feat(observability): tag Sentry events for SQLSTATE 42501 RLS violations#111

Merged
webdevcom01-cell merged 1 commit into main from feat/sentry-rls-42501-tagging on May 21, 2026
Conversation

@webdevcom01-cell
Owner

What

Extends sentry.server.config.ts beforeSend to detect and tag PostgreSQL RLS violation errors before they reach Sentry.

Why

Without this, a leaked RLS violation (SQLSTATE 42501) arrives in Sentry as a generic Prisma error — buried in noise, no grouping, no alert. With this, every 42501 is immediately visible as fatal with a single fingerprint.

Changes

sentry.server.config.ts — adds isRlsViolation() helper + extends beforeSend:

```ts
// Returns true when any exception in the event looks like a PostgreSQL
// RLS / insufficient-privilege error, matched on the exception message text.
function isRlsViolation(event: Sentry.ErrorEvent): boolean {
  return event.exception?.values?.some(
    (ex) =>
      ex.value?.includes("42501") ||                               // SQLSTATE code in the message
      ex.value?.toLowerCase().includes("row-level security") ||    // RLS policy violation text
      ex.value?.toLowerCase().includes("insufficient privilege")   // generic 42501 condition name
  ) ?? false; // no exception values at all -> not a violation
}
```

On match, beforeSend sets:

| Field | Value | Effect |
|---|---|---|
| fingerprint | ['rls-policy-violation-42501'] | All violations group into one Sentry issue |
| tags.rls_violation | 'true' | Filterable in Sentry, alertable via alert rules |
| tags.sqlstate | '42501' | Explicit DB error code visible in issue detail |
| level | 'fatal' | Surfaces above normal errors in Sentry inbox |

Only sentry.server.config.ts changed — SQLSTATE 42501 is a server-side Prisma/PostgreSQL error and never reaches the client or edge runtime.

Test plan

  • pnpm typecheck passes (no Sentry.ErrorEvent type errors)
  • CI passes
  • Manual: trigger a test 42501 error via psql as app_user without org context → confirm Sentry receives event with rls_violation=true tag and fatal level
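The following is an added, self-contained model of the beforeSend behaviour described above; it is not the PR's own code and does not import @sentry/nextjs. The Sentry event types are minimal local stand-ins (an assumption), the sample events are constructed, and the one deliberate deviation from the PR's helper is that the SQLSTATE code is matched with a word boundary (`\b42501\b`) rather than a plain substring, so digits inside an unrelated identifier such as `order-425011` do not trigger the fatal tag. Note that SQLSTATE 42501 is PostgreSQL's generic insufficient_privilege condition, so a plain `permission denied for table` from a missing GRANT is tagged the same way as an RLS policy failure; the sqlstate tag is accurate in both cases, the rls_violation tag is a heuristic.

```typescript
// Minimal stand-ins for the Sentry event shape used by beforeSend (assumption, not @sentry/nextjs types).
type SentryException = { type?: string; value?: string };
type SentryEvent = {
  exception?: { values?: SentryException[] };
  fingerprint?: string[];
  tags?: Record<string, string>;
  level?: "fatal" | "error" | "warning" | "info" | "debug";
};

const RLS_FINGERPRINT = "rls-policy-violation-42501";

// Detect a PostgreSQL insufficient_privilege / RLS violation from the exception message text.
// \b42501\b only matches the code as a standalone token (the PR's helper uses a substring match).
export function isRlsViolation(event: SentryEvent): boolean {
  const values = event.exception?.values ?? [];
  return values.some((ex) => {
    const msg = (ex.value ?? "").toLowerCase();
    return (
      /\b42501\b/.test(msg) ||
      msg.includes("row-level security") ||
      msg.includes("insufficient privilege")
    );
  });
}

// beforeSend-style hook: returns the event unchanged unless it is an RLS violation,
// in which case it applies the fingerprint, tags and level listed in the PR table.
export function beforeSend(event: SentryEvent): SentryEvent {
  if (!isRlsViolation(event)) return event;
  return {
    ...event,
    fingerprint: [RLS_FINGERPRINT],
    // existing tags (e.g. route) are preserved; the two RLS tags are added
    tags: { ...(event.tags ?? {}), rls_violation: "true", sqlstate: "42501" },
    level: "fatal",
  };
}

// Constructed sample events (not real captures). The first mimics the message format
// Prisma uses for a failed raw query; the second is PostgreSQL's WITH CHECK violation text.
export const SAMPLE_EVENTS: Record<string, SentryEvent> = {
  rawQuery: {
    exception: {
      values: [{
        type: "PrismaClientKnownRequestError",
        value: "Raw query failed. Code: `42501`. Message: `permission denied for table orders`",
      }],
    },
    tags: { route: "/api/orders" },
    level: "error",
  },
  insertPolicy: {
    exception: {
      values: [{
        type: "Error",
        value: 'new row violates row-level security policy for table "orders"',
      }],
    },
  },
  unrelated: {
    exception: { values: [{ type: "Error", value: "order-425011 not found" }] },
    level: "error",
  },
  noException: { level: "info" },
};

// Runs every sample through the hook and returns the results keyed by sample name.
export function processAll(): Record<string, SentryEvent> {
  const out: Record<string, SentryEvent> = {};
  for (const [name, ev] of Object.entries(SAMPLE_EVENTS)) {
    out[name] = beforeSend(ev);
  }
  return out;
}

for (const [name, ev] of Object.entries(processAll())) {
  console.log(name, ev.level ?? "(unchanged)", ev.tags ?? {});
}
```

In the real config the hook is wired as `beforeSend(event) { ... return event; }` inside `Sentry.init`; the function above is the same shape minus the Sentry import, so the detection logic can be unit-tested without a DSN.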

Adds isRlsViolation() helper in beforeSend that matches PostgreSQL
error patterns (42501 code, 'row-level security', 'insufficient privilege').

On match:
- fingerprint: ['rls-policy-violation-42501'] — groups all violations
  into one Sentry issue instead of hundreds of separate ones
- tags: rls_violation=true, sqlstate=42501 — enables alert rules
- level: fatal — RLS bypass in prod is critical, not just an error
@webdevcom01-cell webdevcom01-cell merged commit 5a9b131 into main May 21, 2026
7 of 8 checks passed