[codex] Add resource membership controls (#6677)

## Thinking Path

> - Paperclip orchestrates AI-agent companies through company-scoped
issues, projects, agents, and board-visible workflows.
> - The board sidebar and project list are the daily navigation surface
for that control plane.
> - Users need to keep all projects and agents accessible while hiding
resources they have intentionally left from their own sidebar.
> - That requires user-scoped resource membership state backed by
company-scoped API and database contracts.
> - The branch also needed to preserve HTTP worktree login sessions and
keep the project list easier to scan after membership grouping.
> - This pull request adds resource membership controls, sidebar leave
actions, grouped/sortable project listings, and focused tests.
> - The benefit is a cleaner personal workspace view without weakening
company-scoped access to the underlying project or agent detail pages.

## What Changed

- Added `project_memberships` and `agent_memberships` tables with
API/shared/server contracts for current-user join/leave state.
- Renumbered the membership migration to `0090_resource_memberships`
after rebasing onto current `master`, and made it idempotent for anyone
who had applied the old branch-local `0087` migration.
- Added project and agent sidebar leave actions, plus list filtering
that waits for membership state before hiding resources.
- Added grouped project listing, project sorting controls, and reserved
row subtitle height for cleaner scanning.
- Fixed HTTP auth cookie security handling so HTTP worktree sessions can
persist.
- Updated focused server and UI tests for the new membership, sidebar,
project list, and auth behavior.

## Verification

- `pnpm exec vitest run server/src/__tests__/better-auth.test.ts
server/src/__tests__/resource-memberships-routes.test.ts
ui/src/pages/Projects.test.tsx
ui/src/components/SidebarProjects.test.tsx
ui/src/components/SidebarAgents.test.tsx
ui/src/components/MembershipAction.test.tsx
ui/src/components/EntityRow.test.tsx`
- Confirmed the branch is rebased on current `origin/master`.
- Confirmed the PR diff does not include `pnpm-lock.yaml` or
`.github/workflows` changes.

## Risks

- Migration safety: low to medium. The migration now uses `IF NOT
EXISTS` / guarded constraints and is numbered after current master
migrations, but it should still get CI coverage against fresh databases.
- UI behavior: low. Left resources are hidden from sidebar only after
membership state loads; direct detail access remains available.
- Auth behavior: low. Cookie security is relaxed only for HTTP/private
local-style origins where secure cookies would prevent login
persistence.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

- OpenAI GPT-5 Codex coding agent, tool-enabled shell/git workflow,
context window not exposed by runtime.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

Screenshot note: no browser screenshots were captured in this heartbeat;
the UI changes are covered by focused component tests above.

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>

server/src/routes/index.ts

@@ -14,6 +14,7 @@ export { activityRoutes } from "./activity.js";
 export { dashboardRoutes } from "./dashboard.js";
 export { sidebarBadgeRoutes } from "./sidebar-badges.js";
 export { sidebarPreferenceRoutes } from "./sidebar-preferences.js";
+export { resourceMembershipRoutes } from "./resource-memberships.js";
 export { inboxDismissalRoutes } from "./inbox-dismissals.js";
 export { llmRoutes } from "./llms.js";
 export { accessRoutes } from "./access.js";

server/src/routes/resource-memberships.ts

@@ -0,0 +1,120 @@
+import { Router, type Request, type Response } from "express";
+import type { Db } from "@paperclipai/db";
+import { updateResourceMembershipSchema } from "@paperclipai/shared";
+import { validate } from "../middleware/validate.js";
+import { getActorInfo } from "./authz.js";
+import { logActivity, resourceMembershipService } from "../services/index.js";
+
+function requireBoardUserId(req: Request, res: Response): string | null {
+  if (req.actor.type !== "board" || !req.actor.userId) {
+    res.status(403).json({ error: "Board user access required" });
+    return null;
+  }
+  return req.actor.userId;
+}
+
+async function logMembershipChange(
+  db: Db,
+  req: Request,
+  input: {
+    companyId: string;
+    userId: string;
+    resourceType: "project" | "agent";
+    resourceId: string;
+    state: "joined" | "left";
+    policySource: string;
+  },
+) {
+  const actor = getActorInfo(req);
+  await logActivity(db, {
+    companyId: input.companyId,
+    actorType: actor.actorType,
+    actorId: actor.actorId,
+    agentId: actor.agentId,
+    runId: actor.runId,
+    action: `resource_membership.${input.state}`,
+    entityType: input.resourceType,
+    entityId: input.resourceId,
+    details: {
+      userId: input.userId,
+      resourceType: input.resourceType,
+      resourceId: input.resourceId,
+      state: input.state,
+      policySource: input.policySource,
+    },
+  });
+}
+
+export function resourceMembershipRoutes(db: Db) {
+  const router = Router();
+  const svc = resourceMembershipService(db);
+
+  router.get("/companies/:companyId/resource-memberships/me", async (req, res) => {
+    const companyId = req.params.companyId as string;
+    const userId = requireBoardUserId(req, res);
+    if (!userId) return;
+    res.json(await svc.listForUser(companyId, userId, req.actor));
+  });
+
+  router.put(
+    "/companies/:companyId/resource-memberships/me/projects/:projectId",
+    validate(updateResourceMembershipSchema),
+    async (req, res) => {
+      const companyId = req.params.companyId as string;
+      const projectId = req.params.projectId as string;
+      const userId = requireBoardUserId(req, res);
+      if (!userId) return;
+      const result = await svc.updateProject({
+        companyId,
+        projectId,
+        userId,
+        state: req.body.state,
+        actor: req.actor,
+      });
+      if (result.changed) {
+        await logMembershipChange(db, req, {
+          companyId,
+          userId,
+          resourceType: "project",
+          resourceId: projectId,
+          state: result.state,
+          policySource: result.policySource,
+        });
+      }
+      const { changed: _changed, policySource: _policySource, ...response } = result;
+      res.json(response);
+    },
+  );
+
+  router.put(
+    "/companies/:companyId/resource-memberships/me/agents/:agentId",
+    validate(updateResourceMembershipSchema),
+    async (req, res) => {
+      const companyId = req.params.companyId as string;
+      const agentId = req.params.agentId as string;
+      const userId = requireBoardUserId(req, res);
+      if (!userId) return;
+      const result = await svc.updateAgent({
+        companyId,
+        agentId,
+        userId,
+        state: req.body.state,
+        actor: req.actor,
+      });
+      if (result.changed) {
+        await logMembershipChange(db, req, {
+          companyId,
+          userId,
+          resourceType: "agent",
+          resourceId: agentId,
+          state: result.state,
+          policySource: result.policySource,
+        });
+      }
+      const { changed: _changed, policySource: _policySource, ...response } = result;
+      res.json(response);
+    },
+  );
+
+  return router;
+}