fix(m12): user can answer idea-questions — inline + bell support

Two gaps discovered during the first live grill-session of IDEA-002:
the agent posted a question, but the user had no UI to answer it.
1. Idea-questions only appeared on the Timeline-tab as read-only entries
2. Notifications-bell fetched + handled story-questions only

This fix:

**Inline answer-form in IdeaTimeline** (components/ideas/idea-timeline.tsx)
- Open questions now render an AnswerForm directly under the question text
- Multi-choice options become clickable buttons (one-click submit); free-text
  fallback via collapsed details/textarea
- Plain free-text questions render textarea + Verzend
- Calls existing answerQuestion server-action; toast + router.refresh on success

**Notifications-bell extended for idea-questions**
- stores/notifications-store.ts: NotificationQuestion → discriminated union
  (kind: 'story' | 'idea'); forYouCount treats idea-questions as always-for-you
  (idea is strictly user_id-only — only the owner sees them)
- components/notifications/notifications-bridge.tsx: parallel fetch of
  story-questions (productAccessFilter) + idea-questions (idea.user_id ===
  session.userId); merged + sorted by created_at
- components/notifications/notifications-sheet.tsx: renders idea_code/title
  for kind='idea'
- components/notifications/answer-modal.tsx: header + open-link branch on
  kind (idea → /ideas/[id]?tab=timeline; story → existing /sprint link)
- lib/realtime/use-notifications-realtime.ts: idea-question events also
  trigger close+reconnect on 'open' (loads fresh detail) and remove(id) on
  non-open — same pattern story-questions already use
- components/shared/notifications-bell.tsx: badge counts idea-questions as
  for-you regardless of assignee

**Security gap closed (actions/questions.ts answerQuestion)**
Before: accepted any answer if user has product-access.
After: idea-questions require idea.user_id === session.userId; story-
questions keep the existing productAccessFilter path. (Prisma 7 rejects
\`{ not: null }\` in WHERE; routing happens app-level after a single fetch.)

Tests: 546/546 still green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

actions/questions.ts

@@ -37,18 +37,43 @@ export async function answerQuestion(
     return { ok: false, error: first }
   }
 
-  // Access-check: gebruiker moet toegang hebben tot het product van de vraag.
-  // Iedereen met product-membership mag antwoorden — niet alleen de story-
-  // assignee — consistent met Scrum self-organizing.
+  // Access-check (M12-aware):
+  // - Story-questions: iedereen met product-membership mag antwoorden
+  //   (consistent met Scrum self-organizing).
+  // - Idea-questions: strikt user_id-only — alleen de eigenaar van het
+  //   gekoppelde idee mag antwoorden (M12 grill-keuze 8).
+  // App-level routing omdat Prisma 7 `{ not: null }` filters in WHERE niet
+  // accepteert; we fetchen de relevante FK-keys en checken in TS.
   const question = await prisma.claudeQuestion.findFirst({
-    where: {
-      id: parsed.data.questionId,
-      product: productAccessFilter(session.userId),
+    where: { id: parsed.data.questionId },
+    select: {
+      id: true,
+      story_id: true,
+      idea_id: true,
+      product_id: true,
+      idea: { select: { user_id: true } },
     },
-    select: { id: true },
   })
   if (!question) return { ok: false, error: 'Vraag niet gevonden of geen toegang' }
 
+  if (question.idea_id) {
+    // Idea-question: alleen idea-eigenaar.
+    if (question.idea?.user_id !== session.userId) {
+      return { ok: false, error: 'Vraag niet gevonden of geen toegang' }
+    }
+  } else if (question.story_id) {
+    // Story-question: bestaand product-access-pad.
+    const productAccess = await prisma.product.findFirst({
+      where: { id: question.product_id, ...productAccessFilter(session.userId) },
+      select: { id: true },
+    })
+    if (!productAccess) {
+      return { ok: false, error: 'Vraag niet gevonden of geen toegang' }
+    }
+  } else {
+    return { ok: false, error: 'Vraag heeft geen story of idea' }
+  }
+
   // Atomic state-transitie: alleen open + niet-verlopen vragen worden beantwoord.
   // Concurrent dubbele submit: PostgreSQL row-locking laat één caller count=1
   // zien, de rest count=0 → disambiguatie hieronder.