
Harden collection RLS policies #191

Open

zaixincheng174-ai wants to merge 1 commit into SebastienGosa:main from zaixincheng174-ai:codex/harden-collections-rls

Conversation

@zaixincheng174-ai

Proposed Changes

This addresses part of the RLS/security bounty scope in #100.

  • Enable row-level security for collections and collection_books.
  • Allow public reads only for published public-catalog collections: is_published = TRUE AND organization_id IS NULL.
  • Allow curators to read and manage only their own collection rows via curator_user_id = current_auth_uid().
  • Gate collection_books reads/writes through the parent collection ownership/publication policy so unpublished curator drafts and organization-scoped B2B collections are not directly readable through Supabase client roles.

Security Impact

collections already models curator-owned drafts and organization-scoped B2B rows through curator_user_id, is_published, and organization_id, but it did not have RLS enabled. collection_books can also expose the contents and notes of those collections. This keeps direct anon/authenticated access closed unless the row is explicitly a published public-catalog collection or belongs to the current curator.

Proof

Before this PR, database/schema.sql enabled RLS for users/library/annotations/sessions/subscriptions/donations, but not collections or collection_books. This PR adds both ALTER TABLE ... ENABLE ROW LEVEL SECURITY lines and explicit SELECT/INSERT/UPDATE/DELETE policies.

Validated locally:

  • git diff --check
  • Inspected policy lines in database/schema.sql after the patch

Unable to run a live schema apply locally because this environment does not have docker or psql installed.

Checklist

  • PR created against main
  • RLS/security change scoped to one SQL file
  • No secrets or payment data included
  • Proof/validation included

/claim #100
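The policy set the PR description outlines, written out as an added SQL example. This is not the PR's diff and not the project's database/schema.sql; it assumes a few things the PR page does not show: collections has a primary key id, collection_books has a collection_id column referencing collections.id, the Supabase client roles are named anon and authenticated, and current_auth_uid() returns the caller's auth user id as a uuid (NULL for anonymous callers). The example also goes one step beyond the description by spelling out the WITH CHECK clauses and a local smoke test, since the author could not run a live schema apply.

```sql
-- Added example, not the PR's schema.sql diff.
-- Assumptions (not on the PR page): collections.id is the primary key,
-- collection_books.collection_id references collections.id, roles anon and
-- authenticated exist, and current_auth_uid() returns the caller's auth id
-- as uuid (NULL when called as anon).

ALTER TABLE collections ENABLE ROW LEVEL SECURITY;
ALTER TABLE collection_books ENABLE ROW LEVEL SECURITY;

-- Public catalog: anyone may read a published collection that is not
-- organization-scoped. Policies are permissive by default, so this is ORed
-- with the curator SELECT policy below; it grants no writes.
CREATE POLICY collections_public_read ON collections
  FOR SELECT
  TO anon, authenticated
  USING (is_published = TRUE AND organization_id IS NULL);

-- Curator ownership: read own rows, including unpublished drafts and
-- organization-scoped rows the curator owns.
CREATE POLICY collections_curator_select ON collections
  FOR SELECT
  TO authenticated
  USING (curator_user_id = current_auth_uid());

-- INSERT only has WITH CHECK: a curator cannot create a row that names
-- someone else as curator_user_id.
CREATE POLICY collections_curator_insert ON collections
  FOR INSERT
  TO authenticated
  WITH CHECK (curator_user_id = current_auth_uid());

-- UPDATE needs both clauses: USING picks the rows the caller may touch,
-- WITH CHECK rejects an update that reassigns curator_user_id to another
-- user (without it, a curator could hand a row to anyone).
CREATE POLICY collections_curator_update ON collections
  FOR UPDATE
  TO authenticated
  USING (curator_user_id = current_auth_uid())
  WITH CHECK (curator_user_id = current_auth_uid());

CREATE POLICY collections_curator_delete ON collections
  FOR DELETE
  TO authenticated
  USING (curator_user_id = current_auth_uid());

-- collection_books: readable only when the parent collection is readable
-- (public catalog or own), writable only when the caller curates the parent.
-- The EXISTS subquery runs as the caller, so the parent's RLS applies to it
-- as well; the conditions are repeated here so the intent is explicit.
CREATE POLICY collection_books_read ON collection_books
  FOR SELECT
  TO anon, authenticated
  USING (EXISTS (
    SELECT 1 FROM collections c
    WHERE c.id = collection_books.collection_id
      AND ((c.is_published = TRUE AND c.organization_id IS NULL)
           OR c.curator_user_id = current_auth_uid())));

-- FOR ALL also covers SELECT, which is harmless here because the curator
-- condition is a strict subset of collection_books_read.
CREATE POLICY collection_books_curator_write ON collection_books
  FOR ALL
  TO authenticated
  USING (EXISTS (
    SELECT 1 FROM collections c
    WHERE c.id = collection_books.collection_id
      AND c.curator_user_id = current_auth_uid()))
  WITH CHECK (EXISTS (
    SELECT 1 FROM collections c
    WHERE c.id = collection_books.collection_id
      AND c.curator_user_id = current_auth_uid()));

-- Smoke test against a local Postgres (rolled back, changes nothing).
-- As anon, only published public-catalog rows and their books are visible;
-- an insert as anon must fail with "new row violates row-level security".
BEGIN;
SET LOCAL ROLE anon;
SELECT id FROM collections
 WHERE NOT (is_published = TRUE AND organization_id IS NULL);  -- expect 0 rows
SELECT count(*) FROM collection_books;                          -- public books only
ROLLBACK;
```

Two caveats when applying something like this: table owners and any role with BYPASSRLS are not restricted by these policies unless the table is also set to FORCE ROW LEVEL SECURITY, so a check run as the migration user proves nothing about the client roles; and testing the curator path requires setting whatever request context current_auth_uid() reads (for Supabase-style functions, the JWT claims setting), which depends on how that function is implemented in this schema.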
