fix(auth): proxy document file requests server-side to prevent Basic Auth popup

Client-side fetch('/api/documents/{id}/file') bypassed the handleFetch hook
that injects the Authorization header, causing the browser to receive a 401
with WWW-Authenticate: Basic and show a native auth dialog.

Added a SvelteKit server route at /api/documents/[id]/file that proxies the
request through the server, where handleFetch injects the auth cookie correctly.

Also fixed E2E default password (admin → admin123) to match application.yaml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/routes/api/documents/[id]/file/+server.ts

@@ -0,0 +1,19 @@
+import type { RequestHandler } from './$types';
+import { env } from 'process';
+
+export const GET: RequestHandler = async ({ params, fetch }) => {
+    const backendUrl = `${env.API_INTERNAL_URL || 'http://localhost:8080'}/api/documents/${params.id}/file`;
+
+    const response = await fetch(backendUrl);
+
+    if (!response.ok) {
+        return new Response(null, { status: response.status });
+    }
+
+    return new Response(response.body, {
+        headers: {
+            'Content-Type': response.headers.get('Content-Type') ?? 'application/octet-stream',
+            'Content-Disposition': response.headers.get('Content-Disposition') ?? ''
+        }
+    });
+};