[recipes] Fix REVIEW-MEDIUM-1: filter restricted thoughts from preview views

Why: ops_recent_thoughts and ops_enrichment_gaps both emit left(content, 180)
as a preview column without filtering on sensitivity_tier. Today the views
are service_role-only, so there is no blast radius -- but the README markets
them as queryable via PostgREST and "your dashboard", which primes a future
maintainer to add GRANT SELECT ... TO authenticated. The moment that happens,
the first 180 chars of every restricted thought flow out through these views.

Add WHERE sensitivity_tier IS DISTINCT FROM 'restricted' to both views. This
matches the convention used by search_thoughts_text(p_exclude_restricted) in
schemas/enhanced-thoughts/schema.sql and costs one clause per view. Cheap
insurance against a future "widen the grants for the dashboard" regression.

Author: alanshurafa

recipes/brain-health-monitoring/ops-views.sql

@@ -43,6 +43,7 @@ SELECT
   enriched,
   left(content, 180) AS preview
 FROM public.thoughts
+WHERE sensitivity_tier IS DISTINCT FROM 'restricted'
 ORDER BY created_at DESC;
 
 -- ============================================================
@@ -60,6 +61,7 @@ SELECT
   left(content, 180) AS preview
 FROM public.thoughts
 WHERE enriched IS NOT TRUE
+  AND sensitivity_tier IS DISTINCT FROM 'restricted'
 ORDER BY created_at DESC;
 
 -- ============================================================