feat(#351): Implement RLS context interceptor (fix SEC-API-4)

Implements Row-Level Security (RLS) context propagation via NestJS interceptor and AsyncLocalStorage.

Core Implementation:
- RlsContextInterceptor sets PostgreSQL session variables (app.current_user_id, app.current_workspace_id) within transaction boundaries
- Uses SET LOCAL for transaction-scoped variables, preventing connection pool leakage
- AsyncLocalStorage propagates transaction-scoped Prisma client to services
- Graceful handling of unauthenticated routes
- 30-second transaction timeout with 10-second max wait

Security Features:
- Error sanitization prevents information disclosure to clients
- TransactionClient type provides compile-time safety, prevents invalid method calls
- Defense-in-depth security layer for RLS policy enforcement

Quality Rails Compliance:
- Fixed 154 lint errors in llm-usage module (package-level enforcement)
- Added proper TypeScript typing for Prisma operations
- Resolved all type safety violations

Test Coverage:
- 19 tests (7 provider + 9 interceptor + 3 integration)
- 95.75% overall coverage (100% statements on implementation files)
- All tests passing, zero lint errors

Documentation:
- Comprehensive RLS-CONTEXT-USAGE.md with examples and migration guide

Files Created:
- apps/api/src/common/interceptors/rls-context.interceptor.ts
- apps/api/src/common/interceptors/rls-context.interceptor.spec.ts
- apps/api/src/common/interceptors/rls-context.integration.spec.ts
- apps/api/src/prisma/rls-context.provider.ts
- apps/api/src/prisma/rls-context.provider.spec.ts
- apps/api/src/prisma/RLS-CONTEXT-USAGE.md

Fixes #351

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

apps/api/src/llm-usage/llm-usage.controller.ts

@@ -1,6 +1,7 @@
 import { Controller, Get, Param, Query } from "@nestjs/common";
+import type { LlmUsageLog } from "@prisma/client";
 import { LlmUsageService } from "./llm-usage.service";
-import type { UsageAnalyticsQueryDto } from "./dto";
+import type { UsageAnalyticsQueryDto, UsageAnalyticsResponseDto } from "./dto";
 
 /**
  * LLM Usage Controller
@@ -20,8 +21,10 @@ export class LlmUsageController {
    * @returns Aggregated usage analytics
    */
   @Get("analytics")
-  async getAnalytics(@Query() query: UsageAnalyticsQueryDto) {
-    const data = await this.llmUsageService.getUsageAnalytics(query);
+  async getAnalytics(
+    @Query() query: UsageAnalyticsQueryDto
+  ): Promise<{ data: UsageAnalyticsResponseDto }> {
+    const data: UsageAnalyticsResponseDto = await this.llmUsageService.getUsageAnalytics(query);
     return { data };
   }
 
@@ -32,8 +35,10 @@ export class LlmUsageController {
    * @returns Array of usage logs
    */
   @Get("by-workspace/:workspaceId")
-  async getUsageByWorkspace(@Param("workspaceId") workspaceId: string) {
-    const data = await this.llmUsageService.getUsageByWorkspace(workspaceId);
+  async getUsageByWorkspace(
+    @Param("workspaceId") workspaceId: string
+  ): Promise<{ data: LlmUsageLog[] }> {
+    const data: LlmUsageLog[] = await this.llmUsageService.getUsageByWorkspace(workspaceId);
     return { data };
   }
 
@@ -48,8 +53,11 @@ export class LlmUsageController {
   async getUsageByProvider(
     @Param("workspaceId") workspaceId: string,
     @Param("provider") provider: string
-  ) {
-    const data = await this.llmUsageService.getUsageByProvider(workspaceId, provider);
+  ): Promise<{ data: LlmUsageLog[] }> {
+    const data: LlmUsageLog[] = await this.llmUsageService.getUsageByProvider(
+      workspaceId,
+      provider
+    );
     return { data };
   }
 
@@ -61,8 +69,11 @@ export class LlmUsageController {
    * @returns Array of usage logs
    */
   @Get("by-workspace/:workspaceId/model/:model")
-  async getUsageByModel(@Param("workspaceId") workspaceId: string, @Param("model") model: string) {
-    const data = await this.llmUsageService.getUsageByModel(workspaceId, model);
+  async getUsageByModel(
+    @Param("workspaceId") workspaceId: string,
+    @Param("model") model: string
+  ): Promise<{ data: LlmUsageLog[] }> {
+    const data: LlmUsageLog[] = await this.llmUsageService.getUsageByModel(workspaceId, model);
     return { data };
   }
 }