fix: port orphan migration, add security model doc, and pool write scope tests

[Ejere]

Summary

• [Backend] Orphan SQL migration in src/db/migrations is never executed, so idx_loan_events_type_created_at is never created #1194 — Port the orphan src/db/migrations/1700000000000_add-loan-events-type-index.sql into a real backend/migrations/1795000000000_loan-events-type-index.js node-pg-migrate file so the idx_loan_events_type_created_at index is actually applied. Deleted the orphan SQL file and its now-empty directory. Added a _migrations_note in package.json documenting backend/migrations/ as the single source of truth.
• [Docs] No auth/security-model reference: roles to scopes (rbac.ts), API-key scope namespaces (auth.ts), JWT claims, and cookie auth are undocumented #1186 — Added docs/SECURITY-MODEL.md covering the challenge-signature-JWT flow, role-to-scope table, API-key scope namespaces, cookie attributes, and a per-route-group authorization map. Linked from SECURITY.md and backend/README.md.
• [Testing] No integration test asserts a lender (non-admin) JWT can call the pool write endpoints, so the missing write:pool scope grant ships uncaught #1179 — Added backend/src/__tests__/poolRouteScopes.test.ts with route-layer integration tests asserting lender JWT → 403 on all four pool write routes (missing write:pool), borrower JWT → 403, and no token → 401.

Test plan

• npm run migrate:up applies the new 1795000000000 migration and creates idx_loan_events_type_created_at
• npm test -- --testPathPattern poolRouteScopes passes (lender/borrower 403, unauthenticated 401)
• docs/SECURITY-MODEL.md renders correctly on GitHub

closes #1194
closes #1186
closes #1179