feat: replace mock agency detail flows and add schema isolation tests

Author: brianfunk

docs/plan/M01-schema-and-contract-reconciliation.md

@@ -26,8 +26,8 @@ Align database schema/RPC contracts with application code expectations.
 
 ## Acceptance criteria
 
-- [ ] Frontend no longer references non-existent schema objects.
-- [ ] Core RPC calls resolve at runtime.
+- [x] Frontend no longer references non-existent schema objects.
+- [x] Core RPC calls resolve at runtime.
 - [ ] Migration applies cleanly on a fresh database.
 
 ## Risks/blockers
@@ -50,3 +50,5 @@ Align database schema/RPC contracts with application code expectations.
 - 2026-02-11: Added follow-up migration `20260211000300_api_rate_limiting.sql` for reusable API route throttling primitives (`api_rate_limits`, `check_api_rate_limit`).
 - 2026-02-11: Added follow-up migration `20260211000400_agency_rls_reconciliation.sql` to align dockets/comments/legacy attachments RLS with agency membership and platform role model.
 - 2026-02-11: Added follow-up migration `20260211000500_security_audit_and_abuse_events.sql` to introduce immutable audit trails and abuse-event telemetry primitives.
+- 2026-02-11: Added automated contract test `tests/schema-contracts.test.js` validating all `.from()` and `.rpc()` references in app/edge code map to objects defined by migrations.
+- 2026-02-11: Attempted fresh local migration validation with `supabase db reset --local --yes`; blocked because Docker daemon is unavailable in current environment.

docs/plan/M02-auth-rbac-and-multi-tenancy.md

@@ -18,7 +18,7 @@ Implement real agency membership and permission checks with tenant isolation.
 - [x] Update agency context to load memberships from `agency_members`.
 - [x] Update permissions hook to use real memberships.
 - [x] Ensure platform roles are loaded from `platform_roles`.
-- [ ] Add tests for tenant isolation assumptions.
+- [x] Add tests for tenant isolation assumptions.
 
 ## Acceptance criteria
 
@@ -39,3 +39,4 @@ Implement real agency membership and permission checks with tenant isolation.
 - 2026-02-11: Replaced mocked agency context loading with real membership queries from `agency_members` joined to `agencies`.
 - 2026-02-11: Updated permission hook to derive role/capabilities from real membership records with legacy fallback behavior only when needed.
 - 2026-02-11: Updated auth context bootstrapping to load `platform_roles` during session initialization.
+- 2026-02-11: Added `tests/tenant-isolation-policies.test.js` to verify RLS enablement and tenant predicates exist across agency-scoped tables.

docs/plan/M03-agency-operations.md

@@ -41,3 +41,5 @@ Replace mock agency workflows with real data operations.
 - 2026-02-11: Replaced mock data in `src/pages/agency/DocketList.tsx` with real Supabase queries scoped to current agency membership.
 - 2026-02-11: Implemented real docket creation in `src/pages/agency/DocketWizard.tsx` including identity-mode, moderation/captcha settings, and best-effort supporting document persistence.
 - 2026-02-11: Updated moderation logic to canonical comment statuses (`under_review`/`published`) with compatibility mapping for legacy values and persisted moderation logging.
+- 2026-02-11: Replaced mock agency dashboard data in `src/pages/agency/AgencyDashboard.tsx` with real agency analytics, moderation queue, and docket summary queries.
+- 2026-02-11: Replaced mock docket detail workflow in `src/pages/agency/DocketDetail.tsx` with real Supabase reads/writes, moderation actions, supporting-document retrieval, and audit/moderation activity history.