fix(edge-fn): replace getClaims with adminClient.auth.getUser(token)

fix(edge-fn): use user.id instead of claims.sub; fixes 500s and false cert_required
fix(migrations): drop broad reservations SELECT policy; add reservation_slots view with security_invoker=false
fix(tests): correct weekSlot() keys from start/end to start_time/end_time
fix(tests): spread overlap test slots across separate ISO weeks
fix(tests): update e2e assertion to match actual authenticated home text
fix(app): hide IonMenu before user is authenticated
feat(dx): add test:all script running unit, integration, and e2e in sequence
docs(claude-md): document SELinux fix, Edge Function auth pattern, security_invoker behaviour

supabase/migrations/20260420190000_fix_reservation_slots_view.sql

@@ -0,0 +1,14 @@
+-- The reservation_slots view was created with security_invoker=true, which means
+-- it evaluates RLS as the calling user. After removing the broad select policy,
+-- other members see 0 rows. Switch to security_definer so the view runs as the
+-- owner (bypassing RLS), while still exposing only the safe columns.
+
+drop view if exists public.reservation_slots;
+
+create view public.reservation_slots
+  with (security_invoker = false)
+as
+  select id, boat_id, start_time, end_time, status
+  from public.reservations;
+
+grant select on public.reservation_slots to authenticated;