Source: Deep code review — docs/code-review-2026-05.md (finding S1, P0). Verified still present in code on 2026-06-08.
Where: storage.rules:22 and storage.rules:45
allow delete: if isAuthenticated();
Issue: No owner/manager check. Any signed-in user can delete another user's recipe images and media-instruction files — destructive, trivially exploitable.
Fix: Restrict delete to manager (and/or owner). Add an isManager() helper to storage.rules (Storage rules can read Firestore documents through the cross-service firestore.get() function), or gate on owner metadata (see R5 in the review doc — set uploadedBy: uid on upload, then check resource.metadata.uploadedBy == request.auth.uid || isManager()).
Verification: Add a Storage Rules unit test (@firebase/rules-unit-testing) attempting delete as a non-manager — must fail.
Effort: ~30 min + tests. Highest risk/effort ratio of the open security findings.
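A hardened storage.rules fragment illustrating the fix above, added here as an example rather than taken from the project. The match path (/recipes/{recipeId}/{fileName}), the Firestore users/{uid} document and its role field are assumptions; the metadata key uploadedBy is the one named in the finding.

```firebase-rules
rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    function isAuthenticated() {
      return request.auth != null;
    }
    // Assumed: each user has a Firestore doc users/{uid} with a string field
    // `role`; that doc must not be writable by the user, or this check is moot.
    function isManager() {
      return isAuthenticated()
        && firestore.get(/databases/(default)/documents/users/$(request.auth.uid)).data.role == 'manager';
    }
    // Owner check via custom object metadata (review finding R5): the uploader's
    // uid is stamped into the object's metadata at upload time.
    function isOwner() {
      return isAuthenticated()
        && resource.metadata.uploadedBy == request.auth.uid;
    }
    // Assumed path layout for recipe images and media-instruction files.
    match /recipes/{recipeId}/{fileName} {
      allow read: if isAuthenticated();

      // Upload must stamp the caller's own uid; a client cannot claim another owner.
      allow create: if isAuthenticated()
        && request.resource.metadata.uploadedBy == request.auth.uid;

      // Metadata updates may not rewrite the owner stamp, otherwise the
      // owner check on delete could be bypassed by re-labelling the object.
      allow update: if (isOwner() || isManager())
        && request.resource.metadata.uploadedBy == resource.metadata.uploadedBy;

      // Before (storage.rules:22 / :45): allow delete: if isAuthenticated();
      // After: only the uploader or a manager may delete.
      allow delete: if isOwner() || isManager();
    }
  }
}
```

The rules-unit-testing check called for under Verification should exercise this delete as a signed-in non-manager, non-owner uid and assert denial, and as the owner and as a manager and assert success.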