fix(#411): complete 2026-02-17 remediation sweep

Apply RLS context at task service boundaries, harden orchestrator/web integration and session startup behavior, re-enable targeted frontend tests, and lock vulnerable transitive dependencies so QA and security gates pass cleanly.

apps/api/src/prisma/prisma.service.ts

@@ -3,6 +3,7 @@ import { PrismaClient } from "@prisma/client";
 import { VaultService } from "../vault/vault.service";
 import { createAccountEncryptionExtension } from "./account-encryption.extension";
 import { createLlmEncryptionExtension } from "./llm-encryption.extension";
+import { getRlsClient } from "./rls-context.provider";
 
 /**
  * Prisma service that manages database connection lifecycle
@@ -177,6 +178,13 @@ export class PrismaService extends PrismaClient implements OnModuleInit, OnModul
     workspaceId: string,
     fn: (tx: PrismaClient) => Promise<T>
   ): Promise<T> {
+    const rlsClient = getRlsClient();
+
+    if (rlsClient) {
+      await this.setWorkspaceContext(userId, workspaceId, rlsClient as unknown as PrismaClient);
+      return fn(rlsClient as unknown as PrismaClient);
+    }
+
     return this.$transaction(async (tx) => {
       await this.setWorkspaceContext(userId, workspaceId, tx as PrismaClient);
       return fn(tx as PrismaClient);