fix: enable RLS for failed webhook events

[saurabhhhcodes]

Summary

• enables Row Level Security on failed_webhook_events
• intentionally adds no public policies so anon/authenticated clients are blocked by default
• keeps service-role retry/dead-letter workflows working, since service role bypasses RLS

Validation

• git diff --check
• inspected existing migration and service-role-only usages in webhook retry/process flows

Fixes #161

For GSSoC scoring, please add/keep GSSOC26, level:intermediate, and type:security.

[vercel]

Someone is attempting to deploy a commit to the codersogs-3057's projects Team on Vercel.

A member of the Team first needs to authorize it.

[github-actions]

Hey @saurabhhhcodes

You have 4 open PRs right now. The limit is 3 at a time.

Please get your existing PRs merged or closed before opening new ones:

• Add manual mentor PR verification #140 - Add manual mentor PR verification
• fix(issues): match repo filter case-insensitively #137 - fix(issues): match repo filter case-insensitively
• feat(xp): add suspicious XP flag audit #136 - feat(xp): add suspicious XP flag audit

This PR will remain open but won't be reviewed until you're under the limit. See our Contributing Guidelines for details.

[saurabhhhcodes]

Closing this in favor of #177, which carries the same RLS fix with a safer rerunnable migration plus a regression test. That should also bring me back within the repo open-PR limit so the newer PR can be reviewed cleanly. Thanks!