feat(rls): Phase 1 #7 — HeartbeatConfig RLS + callsite fixes#135

Merged
webdevcom01-cell merged 1 commit into main from feat/rls-phase1-heartbeatconfig on May 24, 2026

Conversation

@webdevcom01-cell
Owner

Summary

  • Migration 20260601000000_rls_phase1_heartbeatconfig: TENANT_DIRECT RLS on HeartbeatConfig (SELECT/INSERT/UPDATE/DELETE policies + composite organizationId, id index)
  • BullMQ worker (heartbeat-worker.ts): wraps heartbeatConfig.findUnique in withOrgContext(prisma, organizationId, …) using explicit organizationId from job.data — ALS is empty in BullMQ workers (confirmed in Migration chore(deps): bump node from 20-alpine to 25-alpine #3 audit)
  • Scheduler (heartbeat-scheduler.ts): scheduleHeartbeat and unscheduleHeartbeat gain organizationId: string | null param; all heartbeatConfig reads/writes wrapped with withOrgContext
  • Route (/api/agents/[agentId]/heartbeat): GET and DELETE fetch organizationId via separate agent lookup (same pattern as permissions route); POST uses organizationId from validated body
  • Template engine: exportTemplate wraps agent+include query in withOrgContext to prevent silent null on heartbeatConfig include under RLS; importTemplate wraps heartbeatConfig.create

Test plan

  • pnpm precheck — 4/4 pass (TypeScript, vitest 4119 tests, lucide mocks, placeholder strings) ✅
  • CI green
  • E2E: existing JWTSessionError flake is pre-existing — ignore
  • After merge: apply migration to Railway prod DB, verify heartbeat config still readable with RLS flag off
  • Flag-on smoke: RLS_ENFORCEMENT_ENABLED=true in test org — POST heartbeat config, confirm no 42501

RLS state after this PR

Phase 1: 7/14 live — OrganizationMember, Invitation, CompanyMission, Department, Goal, AgentPermissionGrant, HeartbeatConfig

🤖 Generated with Claude Code
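The failure mode the summary describes (ALS empty in a BullMQ worker, so a row under RLS comes back as a silent null) and the fix (an explicit organizationId from job.data passed to withOrgContext), as an added illustration that is not code from this PR or project. The in-memory table, the `orgContext` store, the row shape and the `withOrgContext` signature are assumptions standing in for the project's Prisma helper and Postgres policy:

```typescript
import { AsyncLocalStorage } from "node:async_hooks";

// Constructed stand-in for a table under a TENANT_DIRECT RLS policy: reads are
// filtered by the organizationId in the current context, and a missing context
// yields no rows rather than an error (the "silent null" the PR guards against).
interface HeartbeatConfigRow { id: string; organizationId: string; intervalSec: number; }

// Assumed request-scoped context store, populated by HTTP middleware only.
const orgContext = new AsyncLocalStorage<{ organizationId: string }>();

class RlsHeartbeatConfigTable {
  private readonly rows: HeartbeatConfigRow[];
  constructor(rows: HeartbeatConfigRow[]) { this.rows = rows; }

  // Mirrors a SELECT policy of the form USING (organizationId = current org).
  findUnique(id: string): HeartbeatConfigRow | null {
    const org = orgContext.getStore()?.organizationId;
    if (org === undefined) return null;
    return this.rows.find((r) => r.id === id && r.organizationId === org) ?? null;
  }
}

// Assumed shape of withOrgContext: run fn with the tenant's organizationId set
// for the duration of the call, independent of any HTTP request.
export function withOrgContext<T>(organizationId: string, fn: () => T): T {
  return orgContext.run({ organizationId }, fn);
}

// Constructed sample rows for two tenants.
const heartbeatConfig = new RlsHeartbeatConfigTable([
  { id: "hb-1", organizationId: "org-a", intervalSec: 60 },
  { id: "hb-2", organizationId: "org-b", intervalSec: 300 },
]);

// A BullMQ job handler runs with no request above it, so the ALS is empty and
// the lookup silently returns null even though the row exists.
export function unwrappedWorker(job: { data: { configId: string } }): HeartbeatConfigRow | null {
  return heartbeatConfig.findUnique(job.data.configId);
}

// The PR's pattern: establish the context explicitly from job.data before
// touching heartbeatConfig. A wrong organizationId still yields null, so the
// tenant boundary holds even when the job payload is inconsistent.
export function wrappedWorker(job: { data: { configId: string; organizationId: string } }): HeartbeatConfigRow | null {
  return withOrgContext(job.data.organizationId, () => heartbeatConfig.findUnique(job.data.configId));
}
```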

Migration 20260601000000: TENANT_DIRECT RLS on HeartbeatConfig.
BullMQ worker uses explicit organizationId from job.data (ALS empty in workers).
Scheduler functions gain organizationId param; route and template engine wrapped.
webdevcom01-cell added the label "e2e: Run E2E tests on this PR" on May 24, 2026
webdevcom01-cell merged commit 4ed3232 into main on May 24, 2026
6 of 12 checks passed
webdevcom01-cell deleted the feat/rls-phase1-heartbeatconfig branch on May 24, 2026 at 07:03