fix(db): scope invite codes to studies

[mohiuddinshahrukh]

Description

Invite-code validation could rely on invite_code alone, so enrollment could reference an invite code without the database also enforcing that the code belongs to the same study.

Changes

• Scope app invite lookup by both code and study_id
• Add composite unique constraint on study_invite (study_id, code)
• Replace study_subject.invite_code foreign key with composite (study_id, invite_code) foreign key
• Add public.is_invite_code_for_study(uuid, text) as a SECURITY DEFINER helper
• Update restrictive insert policy on study_subject to validate (study_id, invite_code)
• Revoke function execution from public and anon
• Mirror DB changes in database/studyu-schema.sql

Testing

• flutter analyze in app
• flutter analyze in designer_v2
• git diff --check
• Frontend invite-code flow:
  • invalid code rejected
  • valid code accepted
• Applied migration to local Supabase
• Transaction-only DB test as postgres:
  • valid (study_id, invite_code) accepted
  • mismatched pair rejected
  • rolled back
• Authenticated/RLS-level DB test:
  • valid pair accepted under authenticated
  • mismatched pair rejected by policy

[github-actions]

Visit the preview URL for this PR (updated for commit 76cadfa):

• https://studyu-dev-app--pr831-fix-cross-study-invi-pdypwrn5.web.app
• https://studyu-dev-designer--pr831-fix-cross-study-invi-xwonnf3k.web.app

_{(expires Sat, 23 May 2026 12:34:47 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

_{Sign: 2149dad49ed83535217e50d5c18c0c8c90da629b}