feat(drift): add noisy neighbor protection, RBAC forgery prevention, remediation locks

- Fair-share tenant processing: weighted round-robin, per-tenant queue depth tracking
- API key → stack ownership validation on all ingestion routes
- Enhanced replay attack prevention (timestamp + nonce + report_id dedup)
- Remediation lock: Redis-based mutex prevents scan/remediation race conditions
- Reports during active remediation tagged and excluded from scoring
- 006_noisy_neighbor.sql migration

products/02-iac-drift-detection/saas/migrations/006_noisy_neighbor.sql

@@ -0,0 +1,29 @@
+-- 006: Noisy neighbor protection, remediation locks, fair-share processing
+
+-- Add during_remediation flag to drift_reports
+ALTER TABLE drift_reports ADD COLUMN IF NOT EXISTS during_remediation BOOLEAN NOT NULL DEFAULT false;
+
+-- Add processing_priority to stacks (tracked via drift_reports for now)
+-- We use a dedicated lightweight table so we can set priority per-stack without a full stacks table
+CREATE TABLE IF NOT EXISTS stack_settings (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
+    stack_name TEXT NOT NULL,
+    processing_priority TEXT NOT NULL DEFAULT 'normal' CHECK (processing_priority IN ('low', 'normal', 'high')),
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE(tenant_id, stack_name)
+);
+
+ALTER TABLE stack_settings ENABLE ROW LEVEL SECURITY;
+CREATE POLICY tenant_iso_stack_settings ON stack_settings
+    USING (tenant_id::text = current_setting('app.tenant_id', true));
+
+-- Index for fair-share queue queries: find reports per tenant ordered by time
+CREATE INDEX IF NOT EXISTS idx_drift_reports_tenant_created
+    ON drift_reports(tenant_id, created_at);
+
+-- Index for remediation lock lookups
+CREATE INDEX IF NOT EXISTS idx_remediations_active
+    ON remediations(tenant_id, stack_name, status)
+    WHERE status IN ('pending', 'in_progress');