fix: address Task 6 quality review — rename helper, restore 403 for intra-account, add docs test

- Rename _get_tree_or_403 → _get_tree_or_404 in maintenance_schedules.py
  (function now raises 404, old name was misleading)
- Restore HTTP 403 for intra-account permission failures in update_tree:
  same-account users who can see a tree but can't edit it got 404 (wrong);
  only cross-account lookups should return 404 to avoid confirming existence
- Apply same 403/404 distinction to update_tree_visibility
- Add test: get_documentation must return 404 for cross-user session access
- Add comment documenting owner-only design for documentation endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/tests/test_tenant_isolation_p0.py

@@ -548,3 +548,31 @@ async def test_maintenance_schedule_returns_404_for_other_team(
     assert resp.status_code == 404, (
         f"Expected 404 for cross-team maintenance schedule access, got {resp.status_code}: {resp.text}"
     )
+
+
+@pytest.mark.asyncio
+async def test_get_documentation_returns_404_for_other_user_session(
+    client: AsyncClient, test_db: AsyncSession
+):
+    """GET /ai-sessions/{id}/documentation must return 404 (not 403) for cross-user access."""
+    from app.models.ai_session import AISession
+
+    acct_a, user_a, pass_a = await _create_account_and_user(test_db, "doc-a")
+    acct_b, user_b, pass_b = await _create_account_and_user(test_db, "doc-b")
+
+    session_b = AISession(
+        user_id=user_b.id,
+        account_id=acct_b.id,
+        problem_summary="B's confidential session",
+        problem_domain="networking",
+        status="resolved",
+    )
+    test_db.add(session_b)
+    await test_db.commit()
+
+    headers_a = await _login(client, user_a.email, pass_a)
+    resp = await client.get(
+        f"/api/v1/ai-sessions/{session_b.id}/documentation",
+        headers=headers_a,
+    )
+    assert resp.status_code == 404, f"Expected 404, got {resp.status_code}: {resp.text}"