docs(03-03): complete per-user document and topic isolation plan
- 03-03-SUMMARY.md: documents all endpoint auth guards, ownership assertions, namespace isolation pattern, and SQLite compat deviations
- STATE.md: advance to Plan 3/5 complete, add 6 key decisions (get_regular_user, 404-not-403, CASE WHEN, or_/is_(None), AI user namespace)
- ROADMAP.md: mark 03-03-PLAN.md complete
- REQUIREMENTS.md: mark SEC-04 and DOC-04 complete
@@ -100,7 +100,9 @@ All state is stored on the local filesystem — no database:
|
||||
## Constraints & Notable Decisions
|
||||
|
||||
- All CORS origins allowed (`allow_origins=["*"]`) — suitable for local dev, not production
|
||||
- No authentication or user model
|
||||
- **Auth dependency chain (Phase 2+):** `get_current_user` (validates JWT, returns User) → `get_current_admin` (requires role=admin) / `get_regular_user` (requires role!=admin, 403 for admin accounts on document endpoints). `get_regular_user` enforces SEC-04: admin accounts cannot read document content (CLAUDE.md).
|
||||
- **Ownership assertion pattern (Phase 3+):** Every `/api/documents/*` handler asserts `doc.user_id == current_user.id` before returning — raises 404 (not 403) to prevent information leakage (D-16, T-03-11). Cross-user access and non-existence are indistinguishable.
|
||||
- **Topic namespace model (Phase 3+):** `user_id=NULL` = system topic (visible to all); `user_id=<uuid>` = per-user topic. `load_topics_for_user(session, user_id)` returns union via `or_(Topic.user_id == user_id, Topic.user_id.is_(None))`. Admin creates system topics via `POST /api/admin/topics`.
|
||||
- Single-worker assumption for file locking (does not scale to multiple uvicorn workers)
|
||||
- AI provider re-instantiated per request (no connection reuse)
|
||||
- Data directory is volume-mounted in Docker; no backup or migration strategy
|
||||
|
||||
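Review bot: the existing bullet "No authentication or user model" sits directly above the new "Auth dependency chain (Phase 2+)" entry in this hunk, and the two contradict each other if both survive; either remove the old bullet or reword it as a historical note (e.g. "No authentication in Phase 1; see auth dependency chain below"). Likewise, the "All CORS origins allowed" bullet now coexists with a JWT-based auth chain and a 404-not-403 leakage control, so it is worth stating explicitly in the same section that the wildcard CORS setting is a dev-only deviation from the isolation model these new bullets describe.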