rglauco cuts Mike loose from Supabase

Adds an optional AUTH_MODE=local that replaces Supabase with:
- Local PostgreSQL (via pg) for all data storage
- Custom JWT auth (bcrypt + jsonwebtoken) via /auth/login and /auth/register
- PgAdapter: a thin Supabase-compatible query builder over pg.Pool
- DbClient abstraction so all route files work in both modes unchanged

Infrastructure:
- backend/Dockerfile and frontend/Dockerfile for containerised builds
- compose.yml: frontend + backend + postgres with named volumes for persistence
- docker/postgres/init.sql: full schema without Supabase-specific auth tables
- .env.example at repo root with compose variables

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

AuthContext reads localStorage once on mount. After localSignIn() stores
the JWT, the context still had user=null, so the layout redirected back
to /login.

Fix: expose refreshAuth() in the context and call it immediately after
localSignIn/localSignUp so the state is updated before router.push().

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

createClient("", "") throws when NEXT_PUBLIC_SUPABASE_URL is not set,
crashing any page that imports supabase. Two fixes:

1. supabase.ts: use dummy localhost URL when Supabase is not configured
   so the module loads safely; add getSessionToken() that returns the
   local JWT or Supabase session token based on NEXT_PUBLIC_AUTH_MODE.

2. Replace all supabase.auth.getSession() calls in hooks and components
   with getSessionToken() so they work in both auth modes.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Three bugs in local/Docker mode:

1. PgAdapter.maybeSingle() returned the full rows array instead of a
   single row because _run() only checked _singleMode, not
   _maybeSingleMode. All routes using maybeSingle() got an array back
   and treated it as "not found" → "Chat not found" on every POST /chat.

2. JavaScript arrays passed to pg as query parameters are formatted as
   PostgreSQL array literals {a,b} which is invalid for jsonb columns.
   Fixed in PgAdapter insert/update to JSON.stringify arrays before
   binding.

3. Plain strings inserted into jsonb columns (chat_messages.content for
   user messages) are not valid JSON, causing the INSERT to fail
   silently. Fixed by JSON.stringify-ing string content in chat.ts,
   projectChat.ts and tabular.ts before the INSERT.

Also added missing `workflow jsonb` column to chat_messages in both
init.sql and schema.sql - the backend was already inserting this field.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Two bugs:

1. PgAdapter upsert with only the conflict column (e.g. upsert({ user_id })
   on conflict user_id) produced "DO UPDATE SET " with an empty SET
   clause - invalid SQL. Now falls through to DO NOTHING when updateCols
   is empty, and supports the Supabase ignoreDuplicates:true option.
   This fixed "syntax error at end of input" on ensureProfileRow calls.

2. resolveTitleModel checked "apiKeys.ollama !== undefined" to detect
   Ollama, but the apiKeys object always initialises ollama: null (not
   undefined), so the condition was always true - every user with no cloud
   keys got title_model = local-gemma-26b which doesn't exist on Ollama.
   Fixed to check hasEnvOllama() || key.trim(), and when Ollama is the
   provider, reuse the user's configured tabular model (which they know is
   installed) instead of a hardcoded default.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>