feat(supabase): postgrest data-api resolver

[jaylann]

Summary

• Adds SupabasePostgrestResolver (name="supabase_postgrest") — the tabular complement to the auth (feat: supabase auth resolver (auth.users) #56) and storage (feat: supabase storage resolver #57) resolvers: reaches a subject's PII in PostgREST-exposed application tables (/rest/v1/...), driven by an explicit, auditable list of PostgrestTable/PostgrestColumn declarations (no schema discovery).
• Generalizes errors.raise_for_taxonomy with a system= label so the shared taxonomy names the rejecting Supabase surface; auth keeps its exact message.
• Attests an AttestingResolver covered surface built from the declared columns; passes the shared ResolverConformanceSuite; property tests pin no-bleed and idempotent convergence.
• Closes feat: supabase postgrest resolver #70.

Erasure/export semantics

No change to what any existing resolver deletes or exports — this is purely additive (a new resolver, new ref kind supabase_postgrest). MINOR feat:.

New surface introduced by this resolver:

• Export (Art. 15): per declared table, GET /rest/v1/{table}?{subject_column}=eq.{id}&select=... → one ExportRecord per populated declared column, sourced under the table name. Null/missing cells are skipped.
• Erase (Art. 17): per declared table, DELETE /rest/v1/{table}?{subject_column}=eq.{id} with Prefer: return=representation. An empty representation across every declared table ⇒ already_absent=True (PostgREST signals no-match with an empty array, not a 404). The subject id rides httpx params as eq.<id> and is matched literally — a hostile id (/, .., ,, spaces) never widens the filter or targets a sibling stem (pinned by a unit test + property tests).

Adding/recategorising a declared column changes that deployment's export surface; the config list is the auditable record of what the resolver reaches.

Risk

Low. Self-contained new module; no core changes. Empty tables raises ConfigurationError (no degraded mode). Service-role key bypasses RLS — documented server-side-only. Fresh httpx client per call (ADR 0006), no cached loop-bound state. Rollback = revert the commit; nothing else depends on it.

⚠️ CI note: an unrelated, pre-existing failure on stage — test_resurrecting_a_row_deleted_row_flips_verified (a test-helper bug in #128 for composite-FK schemas) — may show red here. Tracked in #140; not caused by this PR (reproduces on stage with none of these changes).

Checklist

• Targets stage (never main)
• PR title is Conventional Commits
• All commits DCO signed-off
• just check and just test green locally (modulo the unrelated test: composite-FK schema falsifies test_resurrecting_a_row_deleted_row_flips_verified #140 failure)
• Tests added — erasure/export paths prove no cross-subject bleed (property + unit)
• Public API has Google-style docstrings
• Manifest format untouched
• type:* + area:* labels set