docs(03): create Phase 3 execution plan — document migration & multi-user isolation

5 plans across 5 sequential waves covering: Alembic migration 0003 (null-user
cleanup, NOT NULL constraint, quota reconciliation), presigned MinIO PUT upload
flow with atomic quota enforcement, auth guards on all document/topic endpoints,
flat-file settings retirement + per-user AI classification, and frontend quota bar
with 3-step XHR upload progress.

Verification passed across all 12 dimensions. All 8 phase requirements covered
(STORE-03/04/05/06, SEC-04, DOC-03/04/05).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.planning/ROADMAP.md

@@ -88,7 +88,30 @@ _Last updated: 2026-05-22_
 4. Requesting a document object key or presigned URL for a document owned by a different user returns 403 — no cross-user object access is possible through any request parameter manipulation; all /api/documents/* endpoints enforce get_current_user and return 403 when the requesting user's role is admin (completing SC5 from Phase 2)
 5. AI classification for each document uses the provider and model assigned to that user by the admin, not any user-supplied or default value
 
-**Plans**: TBD
+**Plans**: 5 plans
+
+**Wave 1** — Migration + test scaffolds
+- [ ] 03-01-PLAN.md — Wave 0 test scaffolds (auth_user/admin_user/MinIO mock fixtures + 16 xfail stubs) + Alembic migration 0003 (null-user cleanup, NOT NULL constraint, topic cleanup, quota reconciliation, ix_topics_user_id)
+
+**Wave 2** *(blocked on Wave 1)*
+- [ ] 03-02-PLAN.md — Presigned upload backend: StorageBackend ABC + MinIOBackend dual client + generate_presigned_put_url/stat_object + /api/documents/upload-url + /api/documents/{id}/confirm with atomic quota UPDATE + GET /api/auth/me/quota + delete-with-quota + abandoned-upload Celery beat + docker-compose CORS/celery-beat
+
+**Wave 3** *(blocked on Wave 2)*
+- [ ] 03-03-PLAN.md — Auth guards: get_regular_user dep + ownership assertions on every /api/documents/* handler (404 not 403) + admin 403 + real user_id in object_key + namespace-scoped /api/topics/* + POST /api/admin/topics + classifier topic-namespace plumbing
+
+**Wave 4** *(blocked on Wave 3)*
+- [ ] 03-04-PLAN.md — Settings retirement + per-user AI: delete /api/settings + remove load_settings/save_settings + classifier accepts ai_provider/ai_model kwargs + Celery task resolves user.ai_provider via DB + frontend SettingsView placeholder + remove settings store/API
+
+**Wave 5** *(blocked on Wave 4)*
+- [ ] 03-05-PLAN.md — Frontend upload flow + quota bar: 3-step upload action with XHR progress + UploadProgress.vue progress bar and quota rejection error block + QuotaBar.vue + AppSidebar embed + quota state in auth store + human checkpoint
+
+**Cross-cutting constraints:**
+- Atomic quota UPDATE pattern only lives in Plan 02; never duplicate (CLAUDE.md)
+- Every /api/documents/* handler injects get_regular_user (Plan 03)
+- AI provider/model resolved only via Celery task DB lookup (Plan 04)
+- Browser XHR PUT to MinIO sends NO Authorization header (Plan 05)
+
+**UI hint**: yes
 
 ---
 
@@ -134,6 +157,6 @@ _Last updated: 2026-05-22_
 |-------|----------------|--------|-----------|
 | 1. Infrastructure Foundation | 5/5 | Complete | 2026-05-22 |
 | 2. Users & Authentication | 5/5 | Complete | 2026-05-22 |
-| 3. Document Migration & Multi-User Isolation | 0/? | Not started | - |
+| 3. Document Migration & Multi-User Isolation | 0/5 | Not started | - |
 | 4. Folders, Sharing, Quotas & Document UX | 0/? | Not started | - |
 | 5. Cloud Storage Backends | 0/? | Not started | - |