feat(server): integrate Better Auth, access control, and deployment mode startup

Wire up Better Auth for session-based authentication. Add actor middleware
that resolves local_trusted mode to an implicit board actor and authenticated
mode to Better Auth sessions. Add access service with membership, permission,
invite, and join-request management. Register access routes for member/invite/
join-request CRUD. Update health endpoint to report deployment mode and
bootstrap status. Enforce tasks:assign and agents:create permissions in issue
and agent routes. Add deployment mode validation at startup with guardrails
(loopback-only for local_trusted, auth config required for authenticated).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/src/routes/authz.ts

@@ -1,5 +1,5 @@
 import type { Request } from "express";
-import { forbidden } from "../errors.js";
+import { forbidden, unauthorized } from "../errors.js";
 
 export function assertBoard(req: Request) {
   if (req.actor.type !== "board") {
@@ -8,12 +8,24 @@ export function assertBoard(req: Request) {
 }
 
 export function assertCompanyAccess(req: Request, companyId: string) {
+  if (req.actor.type === "none") {
+    throw unauthorized();
+  }
   if (req.actor.type === "agent" && req.actor.companyId !== companyId) {
     throw forbidden("Agent key cannot access another company");
   }
+  if (req.actor.type === "board" && req.actor.source !== "local_implicit" && !req.actor.isInstanceAdmin) {
+    const allowedCompanies = req.actor.companyIds ?? [];
+    if (!allowedCompanies.includes(companyId)) {
+      throw forbidden("User does not have access to this company");
+    }
+  }
 }
 
 export function getActorInfo(req: Request) {
+  if (req.actor.type === "none") {
+    throw unauthorized();
+  }
   if (req.actor.type === "agent") {
     return {
       actorType: "agent" as const,