RLS + tenant isolation

Every shop-scoped table enforces row-level security. A query can only ever see the rows belonging to the authenticated shop.

  • All shop-scoped tables enforce RLS.
  • Two-shop isolation tests run on every release.
  • Service-role RPCs are the only path for privileged operations.

Shop A can never retrieve shop B’s data — this is verified automatically, not just by convention.
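
A sketch of what such a policy and two-shop isolation test can look like, added here as an illustration and not taken from the product's own schema or test suite. It assumes PostgreSQL, run from a superuser session in a scratch database; the table `orders`, column `shop_id`, role `app_user` and session setting `app.shop_id` are hypothetical names.

```sql
-- Assumptions (not from the page): PostgreSQL; orders, shop_id, app_user and
-- app.shop_id are hypothetical names. Everything is rolled back at the end.
BEGIN;
CREATE ROLE app_user NOLOGIN;
CREATE TABLE orders (
    id      bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    shop_id uuid    NOT NULL,
    total   numeric NOT NULL
);
GRANT SELECT, INSERT ON orders TO app_user;
-- Constructed sample rows: one order for shop A (...0a), one for shop B (...0b).
INSERT INTO orders (shop_id, total) VALUES
    ('00000000-0000-0000-0000-00000000000a', 10),
    ('00000000-0000-0000-0000-00000000000b', 20);

-- FORCE applies the policy to the table owner too; superusers and BYPASSRLS
-- roles still skip it, so the test below switches to an ordinary role.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;
-- USING filters reads; WITH CHECK rejects writes for another shop.
-- An unset app.shop_id yields NULL, so the predicate matches no rows.
CREATE POLICY shop_isolation ON orders
    USING      (shop_id = current_setting('app.shop_id', true)::uuid)
    WITH CHECK (shop_id = current_setting('app.shop_id', true)::uuid);

-- Two-shop isolation test: act as shop A, then try to reach shop B.
SET LOCAL ROLE app_user;
SELECT set_config('app.shop_id', '00000000-0000-0000-0000-00000000000a', true);
DO $$
BEGIN
    IF (SELECT count(*) FROM orders) <> 1 THEN
        RAISE EXCEPTION 'shop A should see exactly its own row';
    END IF;
    IF EXISTS (SELECT 1 FROM orders
               WHERE shop_id = '00000000-0000-0000-0000-00000000000b') THEN
        RAISE EXCEPTION 'isolation failure: shop A can read shop B rows';
    END IF;
    BEGIN
        INSERT INTO orders (shop_id, total)
        VALUES ('00000000-0000-0000-0000-00000000000b', 1);
        RAISE EXCEPTION 'isolation failure: shop A wrote a shop B row';
    EXCEPTION WHEN insufficient_privilege THEN
        NULL;  -- expected: the insert violates the WITH CHECK clause
    END;
END $$;
ROLLBACK;
```

The script finishes silently when isolation holds and aborts with an exception when it does not, which is what lets a release pipeline gate on it.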
