Integrate Access Scope with Supabase RLS JWT

Create an AuthSessionCoordinator class that is initialized at app startup (Riverpod app-level provider) and owns the wiring between auth, scope, and RLS. It listens to three streams: Supabase auth state changes (sign in/out), UnitAssignmentService.assignmentChangedStream, and a periodic token refresh timer (every 45 minutes as a safety net). On sign-in: await AccessScopeService.computeScope() then await RlsPolicyManager.refreshSessionClaims(). On AssignmentChanged: call both in sequence.

On sign-out: call AccessScopeService.clearCache() and RlsPolicyManager.clearCache(). The coordination between task-009 and task-006 is exactly this class — do not scatter the wiring across multiple widgets or BLoCs. For the retry-on-failure behavior, use an exponential backoff with a max of 3 retries before surfacing the warning. The Supabase Edge Function (update-jwt-claims) called by RlsPolicyManager should accept a trigger_type parameter ('login' | 'assignment_change') for server-side logging and audit purposes.

This is especially important for GDPR compliance given that scope changes affect what personal data (contacts, activities) is accessible.

Integration tests against a local Supabase instance with real RLS policies active: (1) login as coordinator assigned to unit-A → query activities filtered to unit-B → assert empty result; (2) login as national admin → query all activities → assert all returned; (3) trigger assignment change → assert JWT refreshed within 2s → query new unit data → assert visible. Unit tests for the wiring layer: mock AccessScopeService and RlsPolicyManager, assert refreshSessionClaims is called on login and on AssignmentChanged. Test retry logic for claim refresh failure. Use flutter_test and integration_test package.

Security regression test: hardcode a JWT with fabricated unit_ids claim and attempt a direct Supabase query — assert RLS blocks it (proves server-side enforcement).