Add CI pipeline, test suite, and finance-fork infrastructure

✅ merged · #1 · Archibald312/GordonOSS ← Archibald312/GordonOSS · opened 12d ago by Archibald312 · merged 12d ago by Archibald312 · self · +7,449 -588 across 45 files

From the PR description

Summary

  • GitHub Actions CI - 4 parallel jobs on every push to main and every PR: lint (ESLint), test-unit (vitest), test-e2e (Playwright/Chromium), audit (npm audit --audit-level=high). Uploads test artifacts on failure. Cancels in-progress runs on rapid PR pushes.
  • Backend unit tests - 57 vitest tests across auth middleware, project/doc/review access guards, free-tier LLM guard, and AES-256-GCM API key encryption. All mocked, no real Supabase calls, runs in <1s.
  • ESLint v9 flat config - typescript-eslint, intentionally permissive on day one so CI doesn't block on existing style.
  • Playwright e2e suite - 5 specs (auth, projects, documents, chat, tabular) running against real dev servers on CI's 16 GB Linux runners.
  • Free-tier LLM guard - prevents customer documents from being sent to free-tier Gemini models unless explicitly allowlisted via env vars.
  • Turbopack workspace root fix - pins turbopack.root to frontend/ to prevent Turbopack from climbing to the repo root, picking up the e2e lockfile, and OOMing the dev server.
  • FORK.md - documents upstream/fork relationship, DO NOT PR TO UPSTREAM warning, branch conventions, hard-fork strategy, and AGPL-3.0 obligations.
  • npm audit fix - resolved 3 high-severity transitive vulns (xmldom, fast-xml-builder, protobufjs).

Before merging

  • Add the 7 required secrets in Settings → Secrets and variables → Actions (see ci.yml header for the full list)
  • Confirm CI passes on this PR
  • After merge, enable branch protection: Settings → Branches → main → require lint, test-unit, test-e2e, audit
  • Rotate Supabase test service_role key and Gemini test key
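
The free-tier LLM guard from the summary, sketched as an added example that is not code from this PR or from GordonOSS. The env var name FREE_TIER_MODEL_ALLOWLIST, the model ids and the function names are assumptions; any model not known to be paid is treated as free tier, so unknown ids fail closed.

```javascript
// Hypothetical names throughout: the env var, model ids and function names
// are illustrative and do not come from the GordonOSS code base.
const ALLOWLIST_ENV = "FREE_TIER_MODEL_ALLOWLIST";

// Constructed sample: model ids this deployment serves from a paid key.
// Anything not listed is treated as free tier, so new or misspelled ids fail closed.
const PAID_TIER_MODELS = new Set(["gemini-paid-example"]);

// Model names may arrive as "models/<id>" or with stray case and whitespace;
// compare one canonical form so the guard cannot be sidestepped by spelling.
function normalizeModel(id) {
  return String(id || "").trim().toLowerCase().replace(/^models\//, "");
}

// Parse the comma-separated allowlist. A "*" entry is ignored on purpose:
// every free-tier model that may see customer data has to be named.
function parseAllowlist(env) {
  return new Set(
    String(env[ALLOWLIST_ENV] || "")
      .split(",")
      .map(normalizeModel)
      .filter((m) => m && m !== "*")
  );
}

// Decide whether a request may be sent to `model`.
function checkLlmRequest(model, hasCustomerDocs, env) {
  const id = normalizeModel(model);
  if (!id) return { allowed: false, reason: "missing-model" };
  if (!hasCustomerDocs) return { allowed: true, reason: "no-customer-data" };
  if (PAID_TIER_MODELS.has(id)) return { allowed: true, reason: "paid-tier" };
  if (parseAllowlist(env).has(id)) return { allowed: true, reason: "allowlisted" };
  return { allowed: false, reason: "free-tier-blocked" };
}

// Throwing wrapper for the call site directly in front of the LLM client.
function assertLlmRequestAllowed(model, hasCustomerDocs, env = process.env) {
  const verdict = checkLlmRequest(model, hasCustomerDocs, env);
  if (!verdict.allowed) {
    const shown = normalizeModel(model) || "<none>";
    throw new Error(`LLM request blocked (${verdict.reason}): ${shown}`);
  }
  return verdict;
}
```
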

Our analysis

Stand up CI, backend tests, and LLM safety guard for the finance fork
