Flesh out dd0c/alert: webhook routes, incident API, notification config, data layer

- Webhook routes: Datadog, PagerDuty, OpsGenie, Grafana with per-tenant HMAC/token auth
- Incident API: list (filtered), detail with alerts, acknowledge/resolve/suppress, dashboard summary
- Notification config: CRUD with upsert, test endpoint, Slack/email/webhook channels
- Grafana normalizer: severity mapping (critical/warning/info)
- Data layer: withTenant() RLS wrapper, Zod config validation
- Fastify server entry point with cors/helmet

products/03-alert-intelligence/src/data/db.ts

@@ -0,0 +1,29 @@
+import pg from 'pg';
+import pino from 'pino';
+import { config } from '../config/index.js';
+
+const logger = pino({ name: 'data' });
+
+export const pool = new pg.Pool({ connectionString: config.DATABASE_URL });
+
+/**
+ * RLS tenant isolation wrapper.
+ * Sets `app.tenant_id` for the duration of the callback, then resets.
+ * Prevents connection pool tenant context leakage (BMad must-have).
+ */
+export async function withTenant<T>(tenantId: string, fn: (client: pg.PoolClient) => Promise<T>): Promise<T> {
+  const client = await pool.connect();
+  try {
+    await client.query('BEGIN');
+    await client.query(`SET LOCAL app.tenant_id = '${tenantId}'`);
+    const result = await fn(client);
+    await client.query('COMMIT');
+    return result;
+  } catch (err) {
+    await client.query('ROLLBACK');
+    throw err;
+  } finally {
+    await client.query('RESET app.tenant_id');
+    client.release();
+  }
+}