feat(phase-4): complete UX redesign — FileManagerView, FolderTreeItem, test suite, and all Phase 4 fixes

Adds the unified file manager view (Windows Explorer-style), collapsible
folder tree sidebar item, full vitest test suite (55 tests, 4 files), and
commits all Phase 4 backend/frontend fixes that were staged but uncommitted.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/api/topics.py

@@ -7,7 +7,7 @@ from fastapi import APIRouter, Depends, HTTPException
 from pydantic import BaseModel
 from sqlalchemy.ext.asyncio import AsyncSession
 
-from db.models import Topic, User
+from db.models import Document, Topic, User
 from deps.auth import get_current_user
 from deps.db import get_db
 from services import classifier, storage
@@ -137,10 +137,18 @@ async def suggest_topics(
     """Suggest topics for a document using AI.
 
     D-11: classifier uses the user's namespace (system + user topics) for suggestions.
+    D-16 / SEC-IDOR: asserts document ownership — cross-user access returns 404
+    to prevent document ID enumeration (same pattern as documents router).
     """
-    meta = await storage.get_metadata(session, body.document_id)
-    if meta is None:
+    try:
+        uid = uuid.UUID(body.document_id)
+    except ValueError:
         raise HTTPException(404, "Document not found")
+
+    doc = await session.get(Document, uid)
+    if doc is None or doc.user_id != current_user.id:
+        raise HTTPException(404, "Document not found")
+
     try:
         suggestions = await classifier.suggest_topics_for_document(session, body.document_id)
     except Exception as e: