Disclose downstream AGPL changes

[hoogvliets]

This PR discloses the complete downstream source changes made to this AGPL-3.0 project. It is intentionally broad so the original maintainer can inspect the full modified codebase in one place. Smaller topic PRs are also open for easier review.

Scope

• Full downstream application source disclosure from the current working codebase.
• Includes backend, frontend, database, Supabase config, tests, CI, and README updates.
• Excludes local planning files and machine-local artifacts.

Database and Supabase

• Replaces the old single backend/schema.sql setup path with node-pg-migrate migrations.
• Adds one-shot fresh database schema SQL at backend/migrations/000_one_shot_schema.sql.
• Adds RLS policies, auth lookup RPCs, workflow sharing checks, encrypted API key columns, soft-delete profile support, and account deletion jobs.
• Adds local Supabase CLI config under supabase/.

Backend

• Splits the large chat tooling module into focused files for citations, document context, streaming, schemas, tool running, workflow loading, and individual tools.
• Adds account deletion, restore token handling, encrypted user model keys, request logging, LLM rate limiting, PDF queue helpers, validation helpers, and a models endpoint.
• Updates auth, storage, upload, project, document, tabular, workflow, user, download, and LLM provider behavior.

Frontend

• Updates account, project, document, assistant, workflow, and tabular review flows.
• Moves shared providers, contexts, logo, Supabase client, and utilities into the app tree.
• Adds account deletion UI, manifest context, project document panels, explorer panels, and a shared panel divider.

Tests and CI

• Adds Vitest suites for auth hardening, cross-tenant access, DOCX round trips, golden log/SSE behavior, integration flows, saga behavior, and units.
• Adds fixtures and mocks for R2/document workflows.
• Adds DOCX CI workflow coverage.

Documentation

• Rewrites the README with setup, environment, database, local run, feature, test, deployment, troubleshooting, and license guidance.

Related Smaller PRs

• Disclose frontend app and project workflow updates #128 - Frontend app and project workflow updates.
• Disclose backend test coverage and CI workflow #129 - Backend test coverage and CI workflow.
• Disclose database migrations and Supabase config #130 - Database migrations and Supabase config.
• Disclose backend hardening and route changes #131 - Backend hardening and route changes.

Review Note

• This is the full disclosure branch. If the maintainer prefers incremental review, the smaller PRs above split the same downstream work by area.

[hoogvliets]

For clarity: #127 is the complete downstream AGPL source disclosure in one PR. The smaller PRs (#128, #129, #130, #131) split the same disclosure into review-friendly areas so maintainers can inspect or cherry-pick by topic. I do not expect all of these to be merged as-is; the goal is transparency and source availability for the downstream changes.

[hoogvliets]

Verification update from the downstream disclosure branch:

Checks Run

• npm run build --prefix backend - passed.
• npm run build --prefix frontend - passed.
• npm run test:no-db --prefix backend - passed: 33 files, 155 tests passed, 1 skipped.
• npm run lint --prefix frontend - failed: 34 errors, 70 warnings.

Lint Failure Categories

• React 19 compiler/hook lint findings such as react-hooks/set-state-in-effect and react-hooks/static-components.
• Unescaped entity errors in a few JSX files.
• @typescript-eslint/no-explicit-any in assistant chat code.
• @typescript-eslint/no-require-imports in frontend/src/scripts/convert-courts-to-ts.js.
• Several unused variable and exhaustive-deps warnings.

Secret Scan

• Ran a tracked-source scan for common GitHub, OpenAI, Google, AWS, private key, database URL, and env secret patterns while excluding dependencies/build artifacts.
• Findings were placeholders, test values, config references, or SQL role names; no real tracked secrets were identified in that scan.
• Local backend/.env and frontend/.env.local exist but are ignored by git and were not included in the disclosure PRs.