docs: replace daedalus-service basic auth with per-user DRF tokens

docs/DAEDALUS_PALLAS_INTEGRATION_v1.md

@@ -367,9 +367,12 @@ Mnemosyne validates the JWT against `MCPSigningKey` keyed by `kid`.
 
 ## 7. REST API — Mnemosyne team lifecycle
 
-All endpoints live under `/mcp_server/api/teams/` and are protected
-by the existing `daedalus-service` HTTP Basic account (same auth as
-`/library/api/workspaces/` and `/library/api/ingest/`).
+All endpoints live under `/mcp_server/api/teams/` and are authenticated
+as the Mnemosyne user the team belongs to via a per-user DRF token
+(`Authorization: Token <key>`, surfaced on `/profile/settings/`). Each
+team has an `owner` FK; non-owners receive 404 (never 403) so a team's
+existence isn't disclosed across users. `/library/api/workspaces/` and
+`/library/api/ingest/` use the same per-user auth model.
 
 ### 7.1 `POST /mcp_server/api/teams/`
 Create a team.
@@ -733,7 +736,8 @@ escape hatch for hard compartmentalization.
 * `TeamWorkspaceAssignment` PUT is idempotent and replaces, not
   unions.
 * `/mcp_server/api/teams/` endpoints: create, delete, rotate,
-  workspaces PUT, all authenticated as `daedalus-service`.
+  workspaces PUT, all authenticated with a per-user DRF token and
+  scoped to the team's `owner` (non-owner requests return 404).
 
 ### 14.2 Daedalus test surface
 * `on_pallas_registered` populates `team_jwt_encrypted` and transitions