Fix REST delete endpoint returning 403 when serverOnlyFields configured #389

Open
pubkey wants to merge 2 commits into master from claude/fix-server-only-fields-bug-0AAAI

pubkey commented Apr 4, 2026

This PR contains:

  • A BUGFIX
  • IMPROVED TESTS

Describe the problem you have without this PR

The REST /delete endpoint returns a 403 Forbidden error when serverOnlyFields is configured on the endpoint. This occurs because the delete handler passes full documents (including server-only fields) to the changeValidator, which rejects them since the validation wrapper checks for the presence of server-only fields.

Solution

Strip server-only fields from documents before passing them to the changeValidator in the delete handler, making the behavior consistent with the /set endpoint which already performs this filtering.

Changes

  • src/plugins/server/endpoint-rest.ts: Modified the delete handler to call removeServerOnlyFields() on documents before validation, matching the pattern used in the set endpoint
  • test/unit/endpoint-rest.test.ts: Added test case verifying that document deletion works correctly when serverOnlyFields is configured
  • CHANGELOG.md: Documented the bug fix

Test Plan

Added unit test 'should allow deleting documents when serverOnlyFields is set' that:

  1. Creates a collection with a document
  2. Sets up a REST endpoint with serverOnlyFields configured
  3. Verifies deletion succeeds and the document is removed from the collection

Existing tests continue to pass, confirming no regression in other delete scenarios.

https://claude.ai/code/session_01RM8ozNUej31tH5dCBvmaop

claude added 2 commits April 4, 2026 10:21
…ured

The delete handler passed full documents (including server-only fields)
to the changeValidator. The wrapper always rejects documents containing
server-only fields, making all deletes fail with 403 Forbidden.

Strip server-only fields before passing to changeValidator, consistent
with the /set endpoint behavior.

https://claude.ai/code/session_01RM8ozNUej31tH5dCBvmaop
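
The failure and the fix described in this PR, as an added example that is not the project's code or part of the PR: a simplified model in which a validator wrapper rejects any document carrying a server-only field, and a delete handler validates stored documents either as-is or after stripping. Only `serverOnlyFields`, `changeValidator` and `removeServerOnlyFields` are names from the page; every other name, the function signatures and the sample data are assumptions.

```typescript
// Simplified model of the behaviour described in the PR, not the project's code.
// Hypothetical names: Doc, Validator, wrapChangeValidator, handleDelete, runScenario.
type Doc = Record<string, unknown>;
type Validator = (doc: Doc) => boolean;

// Returns a copy of the document without the server-only fields.
function removeServerOnlyFields(doc: Doc, serverOnlyFields: string[]): Doc {
  const copy: Doc = { ...doc };
  for (const field of serverOnlyFields) delete copy[field];
  return copy;
}

// Wrapper as the PR describes it: a document that carries a server-only
// field is rejected before the user-supplied validator is consulted.
function wrapChangeValidator(inner: Validator, serverOnlyFields: string[]): Validator {
  return (doc) =>
    !serverOnlyFields.some((f) => Object.prototype.hasOwnProperty.call(doc, f)) && inner(doc);
}

// Delete handler model: loads stored documents by id and returns an HTTP status.
function handleDelete(
  store: Map<string, Doc>, ids: string[], changeValidator: Validator,
  serverOnlyFields: string[], stripBeforeValidate: boolean
): number {
  const docs = ids.map((id) => store.get(id)).filter((d): d is Doc => d !== undefined);
  for (const stored of docs) {
    // Stored documents legitimately contain server-only fields, so passing
    // them to the wrapper unstripped makes every delete fail with 403.
    const candidate = stripBeforeValidate
      ? removeServerOnlyFields(stored, serverOnlyFields)
      : stored;
    if (!changeValidator(candidate)) return 403;
  }
  for (const id of ids) store.delete(id);
  return 200;
}

// Runs one delete against constructed sample data and reports the outcome.
function runScenario(stripBeforeValidate: boolean): { status: number; remaining: number } {
  const serverOnlyFields = ["internalScore"]; // constructed field name
  const store = new Map<string, Doc>([
    ["a", { id: "a", name: "alice", internalScore: 7 }],
  ]);
  const validator = wrapChangeValidator(() => true, serverOnlyFields);
  const status = handleDelete(store, ["a"], validator, serverOnlyFields, stripBeforeValidate);
  return { status, remaining: store.size };
}
```

In this model the stripping is applied only to documents read from the store; the wrapper still rejects a document that arrives with a server-only field set.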