Close PostgreSQL clients in roles and one-time org notifications

[pmjnt]

Hi, I found and patched a small connection lifecycle issue in two backend paths.

Patch branch:
https://github.com/pmjnt/capgo/tree/codex/capgo-audit-next

Commit:
pmjnt@164d8366d

Summary:

• sendNotifToOrgMembersOnce() creates a dedicated getPgClient(c) write client for one-time org notification claim checks and recipient discovery, but several early returns did not close that pool.
• supabase/functions/_backend/private/roles.ts creates pg clients for both roles list endpoints without a finally close.
• The patch wraps the one-time notification path in try/finally, calls closeClient(c, writePgClient), and adds finally cleanup for both private roles endpoints.
• The unit test now asserts the notification write client is released on early return paths.

Why it matters:
Repeated one-time notification sends or /private/roles requests can leave PostgreSQL pools open longer than intended, which can increase connection pressure in cron/admin/RBAC flows.

Verification:

node_modules/.bin/vitest.exe run tests/org-email-notifications-send-once.unit.test.ts tests/private-rbac-auth-order.unit.test.ts
node_modules/.bin/eslint.exe supabase/functions/_backend/utils/org_email_notifications.ts supabase/functions/_backend/private/roles.ts tests/org-email-notifications-send-once.unit.test.ts
git diff --check

I tried opening a PR from the fork, but GitHub returned:
pmjnt does not have the correct permissions to execute CreatePullRequest.

[pmjnt]

I have the patch ready here:
pmjnt@164d8366d

GitHub is currently blocking PR creation from my fork with CreatePullRequest, so I cannot open the PR directly from this branch:
https://github.com/pmjnt/capgo/tree/codex/capgo-audit-next

Tests/lint passed locally. Could you either cherry-pick the commit or advise another branch/PR path I should use?