auth-bundle-1 Phase 12 follow-up: in-tree TODO for path-12 deferral

Self-audit on cbb47aa flagged that the negative-path-#12 deferral
(scope_id for nonexistent resource → 404) was acknowledged in the
commit message but not in the source. A future operator scanning
internal/repository/postgres/auth.go would not learn about the
gap.

Adds an explicit TODO(bundle-2) comment next to RoleRepository.AddPermission
documenting:
  - what's missing today (no FK between role_permissions.scope_id
    and the resource tables);
  - why the gate still works at request time (no rows match the
    bogus scope so EffectivePermissions returns empty);
  - the cleaner end-state (HTTP 404 at grant time);
  - what's required to land it (migration confirming existing
    rows reference real resources);
  - the cross-reference to cowork/auth-bundle-1-prompt.md path #12.

Cosmetic, single-file change. No test churn.
shankar0123
2026-05-09 23:51:16 +00:00
parent cbb47aaf5d
commit 06cea1ce0f
@@ -217,6 +217,17 @@ func (r *RoleRepository) ListPermissions(ctx context.Context, roleID string) ([]
} }
func (r *RoleRepository) AddPermission(ctx context.Context, g *authdomain.RolePermission) error { func (r *RoleRepository) AddPermission(ctx context.Context, g *authdomain.RolePermission) error {
// TODO(bundle-2): Bundle 1 Phase 12 deferral — scope_id is NOT
// currently FK-constrained against the resource tables
// (certificate_profiles, issuers). This means an operator can
// grant a permission at scope_type=profile / scope_id=p-bogus
// without the bogus profile existing; the gate still works
// (no permission rows match the bogus scope at request time)
// but a strict 404 on grant would be cleaner. Adding the FK
// requires a migration that confirms every existing
// role_permissions row references a real resource and is
// tracked as Bundle 2 work. See
// cowork/auth-bundle-1-prompt.md negative-test path #12.
var scopeID interface{} var scopeID interface{}
if g.ScopeID != nil { if g.ScopeID != nil {
scopeID = *g.ScopeID scopeID = *g.ScopeID
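Review bot: the "gate still works" sentence in the new TODO is only true while no resource with that id exists; because the dangling role_permissions row is never cleaned up, a profile or issuer later created with the same id (e.g. p-bogus) would silently inherit the pre-granted permission the moment it appears. Suggest stating that caveat in the comment so the deferral is not read as risk-free, and, until the FK migration lands, consider an interim existence lookup in AddPermission for scope_type=profile / issuer so grants against unknown resources are rejected at grant time rather than relying on EffectivePermissions returning empty.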