feat(backend): add PostgreSQL schema, RLS policies, and multi-tenant middleware

- Add EF Core migrations for initial schema (clubs, members, work_items, shifts, shift_signups)
- Implement RLS policies with SET LOCAL for tenant isolation
- Add Finbuckle multi-tenant middleware with ClaimStrategy + HeaderStrategy fallback
- Create TenantValidationMiddleware to enforce JWT claims match X-Tenant-Id header
- Add tenant-aware DB interceptors (SaveChangesTenantInterceptor, TenantDbConnectionInterceptor)
- Configure AppDbContext with tenant scoping and RLS support
- Add test infrastructure: CustomWebApplicationFactory, TestAuthHandler, DatabaseFixture
- Write TDD integration tests for multi-tenant isolation and RLS enforcement
- Add health check null safety for connection string

Tasks: 7 (PostgreSQL schema + migrations + RLS), 8 (Finbuckle multi-tenancy + validation), 12 (test infrastructure)

backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs

@@ -0,0 +1,61 @@
+using System.Text.Json;
+
+namespace WorkClub.Api.Middleware;
+
+public class TenantValidationMiddleware
+{
+    private readonly RequestDelegate _next;
+
+    public TenantValidationMiddleware(RequestDelegate next)
+    {
+        _next = next;
+    }
+
+    public async Task InvokeAsync(HttpContext context)
+    {
+        if (!context.User.Identity?.IsAuthenticated ?? true)
+        {
+            await _next(context);
+            return;
+        }
+
+        if (!context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantIdHeader) || 
+            string.IsNullOrWhiteSpace(tenantIdHeader))
+        {
+            context.Response.StatusCode = StatusCodes.Status400BadRequest;
+            await context.Response.WriteAsJsonAsync(new { error = "X-Tenant-Id header is required" });
+            return;
+        }
+
+        var requestedTenantId = tenantIdHeader.ToString();
+        var clubsClaim = context.User.FindFirst("clubs")?.Value;
+
+        if (string.IsNullOrEmpty(clubsClaim))
+        {
+            context.Response.StatusCode = StatusCodes.Status403Forbidden;
+            await context.Response.WriteAsJsonAsync(new { error = "User does not have clubs claim" });
+            return;
+        }
+
+        Dictionary<string, string>? clubsDict;
+        try
+        {
+            clubsDict = JsonSerializer.Deserialize<Dictionary<string, string>>(clubsClaim);
+        }
+        catch (JsonException)
+        {
+            context.Response.StatusCode = StatusCodes.Status403Forbidden;
+            await context.Response.WriteAsJsonAsync(new { error = "Invalid clubs claim format" });
+            return;
+        }
+
+        if (clubsDict == null || !clubsDict.ContainsKey(requestedTenantId))
+        {
+            context.Response.StatusCode = StatusCodes.Status403Forbidden;
+            await context.Response.WriteAsJsonAsync(new { error = $"User is not a member of tenant {requestedTenantId}" });
+            return;
+        }
+
+        await _next(context);
+    }
+}

backend/WorkClub.Api/Program.cs

@@ -51,8 +51,16 @@ builder.Services.AddAuthorizationBuilder()
 builder.Services.AddDbContext<AppDbContext>(options =>
     options.UseNpgsql(builder.Configuration.GetConnectionString("DefaultConnection")));
 
-builder.Services.AddHealthChecks()
-    .AddNpgSql(builder.Configuration.GetConnectionString("DefaultConnection")!);
+var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
+if (!string.IsNullOrEmpty(connectionString))
+{
+    builder.Services.AddHealthChecks()
+        .AddNpgSql(connectionString);
+}
+else
+{
+    builder.Services.AddHealthChecks();
+}
 
 var app = builder.Build();
 

backend/WorkClub.Api/WorkClub.Api.csproj

@@ -13,6 +13,11 @@
     <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.0" />
     <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.0" />
     <PackageReference Include="Microsoft.EntityFrameworkCore" Version="10.0.3" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.3">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="10.0.3" />
   </ItemGroup>
 
   <ItemGroup>