Disclose backend test coverage and CI workflow

From the PR description

Part of the downstream AGPL disclosure. This PR isolates backend test coverage and CI additions for easier review.

Scope

• Backend test suites, fixtures, Vitest configs, package script/dependency updates, and DOCX CI workflow.
• Full disclosure PR: #127.

Test Infrastructure

• Adds Vitest config files for no-db, DOCX, golden log, auth hardening, saga, and broader integration suites.
• Adds backend package scripts for running each suite directly.
• Adds test dependencies such as Vitest and Supertest.

Auth and Access Tests

• Adds auth hardening coverage for cache behavior, failure modes, OR filters, empty emails, people lookup, and random UUID imports.
• Adds cross-tenant access matrix tests, shared-user tests, helper shape tests, explain helpers, seed helpers, setup, and teardown.

Document and Chat Tests

• Adds DOCX round-trip fixtures and tests, including insertion, deletion, replacement, tables, bullets, headings, Unicode, smart quotes, nonbreaking spaces, and edge cases.
• Adds golden log/SSE tests for citations, reasoning, and tool-call event behavior.
• Adds unit coverage for chat tool dispatch, citation parsing, JSON parsing, edit status hydration, and replicate limits.

Integration and Saga Tests

• Adds integration coverage for API keys, audit logs, deleted auth handling, chat stream failures, crypto round trips, account deletion/restore, document version concurrency, upload validation, downloads, generated titles, model endpoints, tabular flows, workers, and built-in workflows.
• Adds saga tests for edit resolution, fan-out bounds, reuse-version behavior, and unique version handling.

CI

• Adds .github/workflows/test-docx.yml for DOCX test coverage in GitHub Actions.

Review Note

• Some tests exercise backend behavior disclosed in #130 and #131, so they may not all pass independently on upstream main without those source changes.