feat: The Other Dude v9.0.1 — full-featured email system

ci: add GitHub Pages deployment workflow for docs site

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/alembic/versions/022_rls_super_admin_devices.py

@@ -0,0 +1,49 @@
+"""Add super_admin bypass to devices, device_groups, device_tags RLS policies.
+
+Previously these tables only matched tenant_id, so super_admin context
+('super_admin') returned zero rows. Users/tenants tables already had
+the bypass — this brings device tables in line.
+
+Revision ID: 022
+Revises: 021
+Create Date: 2026-03-07
+"""
+
+import sqlalchemy as sa
+from alembic import op
+
+revision = "022"
+down_revision = "021"
+branch_labels = None
+depends_on = None
+
+# Tables that need super_admin bypass added to their RLS policy
+_TABLES = ["devices", "device_groups", "device_tags"]
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+    for table in _TABLES:
+        conn.execute(sa.text(f"DROP POLICY IF EXISTS tenant_isolation ON {table}"))
+        conn.execute(sa.text(f"""
+            CREATE POLICY tenant_isolation ON {table}
+            USING (
+                tenant_id::text = current_setting('app.current_tenant', true)
+                OR current_setting('app.current_tenant', true) = 'super_admin'
+            )
+            WITH CHECK (
+                tenant_id::text = current_setting('app.current_tenant', true)
+                OR current_setting('app.current_tenant', true) = 'super_admin'
+            )
+        """))
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+    for table in _TABLES:
+        conn.execute(sa.text(f"DROP POLICY IF EXISTS tenant_isolation ON {table}"))
+        conn.execute(sa.text(f"""
+            CREATE POLICY tenant_isolation ON {table}
+            USING (tenant_id::text = current_setting('app.current_tenant', true))
+            WITH CHECK (tenant_id::text = current_setting('app.current_tenant', true))
+        """))