Implement local agent JWT authentication for adapters

Add HS256 JWT-based authentication for local adapters (claude_local, codex_local)
so agents authenticate automatically without manual API key configuration. The
server mints short-lived JWTs per heartbeat run and injects them as PAPERCLIP_API_KEY.
The auth middleware verifies JWTs alongside existing static API keys.

Includes: CLI onboard/doctor JWT secret management, env command for deployment,
config path resolution from ancestor directories, dotenv loading on server startup,
event payload secret redaction, multi-status issue filtering, and adapter transcript
parsing for thinking/user message kinds.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/src/config.ts

@@ -1,4 +1,12 @@
 import { readConfigFile } from "./config-file.js";
+import { existsSync } from "node:fs";
+import { config as loadDotenv } from "dotenv";
+import { resolvePaperclipEnvPath } from "./paths.js";
+
+const PAPERCLIP_ENV_FILE_PATH = resolvePaperclipEnvPath();
+if (existsSync(PAPERCLIP_ENV_FILE_PATH)) {
+  loadDotenv({ path: PAPERCLIP_ENV_FILE_PATH, override: false, quiet: true });
+}
 
 type DatabaseMode = "embedded-postgres" | "postgres";
 
@@ -33,7 +41,7 @@ export function loadConfig(): Config {
     serveUi:
       process.env.SERVE_UI !== undefined
         ? process.env.SERVE_UI === "true"
-        : fileConfig?.server.serveUi ?? false,
+        : fileConfig?.server.serveUi ?? true,
     uiDevMiddleware: process.env.PAPERCLIP_UI_DEV_MIDDLEWARE === "true",
     heartbeatSchedulerEnabled: process.env.HEARTBEAT_SCHEDULER_ENABLED !== "false",
     heartbeatSchedulerIntervalMs: Math.max(10000, Number(process.env.HEARTBEAT_SCHEDULER_INTERVAL_MS) || 30000),