feat(db): enforce runtime RLS boundaries

docs/runbooks/dev-setup.md

@@ -64,12 +64,13 @@ codex review --base origin/main
 - Copy `.env.example` to `.env` before running app/database commands.
 - `bun run db:seed` refreshes the committed fixture household and is destructive for previously seeded fixture rows.
 - Local bot feature flags come from env presence:
-  - finance commands require `DATABASE_URL` plus household setup in Telegram via `/setup`
-  - purchase ingestion requires `DATABASE_URL` plus a bound purchase topic via `/bind_purchase_topic`
-  - anonymous feedback requires `DATABASE_URL` plus a bound feedback topic via `/bind_feedback_topic`
-  - reminders require `DATABASE_URL` plus `SCHEDULER_SHARED_SECRET` or `SCHEDULER_OIDC_ALLOWED_EMAILS`
+  - mini app auth and mini app API routes require `APP_DATABASE_URL`
+  - finance commands require `WORKER_DATABASE_URL` plus household setup in Telegram via `/setup`
+  - purchase ingestion requires `WORKER_DATABASE_URL` plus a bound purchase topic via `/bind_purchase_topic`
+  - anonymous feedback requires `WORKER_DATABASE_URL` plus a bound feedback topic via `/bind_feedback_topic`
+  - reminders require `WORKER_DATABASE_URL` plus `SCHEDULER_SHARED_SECRET` or `SCHEDULER_OIDC_ALLOWED_EMAILS`
     and optionally use a dedicated reminders topic via `/bind_reminders_topic`
-  - mini app CORS can be constrained with `MINI_APP_ALLOWED_ORIGINS`
+  - mini app CORS must be set explicitly with `MINI_APP_ALLOWED_ORIGINS`
 - Migration workflow is documented in `docs/runbooks/migrations.md`.
 - Destructive dev reset guidance is documented in `docs/runbooks/dev-reset.md`.
 - First deploy flow is documented in `docs/runbooks/first-deploy.md`.

docs/runbooks/first-deploy.md

@@ -12,7 +12,10 @@ Execute the first real deployment with a repeatable sequence that covers infrast
   - GCP project
   - GitHub repo settings
   - Telegram bot token
-  - Supabase project and database URL
+  - Supabase project and three database URLs:
+    - owner `DATABASE_URL` for migrations only
+    - `APP_DATABASE_URL` for authenticated request paths
+    - `WORKER_DATABASE_URL` for bot and scheduler workers
 
 ## Required Configuration Inventory
 
@@ -28,7 +31,8 @@ Required in your environment `*.tfvars`:
 
 Recommended:
 
-- `database_url_secret_id = "database-url"`
+- `app_database_url_secret_id = "app-database-url"`
+- `worker_database_url_secret_id = "worker-database-url"`
 - `telegram_bot_token_secret_id = "telegram-bot-token"`
 - `openai_api_key_secret_id = "openai-api-key"`
 - `bot_mini_app_allowed_origins`
@@ -46,10 +50,9 @@ Create the secret resources via Terraform, then add secret versions for:
 - `telegram-bot-token`
 - `telegram-webhook-secret`
 - `scheduler-shared-secret`
-- `database-url`
+- `app-database-url`
+- `worker-database-url`
 - optional `openai-api-key`
-- optional `supabase-url`
-- optional `supabase-publishable-key`
 
 ### GitHub Actions secrets
 
@@ -129,15 +132,19 @@ Use the real project ID from Terraform variables:
 echo -n "<telegram-bot-token>" | gcloud secrets versions add telegram-bot-token --data-file=- --project <project_id>
 echo -n "<telegram-webhook-secret>" | gcloud secrets versions add telegram-webhook-secret --data-file=- --project <project_id>
 echo -n "<scheduler-shared-secret>" | gcloud secrets versions add scheduler-shared-secret --data-file=- --project <project_id>
-echo -n "<database-url>" | gcloud secrets versions add database-url --data-file=- --project <project_id>
+echo -n "<app-database-url>" | gcloud secrets versions add app-database-url --data-file=- --project <project_id>
+echo -n "<worker-database-url>" | gcloud secrets versions add worker-database-url --data-file=- --project <project_id>
 ```
 
 Add optional secret versions only if those integrations are enabled.
 
-For a functional household dev deployment, set `database_url_secret_id = "database-url"` in
-`dev.tfvars` before the apply that creates the Cloud Run services. Otherwise the bot deploys
-without `DATABASE_URL`, and finance commands, reminders, mini app auth/dashboard, and anonymous
-feedback remain disabled.
+For a functional household deployment, set both `app_database_url_secret_id` and
+`worker_database_url_secret_id` in `dev.tfvars` before the apply that creates the Cloud Run
+services. Otherwise the bot deploys without `APP_DATABASE_URL` and `WORKER_DATABASE_URL`, and mini
+app auth, finance commands, reminders, purchase ingestion, and anonymous feedback remain disabled.
+
+Keep `DATABASE_URL` out of normal runtime secrets. It is only required in GitHub Actions for the
+migration step that runs before deploy.
 
 Keep `telegram_bot_token_secret_id = "telegram-bot-token"` aligned with the actual bot token
 secret name. CD uses that secret to sync the Telegram command menu after deploy.
@@ -218,6 +225,9 @@ The smoke script verifies:
 - scheduler endpoint rejects unauthenticated requests
 - Telegram webhook matches the expected URL when bot token is provided
 
+Production deploys should also set `MINI_APP_ALLOWED_ORIGINS` explicitly. The browser path remains
+bot API only; there is no supported direct browser access to Supabase.
+
 ## Phase 8: Scheduler Enablement
 
 First release:

docs/runbooks/migrations.md

@@ -47,9 +47,16 @@ bun run build
 
 ## CD behavior
 
-- CD deploy runs migrations before deploy and now requires the `DATABASE_URL` GitHub secret.
+- CD deploy runs migrations before deploy and requires the owner-only `DATABASE_URL` GitHub secret.
 - If `DATABASE_URL` is missing, CD fails fast instead of deploying schema-dependent code without migrations.
 
+## Runtime connection split
+
+- `DATABASE_URL` is for migrations, schema checks, and other owner-only maintenance tasks.
+- `APP_DATABASE_URL` is for authenticated request paths such as mini app routes.
+- `WORKER_DATABASE_URL` is for Telegram ingestion, reminders, scheduler jobs, and other internal worker flows.
+- Runtime services should not use `DATABASE_URL`.
+
 ## Safety rules
 
 - Prefer additive migrations first (new columns/tables) over destructive changes.