feat(#351): Implement RLS context interceptor (fix SEC-API-4)

Implements Row-Level Security (RLS) context propagation via NestJS interceptor and AsyncLocalStorage.

Core Implementation:
- RlsContextInterceptor sets PostgreSQL session variables (app.current_user_id, app.current_workspace_id) within transaction boundaries
- Uses SET LOCAL for transaction-scoped variables, preventing connection pool leakage
- AsyncLocalStorage propagates transaction-scoped Prisma client to services
- Graceful handling of unauthenticated routes
- 30-second transaction timeout with 10-second max wait

Security Features:
- Error sanitization prevents information disclosure to clients
- TransactionClient type provides compile-time safety, prevents invalid method calls
- Defense-in-depth security layer for RLS policy enforcement

Quality Rails Compliance:
- Fixed 154 lint errors in llm-usage module (package-level enforcement)
- Added proper TypeScript typing for Prisma operations
- Resolved all type safety violations

Test Coverage:
- 19 tests (7 provider + 9 interceptor + 3 integration)
- 95.75% overall coverage (100% statements on implementation files)
- All tests passing, zero lint errors

Documentation:
- Comprehensive RLS-CONTEXT-USAGE.md with examples and migration guide

Files Created:
- apps/api/src/common/interceptors/rls-context.interceptor.ts
- apps/api/src/common/interceptors/rls-context.interceptor.spec.ts
- apps/api/src/common/interceptors/rls-context.integration.spec.ts
- apps/api/src/prisma/rls-context.provider.ts
- apps/api/src/prisma/rls-context.provider.spec.ts
- apps/api/src/prisma/RLS-CONTEXT-USAGE.md

Fixes #351

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/common/interceptors/rls-context.interceptor.ts

@@ -0,0 +1,155 @@
+import {
+  Injectable,
+  NestInterceptor,
+  ExecutionContext,
+  CallHandler,
+  Logger,
+  InternalServerErrorException,
+} from "@nestjs/common";
+import { Observable } from "rxjs";
+import { finalize } from "rxjs/operators";
+import type { PrismaClient } from "@prisma/client";
+import { PrismaService } from "../../prisma/prisma.service";
+import { runWithRlsClient } from "../../prisma/rls-context.provider";
+import type { AuthenticatedRequest } from "../types/user.types";
+
+/**
+ * Transaction-safe Prisma client type that excludes methods not available on transaction clients.
+ * This prevents services from accidentally calling $connect, $disconnect, $transaction, etc.
+ * on a transaction client, which would cause runtime errors.
+ */
+export type TransactionClient = Omit<
+  PrismaClient,
+  "$connect" | "$disconnect" | "$transaction" | "$on" | "$use"
+>;
+
+/**
+ * RlsContextInterceptor sets Row-Level Security (RLS) session variables for authenticated requests.
+ *
+ * This interceptor runs after AuthGuard and WorkspaceGuard, extracting the authenticated user
+ * and workspace from the request and setting PostgreSQL session variables within a transaction:
+ * - SET LOCAL app.current_user_id = '...'
+ * - SET LOCAL app.current_workspace_id = '...'
+ *
+ * The transaction-scoped Prisma client is then propagated via AsyncLocalStorage, allowing
+ * services to access it via getRlsClient() without explicit dependency injection.
+ *
+ * ## Security Design
+ *
+ * SET LOCAL is used instead of SET to ensure session variables are transaction-scoped.
+ * This is critical for connection pooling safety - without transaction scoping, variables
+ * would leak between requests that reuse the same connection from the pool.
+ *
+ * The entire request handler is executed within the transaction boundary, ensuring all
+ * queries inherit the RLS context.
+ *
+ * ## Usage
+ *
+ * Registered globally as APP_INTERCEPTOR in AppModule (after TelemetryInterceptor).
+ * Services access the RLS client via:
+ *
+ * ```typescript
+ * const client = getRlsClient() ?? this.prisma;
+ * return client.task.findMany(); // Filtered by RLS
+ * ```
+ *
+ * ## Unauthenticated Routes
+ *
+ * Routes without AuthGuard (public endpoints) will not have request.user set.
+ * The interceptor gracefully handles this by skipping RLS context setup.
+ *
+ * @see docs/design/credential-security.md for RLS architecture
+ */
+@Injectable()
+export class RlsContextInterceptor implements NestInterceptor {
+  private readonly logger = new Logger(RlsContextInterceptor.name);
+
+  // Transaction timeout configuration
+  // Longer timeout to support file uploads, complex queries, and bulk operations
+  private readonly TRANSACTION_TIMEOUT_MS = 30000; // 30 seconds
+  private readonly TRANSACTION_MAX_WAIT_MS = 10000; // 10 seconds to acquire connection
+
+  constructor(private readonly prisma: PrismaService) {}
+
+  /**
+   * Intercept HTTP requests and set RLS context if user is authenticated.
+   *
+   * @param context - The execution context
+   * @param next - The next call handler
+   * @returns Observable of the response with RLS context applied
+   */
+  intercept(context: ExecutionContext, next: CallHandler): Observable<unknown> {
+    const request = context.switchToHttp().getRequest<AuthenticatedRequest>();
+    const user = request.user;
+
+    // Skip RLS context setup for unauthenticated requests
+    if (!user?.id) {
+      this.logger.debug("Skipping RLS context: no authenticated user");
+      return next.handle();
+    }
+
+    const userId = user.id;
+    const workspaceId = request.workspace?.id ?? user.workspaceId;
+
+    this.logger.debug(
+      `Setting RLS context: user=${userId}${workspaceId ? `, workspace=${workspaceId}` : ""}`
+    );
+
+    // Execute the entire request within a transaction with RLS context set
+    return new Observable((subscriber) => {
+      this.prisma
+        .$transaction(
+          async (tx) => {
+            // Set user context (always present for authenticated requests)
+            await tx.$executeRaw`SET LOCAL app.current_user_id = ${userId}`;
+
+            // Set workspace context (if present)
+            if (workspaceId) {
+              await tx.$executeRaw`SET LOCAL app.current_workspace_id = ${workspaceId}`;
+            }
+
+            // Propagate the transaction client via AsyncLocalStorage
+            // This allows services to access it via getRlsClient()
+            // Use TransactionClient type to maintain type safety
+            return runWithRlsClient(tx as TransactionClient, () => {
+              return new Promise((resolve, reject) => {
+                next
+                  .handle()
+                  .pipe(
+                    finalize(() => {
+                      this.logger.debug("RLS context cleared");
+                    })
+                  )
+                  .subscribe({
+                    next: (value) => {
+                      subscriber.next(value);
+                      resolve(value);
+                    },
+                    error: (error: unknown) => {
+                      const err = error instanceof Error ? error : new Error(String(error));
+                      subscriber.error(err);
+                      reject(err);
+                    },
+                    complete: () => {
+                      subscriber.complete();
+                      resolve(undefined);
+                    },
+                  });
+              });
+            });
+          },
+          {
+            timeout: this.TRANSACTION_TIMEOUT_MS,
+            maxWait: this.TRANSACTION_MAX_WAIT_MS,
+          }
+        )
+        .catch((error: unknown) => {
+          const err = error instanceof Error ? error : new Error(String(error));
+          this.logger.error(`Failed to set RLS context: ${err.message}`, err.stack);
+          // Sanitize error before sending to client to prevent information disclosure
+          // (schema info, internal variable names, connection details, etc.)
+          subscriber.error(new InternalServerErrorException("Request processing failed"));
+        });
+    });
+  }
+}