fix(provisioning): prevent search_path pool contamination via SET LOCAL + RESET

- Change SET search_path to SET LOCAL in tenant schema template (002)
  so it reverts on COMMIT and doesn't contaminate the connection pool
- Add RESET search_path before queryRunner.release() as defensive measure
- Add ALTER TABLE public.tenants admin_email DROP NOT NULL to migration 007
  to sync the direct server change back to source

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

packages/shared/database/src/migrations/002-create-tenant-schema-template.sql

@@ -3,7 +3,7 @@
 
 CREATE SCHEMA IF NOT EXISTS it0_t_{TENANT_ID};
 
-SET search_path TO it0_t_{TENANT_ID};
+SET LOCAL search_path TO it0_t_{TENANT_ID};
 
 -- Agent Sessions
 CREATE TABLE agent_sessions (

packages/shared/database/src/migrations/007-add-phone-to-users.sql

@@ -1,5 +1,10 @@
 -- Add phone field to users tables (public schema + all tenant schemas)
 -- phone is nullable, unique when present
+-- Also make tenants.admin_email nullable (phone-only registrations have no email)
+
+-- 0. Make tenants.admin_email nullable
+ALTER TABLE public.tenants
+  ALTER COLUMN admin_email DROP NOT NULL;
 
 -- 1. Public schema users table (auth-service managed, platform admins & default tenant)
 ALTER TABLE public.users

packages/shared/database/src/tenant-provisioning.service.ts

@@ -44,9 +44,12 @@ export class TenantProvisioningService {
       }
 
       await queryRunner.commitTransaction();
+      // Reset search_path to prevent connection pool contamination
+      await queryRunner.query('RESET search_path');
       this.logger.log(`Tenant schema ${schemaName} provisioned successfully.`);
     } catch (err) {
       await queryRunner.rollbackTransaction();
+      await queryRunner.query('RESET search_path').catch(() => {});
       this.logger.error(`Failed to provision tenant ${tenantId}:`, err);
       throw err;
     } finally {