No way to delete owned documents from web UI or via session-authenticated API #37

@solowlr

Description

Summary

Document owners have no way to delete documents created through the Proof web UI.

Steps to reproduce

  1. Create a document via the web UI at proofeditor.ai (logged in as owner)
  2. Open the three-dot menu -- options are: Library, New document, Log out. No delete option.
  3. Try the API: POST /api/documents/:slug/delete with session cookie -- returns 403 "Not authorized to delete document"
  4. Try DELETE /api/documents/:slug with session cookie -- same 403

Root cause

The delete routes in server/routes.ts (lines 1787 and 1881) check canOwnerMutate(req, doc), which requires the ownerSecret token in the Authorization header. Session-based authentication is not sufficient.

For documents created via the web UI, the ownerSecret is never displayed to the user. It is only returned in the JSON response from POST /documents, which is consumed by the frontend and not surfaced.

Expected behavior

Authenticated document owners should be able to delete their own documents via:

  • A "Delete" option in the editor UI menu, OR
  • Session-authenticated API calls (the server already knows the user is the owner)

Environment

  • Hosted proofeditor.ai
  • Authenticated as document owner
  • Document slug: 75ynjpbd (blank/untitled, created via web UI)
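The authorization check described under "Root cause" is the kind of logic a reviewer would want to see side by side with its fix. The following is an added illustration, not code from the Proof project or from the issue author: the request and document shapes, the Bearer-token header format, and the field names ownerUserId and ownerSecret are all assumptions made here for the example. It contrasts a secret-only check (the behaviour the issue reports) with a check that also accepts a session belonging to the document's owner, and compares the secret in constant time so a wrong token cannot be narrowed down character by character.

```typescript
// Constructed shapes standing in for the real request and document types
// (assumed for this example; the project's own types are not on the page).
interface Doc {
  slug: string;
  ownerUserId: string | null; // null for documents created without a login
  ownerSecret: string;
}

interface Req {
  session?: { userId?: string };
  headers: { authorization?: string };
}

// Length-guarded, constant-time string comparison: every character is
// XORed regardless of where the first mismatch occurs.
function secretsMatch(supplied: string, expected: string): boolean {
  if (supplied.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < supplied.length; i++) {
    diff |= supplied.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Extract the token from an "Authorization: Bearer <token>" header
// (header format assumed for this example).
function bearerToken(req: Req): string | null {
  const m = /^Bearer\s+(\S+)$/i.exec(req.headers.authorization ?? "");
  return m ? m[1] : null;
}

// Secret-only check: the behaviour the issue describes. A logged-in owner
// without the (never displayed) ownerSecret is refused.
function canOwnerMutateSecretOnly(req: Req, doc: Doc): boolean {
  const token = bearerToken(req);
  return token !== null && secretsMatch(token, doc.ownerSecret);
}

// Proposed check: accept the owner secret as before, and additionally accept
// a session whose user id matches the document's recorded owner.
function canOwnerMutate(req: Req, doc: Doc): boolean {
  if (canOwnerMutateSecretOnly(req, doc)) return true;
  const uid = req.session?.userId;
  return uid !== undefined && doc.ownerUserId !== null && uid === doc.ownerUserId;
}

// Route-level decision: the HTTP status a delete handler would return.
function deleteStatus(req: Req, doc: Doc): number {
  return canOwnerMutate(req, doc) ? 204 : 403;
}
```

Note that the session branch still requires the document to carry an owner id: a document with ownerUserId of null keeps the secret as its only credential, so anonymous documents are not opened up to any logged-in user.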
