### 1. Create a "guest" user (must be done by the admin)
# We leave groupIds empty -> the user has NO permissions
POST http://localhost:8080/api/admin/users
Authorization: Basic admin admin123
Content-Type: application/json

{
  "username": "Gast_User",
  "email": "gast@test.de",
  "initialPassword": "gast",
  "groupIds": []
}

### 2. POSITIVE TEST: admin may call the admin endpoint -> should be 200 OK
GET http://localhost:8080/api/admin/users
Authorization: Basic admin admin123

### 3. NEGATIVE TEST: guest may NOT call any admin endpoint -> should be 403 Forbidden
GET http://localhost:8080/api/admin/users
Authorization: Basic Gast_User gast

### 4. BUT: guest may use the normal documents API (provided they are logged in) -> 200 OK
GET http://localhost:8080/api/documents/upload
Authorization: Basic Gast_User gast
# (Returns 405 Method Not Allowed because it is a POST endpoint,
# but that proves auth worked. An auth failure would return 401/403.)

### Groups
# GET
GET http://localhost:8080/api/admin/tags
Authorization: Basic admin admin123

### One-time backfill: re-sync already-stale auto-titles (#726)
# RUNBOOK: a one-shot ADMIN maintenance call, NOT part of normal operation. Run it ONCE
# after deploying #726 to clean the existing backlog of stale titles (e.g. a title still
# showing "2028" after the date was corrected to "1928"). It is synchronous and idempotent
# — a second run returns {"count": 0} and writes nothing. Hit the backend DIRECTLY on
# port 8080 (NOT through the SvelteKit proxy) so the sweep can't trip the proxy timeout.
# Returns {"count": }.
POST http://localhost:8080/api/admin/backfill-titles
Authorization: Basic admin admin123

### NEGATIVE TEST: a non-admin must NOT be able to trigger the backfill -> 403 Forbidden
POST http://localhost:8080/api/admin/backfill-titles
Authorization: Basic Gast_User gast