feat(routes): add server-side WRITE_ALL guard on write-only routes

Block direct URL navigation to /persons/new, /documents/new,
/documents/:id/edit for users without WRITE_ALL permission.
E2E tests verify admin user retains access to all write routes.

Closes #17
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/routes/documents/new/+page.server.ts

@@ -1,9 +1,12 @@
-import { fail, redirect } from '@sveltejs/kit';
+import { error, fail, redirect } from '@sveltejs/kit';
 import { env } from '$env/dynamic/private';
 import { createApiClient } from '$lib/api.server';
 import { parseBackendError, getErrorMessage } from '$lib/errors';
 
-export async function load({ fetch }) {
+export async function load({ fetch, locals }: { fetch: typeof globalThis.fetch; locals: App.Locals }) {
+	const canWrite = locals.user?.groups?.some((g: { permissions: string[] }) => g.permissions.includes('WRITE_ALL')) ?? false;
+	if (!canWrite) throw error(403, 'Forbidden');
+
 	const api = createApiClient(fetch);
 	const personsResult = await api.GET('/api/persons');