Compare commits
1 Commits
feat/l1-ai
...
docs/updat
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
1c6e22ceb3 |
@@ -9,6 +9,7 @@ All notable changes to ResolutionFlow are documented here.
|
||||
- Recurring Issue Detection — client-specific pattern alerts (#60)
|
||||
- Step Feedback Flag — "This Step is Wrong" reporting (#58)
|
||||
- **Tenant Isolation Phase 0** — multi-tenant data isolation (#132) with app-layer filtering helpers (`tenant_filter()`, `get_tenant_context`), cross-tenant access audit (analytics, categories, AI sessions, trees), UUID endpoint isolation with 404 responses for unauthorized access, ownership checks on all sensitive operations, and CI grep gate for missing tenant filters
|
||||
- **Tenant Isolation Phase 1** — PostgreSQL Row-Level Security (RLS) enforcement across all core tables (trees, tags, categories, psa_connections, flow_proposals) with database role separation (`resolutionflow_app` for user operations, `resolutionflow_admin` with BYPASSRLS for admin endpoints), admin database engine isolation, tenant context via `ContextVar` with automatic transaction-scoped enforcement, `account_id` column backfill on 35+ tables (sessions, AI branching, PSA, notifications, scripts, targets, folders), global content separation via platform account, fresh-DB migration order fixes
|
||||
- **Script Library default view** — "All Scripts" tab now displays all accessible scripts (team + library)
|
||||
- **Session documentation overhaul** — reformatted PSA resolution/escalation notes with cleaner headers, inline engineer responses, decimal hour display (0.25 hrs), follow-up recommendations, and improved "What We Know" section from evidence items
|
||||
- **Client communication improvements** — new `request_info` audience type for client-facing information requests, improved status update and email draft prompts with per-context guidance
|
||||
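Review bot: The Tenant Isolation Phase 1 entry says RLS is enforced "across all core tables" but names only five (trees, tags, categories, psa_connections, flow_proposals), while the same sentence says `account_id` was backfilled on 35+ tables. It is unclear whether the backfilled tables (sessions, AI branching, PSA, notifications, scripts, targets, folders) are protected by RLS policies or still rely only on the Phase 0 app-layer `tenant_filter()`. Please state that explicitly, since readers will use this line to judge where the database enforces the boundary. The entry also carries no issue reference, unlike Phase 0 (#132). It would read better split into sub-bullets: RLS scope, role separation, `ContextVar` tenant context, backfill, and migration order fixes.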
@@ -23,6 +24,7 @@ All notable changes to ResolutionFlow are documented here.
|
||||
- **Assistant Chat session actions** — moved Pause/Resume/Close actions from action bar to page header for consistency with FlowPilot
|
||||
- **Design system token normalization** — unified FlowPilot, AssistantChat, and ScriptBuilder components to use consistent design tokens
|
||||
- **Tenant data boundaries** — all session and tree endpoints now return 404 (not 403) for cross-tenant access attempts to avoid confirming resource existence
|
||||
- **Admin database routing** — privileged operations (analytics, user management) now bypass RLS via dedicated admin engine
|
||||
|
||||
### Fixed
|
||||
- **CRITICAL: Copilot tree query isolation** (#131) — user could access any tree UUID if known, exposing full tree structure to AI. Now scoped to current account with 404 for inaccessible trees.
|
||||
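Review bot: The Admin database routing entry says privileged operations "(analytics, user management) now bypass RLS via dedicated admin engine" without saying what restricts access to that engine. Analytics is also listed in the Phase 0 cross-tenant access audit, so a reader cannot tell whether analytics queries on the admin engine are still tenant-scoped in the application layer or are limited to admin-only endpoints. Suggest adding a clause naming the gate (for example, which endpoints or roles can reach the admin engine) and an issue number, as the neighbouring CRITICAL entry does with (#131).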
@@ -41,6 +43,7 @@ All notable changes to ResolutionFlow are documented here.
|
||||
- Task Lane stale data when creating new chat or resuming from concluded session
|
||||
- Chat ref invalidation race condition between handleNewChat and async data loads
|
||||
- Images now properly display in chat message history instead of blank placeholders
|
||||
- Non-default, no-team trees now properly handled in global content migration
|
||||
|
||||
---
|
||||
|
||||
|
||||
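Review bot: The entry "Non-default, no-team trees now properly handled in global content migration" does not say what the incorrect behaviour was or what "properly handled" means for those rows. For a fix that touches a tenant-isolation migration, the changelog should state the outcome (which account such trees end up under) and whether databases that already ran the earlier migration need any remediation. An issue or PR reference would also help, since the other isolation fix in this file cites one (#131).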