feat(MAT-107): memory encryption & user isolation

- Per-user Fernet encryption for fact/chunk_text/summary fields
- Postgres RLS with memory_app restricted role
- SSL for memory-db connections
- Data migration script (migrate_encrypt.py)
- DB migration (migrate_rls.sql)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docker-compose.yml

@@ -37,6 +37,13 @@ services:
       POSTGRES_DB: memories
     volumes:
       - memory-pgdata:/var/lib/postgresql/data
+      - ./memory-db-ssl/server.crt:/var/lib/postgresql/server.crt:ro
+      - ./memory-db-ssl/server.key:/var/lib/postgresql/server.key:ro
+    command: >
+      postgres
+        -c ssl=on
+        -c ssl_cert_file=/var/lib/postgresql/server.crt
+        -c ssl_key_file=/var/lib/postgresql/server.key
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U memory -d memories"]
       interval: 5s
@@ -47,7 +54,9 @@ services:
     build: ./memory-service
     restart: unless-stopped
     environment:
-      DATABASE_URL: postgresql://memory:${MEMORY_DB_PASSWORD:-memory}@memory-db:5432/memories
+      DATABASE_URL: postgresql://memory_app:${MEMORY_APP_PASSWORD}@memory-db:5432/memories?sslmode=require
+      MEMORY_ENCRYPTION_KEY: ${MEMORY_ENCRYPTION_KEY}
+      MEMORY_DB_OWNER_PASSWORD: ${MEMORY_DB_PASSWORD:-memory}
       LITELLM_BASE_URL: ${LITELLM_BASE_URL}
       LITELLM_API_KEY: ${LITELLM_MASTER_KEY}
       EMBED_MODEL: ${EMBED_MODEL:-text-embedding-3-small}