feat: enable RLS on all Supabase tables and document security model (#242) #313

Open
devendra-w wants to merge 2 commits into Priyanshu-byte-coder:main from devendra-w:feat/supabase-rls

@devendra-w

Summary

Enables Row Level Security (RLS) on all Supabase tables and documents the security model. Users can now only access their own rows across all tables. supabaseAdmin (service role key) correctly bypasses RLS for trusted server-side operations.
Closes #242

Type of Change

  • Bug fix
  • New feature
  • Documentation update
  • Refactor / code cleanup

Changes Made

  • Added supabase/migrations/20260517000000_enable_rls.sql — enables RLS and adds SELECT/INSERT/UPDATE/DELETE policies on users, goals, and metric_snapshots tables
  • Updated SECURITY.md — added Row Level Security section documenting protected tables, policies, and security principles

How to Test

  1. Apply the migration: supabase db push
  2. In Supabase dashboard → Authentication → Policies — verify RLS is enabled on all tables
  3. Test with anon key — verify it cannot access another user's rows
  4. Test with service role key — verify it can access all rows (bypasses RLS)

Screenshots (if UI change)

N/A

Checklist

  • Linked issue in summary
  • npm run lint passes locally
  • Self-reviewed the diff
  • Added/updated tests if applicable
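
A catalog query for step 2 of the test plan, as an added example that is not part of this pull request or its migration: for the three tables the description names, it reports whether RLS is enabled and which of SELECT/INSERT/UPDATE/DELETE has no policy. It assumes the tables live in the `public` schema, which the page does not state.

```sql
-- Added example: audit RLS state for the tables named in this PR.
-- Assumption: the tables are in the "public" schema.
with expected(table_name) as (
  values ('users'), ('goals'), ('metric_snapshots')
),
commands(cmd) as (
  values ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE')
),
tbl as (
  -- relrowsecurity is set by ALTER TABLE ... ENABLE ROW LEVEL SECURITY
  select e.table_name,
         c.oid is not null                       as table_exists,
         coalesce(c.relrowsecurity, false)       as rls_enabled,
         coalesce(c.relforcerowsecurity, false)  as rls_forced
  from expected e
  left join pg_class c
    on c.relname = e.table_name
   and c.relkind in ('r', 'p')
   and c.relnamespace = 'public'::regnamespace
),
missing as (
  -- a policy declared FOR ALL covers every command
  select e.table_name, string_agg(k.cmd, ', ' order by k.cmd) as cmds
  from expected e
  cross join commands k
  where not exists (
    select 1
    from pg_policies p
    where p.schemaname = 'public'
      and p.tablename = e.table_name
      and p.cmd in (k.cmd, 'ALL')
  )
  group by e.table_name
)
select t.table_name, t.table_exists, t.rls_enabled, t.rls_forced,
       coalesce(m.cmds, '') as commands_without_policy,
       (t.rls_enabled and m.cmds is null) as passes
from tbl t
left join missing m using (table_name)
order by t.table_name;

-- Presence of a policy says nothing about its predicate: list the
-- expressions so a reviewer can confirm each one restricts rows to the caller.
select tablename, policyname, cmd, roles, qual as using_expr, with_check
from pg_policies
where schemaname = 'public'
  and tablename in ('users', 'goals', 'metric_snapshots')
order by tablename, cmd, policyname;
```

With RLS enabled, a command that has no policy is denied for non-owner roles rather than left open, so a non-empty `commands_without_policy` points to a functional gap, while `rls_enabled = false` is the exposure.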

@vercel

vercel Bot commented May 18, 2026

@devendra-w is attempting to deploy a commit to the PRIYANSHU DOSHI's projects Team on Vercel.

A member of the Team first needs to authorize it.

Development

Successfully merging this pull request may close these issues.

[FEAT] Enforce Supabase Row Level Security on all tables and add security audit
