Security hardening: enable RLS, sanitize errors, validate URLs, gate devtools#29

Open
devin-ai-integration[bot] wants to merge 2 commits into main from devin/1776222229-security-hardening

Conversation

devin-ai-integration[bot] commented Apr 15, 2026

Summary

Security audit and hardening pass across the codebase. The changes fall into five categories:

  1. Enable Supabase Row-Level Security — New migration (20260415_enable_rls_all_tables.sql) enables RLS on all 5 tables and creates CRUD policies for both the anon and authenticated roles. Since the app currently has no authentication flow and uses the anon key exclusively, both roles are granted access. The migration includes comments noting these should be tightened to authenticated-only (or row-owner checks like auth.uid() = owner_id) once an auth flow is added.

  2. Validate repo_url before rendering as link — ProjectDetail.tsx now checks that repo_url starts with http:// or https:// before rendering it in an <a href>. Non-HTTP URLs (e.g. javascript:) are rendered as plain text instead.

  3. Gate Zustand devtools to dev-only — All 4 stores (projects, tools, sessions, ui) now pass enabled: import.meta.env.DEV so Redux DevTools integration is stripped from production builds.

  4. Sanitize Supabase error messages — New src/lib/errors.ts helper (userFacingError) returns a generic message in production to avoid leaking internal table/column names. Applied to all error paths in projects, tools, and sessions stores.

  5. Hide ErrorBoundary stack traces in production — The <pre> block in ErrorBoundary.tsx is now gated behind import.meta.env.DEV.

Review & Testing Checklist for Human

  • RLS policies are intentionally permissive: The migration enables RLS but grants full access to both anon and authenticated roles — this is a deliberate stepping stone since the app has no auth flow yet. Verify this matches your intent. When you add authentication later, tighten these policies to authenticated-only or add row-owner checks.
  • Run the RLS migration against a staging/dev Supabase instance before production to confirm queries still return data as expected.
  • Test the repo_url display: Verify that projects with valid https:// URLs still render as clickable links, and that a hypothetical javascript: or malformed URL renders as plain text.
  • Verify production build: Run npm run build and confirm the app works — devtools should not appear, error toasts should show "Something went wrong", and the ErrorBoundary should not show stack traces.

Notes

  • ESLint passes clean, all 135 existing tests pass.
  • npm audit reports 0 vulnerabilities — no dependency changes in this PR.
  • The userFacingError helper intentionally shows a single generic message in production. If you want more granularity (e.g., network vs. validation errors), the helper can be extended later.
  • No new unit tests were added for the userFacingError helper or the URL validation regex — consider adding these if you'd like coverage on these paths.

Link to Devin session: https://app.devin.ai/sessions/460394d6b50548f194e1cd70a5a2e843
Requested by: @alecvdp


- Add Supabase migration enabling RLS on all tables with authenticated-only policies
- Validate repo_url protocol (http/https) before rendering as clickable link
- Gate Zustand devtools middleware behind import.meta.env.DEV
- Sanitize Supabase error messages in production via userFacingError helper
- Hide ErrorBoundary stack traces in production builds

Co-Authored-By: alecvdpoel <alecvdpoel@pm.me>

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

The app uses the Supabase anon key without any authentication flow.
Policies now grant access to both anon and authenticated roles so the
app continues to work.  Comment notes these should be tightened once
an auth flow is added.

Co-Authored-By: alecvdpoel <alecvdpoel@pm.me>