feat!: add Postgres RLS as defense-in-depth on team isolation

[FrkAk]

Summary

Task Reference: [MYMR-151]

BREAKING CHANGE: ALL existings DB needs fresh setup or manual migration to RLS

Adds Postgres Row-Level Security as defense-in-depth on team isolation.

DATABASE_URL now connects as app_user (NOBYPASSRLS). Every read/write runs inside withUserContext(userId), which sets the app.user_id GUC before the query. RLS policies on the 8 public-schema tables (projects, tasks, task_edges, task_assignees, task_acceptance_criteria, task_decisions, task_links, team_invite_code) join neon_auth.member on that GUC to enforce team scope.

Three roles split the trust boundary:

• app_user — runtime web requests; SELECT on neon_auth.member/organization/user/invitation only. No access to password hashes, session tokens, OAuth tokens, or JWT keys.
• auth_role — Better Auth runtime; full DML on neon_auth.*, zero grants on public.*.
• service_role — migrations + two documented bypass call sites (clearOrgMembershipArtifacts, listOrgProjectIdsAsAdmin).

SECURITY DEFINER helpers cover the invite-code join flow and admin lookups so app_user never touches neon_auth.* directly. team_invite_code writes are admin/owner-only; reads are member-only. Cycle detection in edge mutations runs inside the same RLS frame as the insert. withUserContext rejects non-UUID userId at the helper boundary. ESLint forbids bare db.transaction(…) outside lib/db/rls.ts, and a branded Conn parameter on every internal helper turns future bare-call regressions into TypeScript compile errors.

Closes MYMR-151.

Type of change

• Bug fix
• New feature
• Refactor / cleanup
• Documentation

Testing

• Tested locally with bun run dev
• Linting passes (bun run lint)
• Typecheck passes (bun run typecheck)

Additional:

• bun run build — passes
• bun run test:db — 137 pass / 0 fail / 7 skip (RLS-only tests skip under BYPASSRLS lane)
• bun run test:rls — 263 pass / 0 fail under app_user
• EXPLAIN confirms InitPlan hoists the GUC subselect