Row Level Security — every table, no exceptions
Postgres RLS is enabled on every table. Every policy is scoped by org_id = current_org_id(). Verified in CI: zero tables without RLS, zero over-permissive policies, zero unconstrained write paths. A CI tripwire (tests/service-role-allowlist.test.ts) blocks any unreviewed RLS-bypass from reaching production.