test(e2e): add coverage for all 12 critical journeys (TEST-3 #405)

Adds docs/audits/e2e-coverage-report.md mapping all 12 critical journeys
to their test files. Fills the 6 coverage gaps with new e2e tests:

- J1: Register via invite code (auth.spec.ts)
- J3: Edit document tags via TagInput (documents.spec.ts)
- J4: Create brand-new tag via TagInput (documents.spec.ts)
- J5: Add SPOUSE_OF relationship on person edit page (persons.spec.ts)
- J6: Multi-filter search (text + date, text + tagId) (documents.spec.ts)
- J10: Notification bell opens dropdown (notification-deep-link.spec.ts)
- J11: Non-admin blocked from /admin/* (permissions.spec.ts)
- J12: Mass import trigger shows status (admin.spec.ts)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/e2e/permissions.spec.ts

@@ -84,4 +84,19 @@ test.describe('Read-only user — no write controls visible', () => {
 		await expect(page).not.toHaveURL('/documents/new');
 		await page.screenshot({ path: 'test-results/e2e/permissions-reader-no-new-doc-direct.png' });
 	});
+
+	// J11: non-admin user is blocked from /admin/*
+	test('navigating to /admin shows a 403 error — not the admin panel', async ({ page }) => {
+		await page.goto('/admin');
+		// The admin layout throws 403 for any user without an admin permission.
+		// SvelteKit renders the error page — verify the admin panel does NOT load.
+		await expect(page.getByRole('button', { name: 'Benutzer', exact: true })).not.toBeVisible({
+			timeout: 5000
+		});
+		// The error page should be visible instead (SvelteKit error renders the status code).
+		await expect(page.getByText(/403|Zugriff verweigert|Forbidden/i)).toBeVisible({
+			timeout: 5000
+		});
+		await page.screenshot({ path: 'test-results/e2e/permissions-reader-admin-blocked.png' });
+	});
 });