docs: teams / orgs / collaboration implementation plan

[PolGuixe]

Adds docs/TEAMS_AND_ORGS_PLAN.md — a full implementation plan for multi-tenant
collaboration, plus a README link.

Locked scope

• Shared access + pessimistic document locking (no real-time CRDT)
• Organization → Team → resources (two-level tenancy)
• Granular RBAC (permission catalogue)
• Keep Supabase Auth (ADR-1) — adapt cpatpa/PIP's data model, not its auth stack

What the doc covers

• Target data model (orgs/teams/members/roles/permissions/invitations/locks/audit) with SQL sketches
• RLS strategy that also closes upstream issue [Security][Critical] No Row Level Security on any application table — one accidental GRANT = total multi-tenant data breach willchen96/mike#144 (we currently have 0 RLS policies)
• Folds in the user_id text → uuid migration (issue [Low] Most user_id columns are text — no FK referential integrity to auth.users willchen96/mike#104 / PR fix: migration to convert user_id text → uuid with FK to auth.users willchen96/mike#113) as Phase 0
• Backend + frontend surface, zero-loss migration/backfill of legacy shared_with
• 8-phase delivery (~9–12 wk solo, ~5–7 wk for two), risks, testing strategy (tenant-isolation first)
• A mapping table from PIP's files to our equivalents

Notes

• Docs only — no runtime/CI/config changes.
• Phase 0 (RLS + uuid migration) is a standalone security win and can ship first.
• §13 lists open questions for sign-off before Phase 1.

🤖 Generated with Claude Code