I will implement **Phase 2: Realtime & Storage Enhancements**, specifically focusing on **Signed URLs** for Storage and **Resume Support** for Realtime.

### 1. Storage: Signed URLs

I will implement a mechanism to generate and verify time-limited access tokens for private objects.

- **`storage/src/handlers.rs`**:
  - Add `sign_object` handler (`POST /object/sign/:bucket/:wildcard`):
    - Checks user permissions via RLS.
    - Generates a JWT containing `bucket`, `key`, and expiration.
    - Returns a signed URL.
  - Add `get_signed_object` handler (`GET /object/sign/:bucket/:wildcard`):
    - Validates the token from the query string.
    - Bypasses RLS (since the token proves prior authorization) and streams the file from S3.
- **`storage/src/lib.rs`**: Register the new endpoints.
- **Tests**: Add integration tests to verify signed URL generation and access.

### 2. Realtime: Resume Support

I will leverage the existing `madbase_realtime.messages` table to allow clients to catch up on missed events.

- **`realtime/src/ws.rs`**:
  - Update the `phx_join` handler to accept a `last_event_id` in the payload.
  - If provided, query `madbase_realtime.messages` for events occurring after that ID matching the topic.
  - Send these missed events to the client immediately upon joining.
- **Tests**: Add integration tests to verify that a client reconnecting with a `last_event_id` receives missed messages.

*Note: Full replacement of `LISTEN/NOTIFY` with `pgoutput` is deferred to a later step within Phase 2 due to its complexity, but Resume Support is a critical prerequisite for reliability.*
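The signed-URL scheme in section 1 hinges on three checks the `get_signed_object` handler must make before it skips RLS: the signature verifies under the server-held key, the token has not expired, and the token's `bucket`/`key` claims match the object actually requested in the path (otherwise a URL signed for one object unlocks another in the same bucket). The following is an added illustration of that verification logic, not the project's Rust handlers; it uses an HMAC-SHA256 token instead of a full JWT library, a constructed secret, and a hypothetical `/object/sign/<bucket>/<key>?token=...` URL shape, so only the checks themselves carry over.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example key; a real deployment holds this server-side only.
SECRET = b"constructed-example-signing-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_object(bucket: str, key: str, ttl_seconds: int, secret: bytes = SECRET, now: int | None = None) -> str:
    """Build a signed URL for one object. Assumes the caller already passed the RLS check."""
    now = int(time.time()) if now is None else now
    claims = {"bucket": bucket, "key": key, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return f"/object/sign/{bucket}/{key}?{urlencode({'token': payload + '.' + sig})}"


def verify_signed_url(url: str, secret: bytes = SECRET, now: int | None = None):
    """Return (True, (bucket, key)) if the URL may bypass RLS, else (False, reason)."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    parts = parsed.path.split("/")  # ["", "object", "sign", bucket, key...]
    if len(parts) < 5 or parts[1:3] != ["object", "sign"]:
        return False, "not a signed object path"
    path_bucket, path_key = parts[3], "/".join(parts[4:])

    tokens = parse_qs(parsed.query).get("token", [])
    if len(tokens) != 1 or tokens[0].count(".") != 1:
        return False, "missing or malformed token"
    payload, sig = tokens[0].split(".")

    # 1. Signature first, so nothing below operates on unauthenticated data.
    try:
        supplied = _unb64(sig)
    except ValueError:
        return False, "malformed signature"
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, supplied):  # constant-time compare
        return False, "bad signature"

    # 2. Expiry.
    claims = json.loads(_unb64(payload))
    if claims["exp"] <= now:
        return False, "expired"

    # 3. Bind the token to the requested object: a token for a/x must not serve a/y.
    if (claims["bucket"], claims["key"]) != (path_bucket, path_key):
        return False, "token does not match requested object"
    return True, (path_bucket, path_key)
```

Because the object identity is checked against the signed claims rather than trusted from the path, rewriting the path after signing fails closed, and because the signature is checked before the payload is decoded, a forged token never reaches the JSON parser or the expiry logic.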
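For the resume logic in section 2, the part a practitioner wants to see is the catch-up query itself plus two failure modes the plan does not spell out: the client's `last_event_id` may predate the oldest row still retained in the messages table (replaying nothing and claiming success would silently lose events), and a long outage may produce more missed rows than should be pushed in one burst. The following is an added sketch, not the project's `realtime/src/ws.rs`; it uses an in-memory SQLite table standing in for `madbase_realtime.messages`, constructed sample rows, and hypothetical column names `id`, `topic`, `payload`, and assumes the topic has already been authorized during `phx_join` before any replay happens.

```python
import sqlite3

MAX_CATCHUP = 100  # assumed cap on rows replayed in one join


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for madbase_realtime.messages with six sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, topic TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO messages VALUES (?, ?, ?)",
        [(1, "room:1", "a"), (2, "room:2", "x"), (3, "room:1", "b"),
         (4, "room:1", "c"), (5, "room:2", "y"), (6, "room:1", "d")],
    )
    conn.commit()
    return conn


def catch_up(conn: sqlite3.Connection, topic: str, last_event_id, limit: int = MAX_CATCHUP):
    """Events the client missed on `topic` after `last_event_id`, plus a status.

    status is 'complete' (client is now current), 'truncated' (more rows remain;
    client should resume again from the last id returned), or 'gap' (rows the
    client needs were already purged; it must do a full resync instead).
    """
    if last_event_id is None:
        return [], "complete"  # fresh join, nothing to replay

    # Retention check. Ids are monotonic, so if the oldest retained row is more
    # than one past what the client saw, something in between is gone. This is
    # conservative: the purged rows may have belonged to other topics.
    oldest = conn.execute("SELECT MIN(id) FROM messages").fetchone()[0]
    if oldest is not None and last_event_id < oldest - 1:
        return [], "gap"

    # Parameterised query: topic and id are bound, never interpolated.
    rows = conn.execute(
        "SELECT id, payload FROM messages WHERE topic = ? AND id > ? ORDER BY id LIMIT ?",
        (topic, last_event_id, limit + 1),  # fetch one extra to detect truncation
    ).fetchall()

    status = "complete"
    if len(rows) > limit:
        rows, status = rows[:limit], "truncated"
    return [{"id": i, "payload": p} for i, p in rows], status
```

Returning an explicit `gap` status is the reliability point: a client that reconnects after the retention window must be told to refetch state rather than be handed an empty replay that looks like "nothing happened".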