Restrict document edit/delete to owners and close public registration

Adds DocumentPolicy gating update/delete to the creator (admins bypass via
before()), invokes $this->authorize() in DocumentEditor mount/save/delete,
applies can:update,document on the edit route, hides the edit button for
non-owners, and removes the open /register routes so accounts must be
provisioned via the admin panel.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/routes/auth.php

@@ -7,16 +7,10 @@
 use App\Http\Controllers\Auth\NewPasswordController;
 use App\Http\Controllers\Auth\PasswordController;
 use App\Http\Controllers\Auth\PasswordResetLinkController;
-use App\Http\Controllers\Auth\RegisteredUserController;
 use App\Http\Controllers\Auth\VerifyEmailController;
 use Illuminate\Support\Facades\Route;
 
 Route::middleware('guest')->group(function () {
-    Route::get('register', [RegisteredUserController::class, 'create'])
-        ->name('register');
-
-    Route::post('register', [RegisteredUserController::class, 'store']);
-
     Route::get('login', [AuthenticatedSessionController::class, 'create'])
         ->name('login');
 

src/routes/web.php

@@ -44,7 +44,9 @@
     // 認証が必要なルート（より具体的なルートを先に定義）
     Route::middleware('auth')->group(function () {
         Route::get('/create', DocumentEditor::class)->name('create');
-        Route::get('/{document}/edit', DocumentEditor::class)->name('edit');
+        Route::get('/{document}/edit', DocumentEditor::class)
+            ->middleware('can:update,document')
+            ->name('edit');
     });
 
     // 公開ルート（動的ルートは最後に）