fix: add Alembic migrations step + RLS env vars to CI

- Run alembic upgrade head before tests so DB roles and RLS policies exist
- Set TEST_DB_NAME=resolutionflow_test so test_rls_isolation.py connects to
  the correct database (was defaulting to patherly_test which doesn't exist in CI)
- Set DB_APP_ROLE_PASSWORD so create_db_roles migration creates resolutionflow_app
  with a known password that the RLS isolation tests can connect with

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/ci.yml

@@ -31,6 +31,8 @@ jobs:
       SECRET_KEY: ci-test-secret-key-not-for-production
       DEBUG: "true"
       APP_NAME: ResolutionFlow
+      TEST_DB_NAME: resolutionflow_test
+      DB_APP_ROLE_PASSWORD: app_secret_ci
 
     steps:
       - uses: actions/checkout@v5
@@ -47,6 +49,9 @@ jobs:
       - name: Install dependencies
         run: pip install -r backend/requirements.txt -r backend/requirements-dev.txt
 
+      - name: Run Alembic migrations
+        run: cd backend && alembic upgrade head
+
       - name: Check tenant filter enforcement
         run: cd backend && python scripts/check_tenant_filters.py
         # Warn mode only (exits 0). Switch to --fail after Phase 1 backlog clears.