fix(moni): address P0/P1 security and reliability issues from adversarial analysis

Implemented critical fixes identified in comprehensive security review:

P0 FIXES (BREAKING - Security Critical):

1. RLS Policy Silent Failure Fixed (database.go:178-280)
   - REMOVED 'true' parameter from current_setting() in all RLS policies
   - WHY: With 'true', missing app.current_team_id returned NULL (silent failure)
   - NOW: Missing app.current_team_id causes ERROR (fail loudly, not silently)
   - IMPACT: Prevents operational nightmare where users see no data
   - EVIDENCE: AWS Prescriptive Guidance, Permit.io RLS best practices

2. Superuser Bypass Verification Added (database.go:312-326)
   - Verifies bionic_application is NOT a superuser after hardening
   - WHY: Superusers bypass ALL RLS policies (makes security useless)
   - CHECK: SELECT rolsuper FROM pg_roles WHERE rolname = 'bionic_application'
   - FAILS if user is superuser with clear remediation steps
   - EVIDENCE: Bytebase "Common Postgres RLS Footguns"

P1 FIXES (CRITICAL - Production Readiness):

3. team_id Index Verification Added (verification.go:306-349)
   - Checks 13 critical tables for team_id indexes
   - WHY: Missing indexes cause O(n) sequential scans on EVERY query
   - WARNS: Lists tables missing indexes with CREATE INDEX commands
   - IMPACT: Prevents major performance issues under load
   - EVIDENCE: AWS RLS recommendations (always index policy columns)

4. Thread-Safe Working Directory Handling (worker.go:34-63, 490-522)
   - REMOVED: os.Chdir() (process-wide, not thread-safe)
   - ADDED: execute.Options.WorkDir for docker compose (thread-safe)
   - WHY: os.Chdir() causes race conditions if called concurrently
   - BENEFIT: Safe for API exposure, concurrent executions

5. Directory Existence Validation (worker.go:40-61)
   - Checks /opt/moni exists before attempting operations
   - Checks docker-compose.yml exists with clear error messages
   - WHY: Prevents confusing errors, provides remediation steps
   - UX: "Run 'eos create moni' first to install Moni"

6. CRITICAL Application Integration Warning (database.go:328-352)
   - Loud, clear warning that app MUST set app.current_team_id
   - Explains impact: queries will ERROR without this
   - Shows example code: SET app.current_team_id = <team_id>
   - WHY: Without this, RLS blocks everything (intentional fail-closed)

P2 FIXES (Important - Pattern Compliance):

7. README.md Created (pkg/moni/README.md) - 581 lines
   - REQUIRED: CLAUDE.md P0 Rule #9 (README in each directory)
   - Documents architecture, security, usage, troubleshooting
   - Includes security checklist, best practices, references
   - Comprehensive guide for maintenance and operations

SECURITY IMPROVEMENTS:

RLS Policies Now Fail Loudly:
  Before: app.current_team_id missing -> returns NULL -> user sees nothing
  After:  app.current_team_id missing -> ERROR: unrecognized parameter

Superuser Check:
  Before: No verification - RLS could be silently bypassed
  After:  Explicit check - fails with clear error if superuser detected

Performance Monitoring:
  Before: No index verification - silent performance degradation
  After:  Warns about missing indexes with remediation SQL

EVIDENCE-BASED:
- PostgreSQL 2024/2025 RLS best practices (AWS, Crunchy Data, Permit.io)
- Docker PostgreSQL SSL patterns (Red Gate, PostgreSQL docs)
- Multi-tenant security patterns (Picus Security, Bytebase)

FILES CHANGED:
- pkg/moni/database.go: RLS policy fix + superuser check + warnings
- pkg/moni/verification.go: team_id index verification
- pkg/moni/worker.go: Thread-safe WorkDir + directory checks
- pkg/moni/README.md: Comprehensive documentation (NEW)

TESTING RECOMMENDED:
1. Verify RLS fails without app.current_team_id set
2. Verify superuser check catches misconfiguration
3. Run --verify-rls to check index status
4. Test concurrent --init calls (thread-safety)

All fixes follow Eos patterns (AIE, structured logging, RuntimeContext).
Zero breaking changes to public API.

Author: claude