.py: add SystemTopicCreate model + POST /api/admin/topics (user_id=NULL, admin-only)
- services/storage.py: add or_ import; load_topics_for_user (D-17); create_topic gains user_id param with namespace-scoped dedup; topic_doc_counts gains optional user_id for user-scoped counts; add load_topics_for_user to __all__
- services/classifier.py: replace load_topics with load_topics_for_user(doc.user_id); pass user_id=doc.user_id to create_topic for AI-suggested topics (D-11)
- Tests: update all topic tests to pass auth headers; implement test_topic_namespace, test_admin_create_system_topic, test_regular_user_cannot_create_system_topic, test_topics_require_auth

backend/services/storage.py

@@ -28,7 +28,7 @@ import uuid
 from datetime import datetime, timezone
 from typing import Optional
 
-from sqlalchemy import select, delete, text
+from sqlalchemy import select, delete, text, or_
 from sqlalchemy import func as sql_func
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -258,6 +258,24 @@ async def load_topics(session: AsyncSession) -> list:
     ]
 
 
+async def load_topics_for_user(session: AsyncSession, user_id: uuid.UUID) -> list:
+    """Return system topics (user_id IS NULL) + the user's own topics, ordered by name.
+
+    D-08 + D-17 + DOC-04: layered topic namespace. System topics are visible to all
+    users; per-user topics are visible only to their owner. A user's topic list is
+    the union of both sets.
+    """
+    q = await session.execute(
+        select(Topic).where(
+            or_(Topic.user_id == user_id, Topic.user_id.is_(None))
+        ).order_by(Topic.name)
+    )
+    return [
+        {"id": str(t.id), "name": t.name, "description": t.description, "color": t.color}
+        for t in q.scalars()
+    ]
+
+
 async def save_topics(session: AsyncSession, topics: list) -> None:
     """Idempotent bulk replace — delete all Topic rows then insert the list.
 
@@ -293,11 +311,35 @@ async def create_topic(
     name: str,
     description: str = "",
     color: str = "#6366f1",
+    user_id: Optional[uuid.UUID] = None,
 ) -> dict:
-    """Create a topic, or return the existing one (case-insensitive deduplication)."""
-    q = await session.execute(
-        select(Topic).where(sql_func.lower(Topic.name) == name.lower())
-    )
+    """Create a topic, or return the existing one (case-insensitive, namespace-scoped dedup).
+
+    D-08: user_id=None creates a system topic (visible to all users).
+    D-08: user_id=<uuid> creates a per-user topic (visible only to that user).
+
+    Deduplication is scoped by user_id namespace:
+      - System topics (user_id=None) dedup against other system topics only
+      - Per-user topics dedup within that user's namespace only
+    This allows "Finance" to exist as both a system topic and a per-user topic.
+
+    SQLite note: Uses a branching approach instead of IS NOT DISTINCT FROM
+    (SQLite doesn't support that PostgreSQL construct for NULL comparison).
+    """
+    if user_id is None:
+        q = await session.execute(
+            select(Topic).where(
+                sql_func.lower(Topic.name) == name.lower(),
+                Topic.user_id.is_(None),
+            )
+        )
+    else:
+        q = await session.execute(
+            select(Topic).where(
+                sql_func.lower(Topic.name) == name.lower(),
+                Topic.user_id == user_id,
+            )
+        )
     existing = q.scalars().first()
     if existing is not None:
         return {
@@ -307,7 +349,7 @@ async def create_topic(
             "color": existing.color,
         }
 
-    topic = Topic(name=name, description=description, color=color)
+    topic = Topic(name=name, description=description, color=color, user_id=user_id)
     session.add(topic)
     await session.commit()
     return {
@@ -361,13 +403,27 @@ async def delete_topic(session: AsyncSession, topic_id: str) -> Optional[str]:
     return name
 
 
-async def topic_doc_counts(session: AsyncSession) -> dict:
-    """Return a mapping of topic name -> document count."""
-    q = await session.execute(
+async def topic_doc_counts(
+    session: AsyncSession, user_id: Optional[uuid.UUID] = None
+) -> dict:
+    """Return a mapping of topic name -> document count.
+
+    If user_id is provided, counts only documents belonging to that user.
+    This ensures a user sees the count of their own documents for each topic,
+    not the global count across all users.
+    """
+    stmt = (
         select(Topic.name, sql_func.count(DocumentTopic.document_id))
         .join(DocumentTopic, DocumentTopic.topic_id == Topic.id, isouter=True)
-        .group_by(Topic.name)
     )
+    if user_id is not None:
+        stmt = stmt.join(
+            Document, Document.id == DocumentTopic.document_id, isouter=True
+        ).where(
+            or_(Document.user_id == user_id, Document.user_id.is_(None))
+        )
+    stmt = stmt.group_by(Topic.name)
+    q = await session.execute(stmt)
     return {name: count for name, count in q}
 
 
@@ -422,6 +478,7 @@ __all__ = [
     "update_document_topics",
     "remove_topic_from_all_documents",
     "load_topics",
+    "load_topics_for_user",
     "save_topics",
     "get_topic",
     "create_topic",