test(6.1): add SHARE-03 and SHARE-05 Nyquist gap tests

- test_share_default_permission_view: asserts permission='view' in POST
  response and owner's GET /api/shares list (SHARE-03)
- test_share_indicator_in_owner_list: asserts is_shared flips True in
  owner's GET /api/documents after sharing (SHARE-05)

All 14 phase tests now pass (9 shares + 5 audit).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/tests/test_shares.py

@@ -264,3 +264,82 @@ async def test_share_duplicate(async_client, auth_user, second_auth_user, db_ses
     assert second_resp.status_code == 409, (
         f"Duplicate share should return 409, got {second_resp.status_code}"
     )
+
+
+# ---------------------------------------------------------------------------
+# SHARE-03: View-only default permission
+# ---------------------------------------------------------------------------
+
+
+async def test_share_default_permission_view(async_client, auth_user, second_auth_user, db_session):
+    """Shares default to permission='view'; owner's share list confirms this (SHARE-03)."""
+    doc_id = await _make_doc(db_session, auth_user)
+
+    # Create share — POST response must include permission=view
+    resp = await async_client.post(
+        "/api/shares",
+        json={
+            "document_id": doc_id,
+            "recipient_handle": second_auth_user["user"].handle,
+        },
+        headers=auth_user["headers"],
+    )
+    assert resp.status_code == 201
+    body = resp.json()
+    assert body["permission"] == "view", (
+        f"Expected permission='view' in POST /api/shares response, got {body.get('permission')!r}"
+    )
+
+    # GET owner's share list for this doc also reports permission=view
+    list_resp = await async_client.get(
+        "/api/shares",
+        params={"document_id": doc_id},
+        headers=auth_user["headers"],
+    )
+    assert list_resp.status_code == 200
+    items = list_resp.json()["items"]
+    assert len(items) == 1
+    assert items[0]["permission"] == "view", (
+        f"Expected permission='view' in share list, got {items[0].get('permission')!r}"
+    )
+
+
+# ---------------------------------------------------------------------------
+# SHARE-05: Shared indicator in owner's document list
+# ---------------------------------------------------------------------------
+
+
+async def test_share_indicator_in_owner_list(async_client, auth_user, second_auth_user, db_session):
+    """Owner's document list shows is_shared=True after sharing the document (SHARE-05)."""
+    doc_id = await _make_doc(db_session, auth_user)
+
+    # Before sharing: is_shared must be False
+    pre_resp = await async_client.get("/api/documents", headers=auth_user["headers"])
+    assert pre_resp.status_code == 200
+    pre_items = pre_resp.json()["items"]
+    pre_match = [item for item in pre_items if item["id"] == doc_id]
+    assert len(pre_match) == 1
+    assert pre_match[0]["is_shared"] is False, (
+        f"Expected is_shared=False before sharing, got {pre_match[0].get('is_shared')!r}"
+    )
+
+    # Share the document
+    share_resp = await async_client.post(
+        "/api/shares",
+        json={
+            "document_id": doc_id,
+            "recipient_handle": second_auth_user["user"].handle,
+        },
+        headers=auth_user["headers"],
+    )
+    assert share_resp.status_code == 201
+
+    # After sharing: is_shared must be True in owner's document list
+    post_resp = await async_client.get("/api/documents", headers=auth_user["headers"])
+    assert post_resp.status_code == 200
+    post_items = post_resp.json()["items"]
+    post_match = [item for item in post_items if item["id"] == doc_id]
+    assert len(post_match) == 1
+    assert post_match[0]["is_shared"] is True, (
+        f"Expected is_shared=True after sharing, got {post_match[0].get('is_shared')!r}"
+    )