Disclose database migrations and Supabase config

From the PR description

Part of the downstream AGPL disclosure. This PR isolates database migration and Supabase configuration changes for easier review.

Scope

• Database schema management, migration files, one-shot schema, Supabase local config, and package/env updates needed for migrations.
• Full disclosure PR: #127.

Migration System

• Adds node-pg-migrate scripts for migrating up, rolling back one migration, and creating new migrations.
• Adds migration dependencies and lockfile updates.
• Replaces the previous monolithic backend/schema.sql setup path.

Schema Changes

• Adds baseline migration scaffolding.
• Adds auth user lookup RPC support.
• Adds PDF conversion status fields.
• Adds UUID foreign key and billing cleanup changes.
• Adds review document count selection helpers.

Security and Account Lifecycle

• Adds RLS policies for cross-tenant protection.
• Adds workflow sharing checks.
• Adds encrypted API key schema support.
• Adds soft-delete user profile support.
• Adds account deletion job schema support.

Fresh Database Setup

• Adds backend/migrations/000_one_shot_schema.sql for fresh Supabase databases.
• Adds supabase/config.toml and supabase/.gitignore for local Supabase CLI workflows.

Environment Updates

• Documents direct DATABASE_URL usage for migration execution.
• Adds env slots for anon-key testing, encryption, restore tokens, and rate limiting.

Review Note

• Runtime code that consumes these schema changes is disclosed in #131, and frontend flows that expose them are disclosed in #128.