fix(auth): proxy document file requests server-side to prevent Basic Auth popup

Client-side fetch('/api/documents/{id}/file') bypassed the handleFetch hook
that injects the Authorization header, causing the browser to receive a 401
with WWW-Authenticate: Basic and show a native auth dialog.

Added a SvelteKit server route at /api/documents/[id]/file that proxies the
request through the server, where handleFetch injects the auth cookie correctly.

Also fixed E2E default password (admin → admin123) to match application.yaml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Marcel
2026-03-20 11:01:31 +01:00
parent e9b03ee6a9
commit 203b7d2b08
3 changed files with 22 additions and 3 deletions


@@ -9,11 +9,11 @@ const authFile = path.join(__dirname, '.auth/user.json');
* Logs in once and saves the session cookie so all E2E tests can reuse it.
* Configure credentials via environment variables:
* E2E_USERNAME (default: admin)
* E2E_PASSWORD (default: admin)
* E2E_PASSWORD (default: admin123)
*/
setup('authenticate', async ({ page }) => {
const username = process.env.E2E_USERNAME ?? 'admin';
const password = process.env.E2E_PASSWORD ?? 'admin';
const password = process.env.E2E_PASSWORD ?? 'admin123';
await page.goto('/login');
await page.getByLabel('Benutzername').fill(username);
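
Review bot: The fallback on the `const password = process.env.E2E_PASSWORD ?? 'admin123';` line keeps a working credential in source, and per the commit message it equals the default in application.yaml. Consider dropping the fallback and failing the setup step when E2E_PASSWORD is unset, or confirm that the admin123 default exists only in a dev/test profile. The `E2E_PASSWORD (default: admin123)` line in the doc comment would then need to change with it.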


@@ -3,7 +3,7 @@ import type { Page } from '@playwright/test';
export async function login(
page: Page,
username = process.env.E2E_USERNAME ?? 'admin',
password = process.env.E2E_PASSWORD ?? 'admin'
password = process.env.E2E_PASSWORD ?? 'admin123'
) {
await page.goto('/login');
await page.getByLabel('Benutzername').fill(username);
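
Review bot: The default on the `password = process.env.E2E_PASSWORD ?? 'admin123'` parameter repeats the literal already used in the authenticate setup, so both fallbacks and application.yaml have to be kept in sync by hand, which is the drift this commit is correcting. Suggest exporting the username and password defaults from one shared module and importing them in both places, so a future change to the seeded account touches a single line.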