[codex] Add resource membership controls (#6677)

## Thinking Path

> - Paperclip orchestrates AI-agent companies through company-scoped
issues, projects, agents, and board-visible workflows.
> - The board sidebar and project list are the daily navigation surface
for that control plane.
> - Users need to keep all projects and agents accessible while hiding
resources they have intentionally left from their own sidebar.
> - That requires user-scoped resource membership state backed by
company-scoped API and database contracts.
> - The branch also needed to preserve HTTP worktree login sessions and
keep the project list easier to scan after membership grouping.
> - This pull request adds resource membership controls, sidebar leave
actions, grouped/sortable project listings, and focused tests.
> - The benefit is a cleaner personal workspace view without weakening
company-scoped access to the underlying project or agent detail pages.

## What Changed

- Added `project_memberships` and `agent_memberships` tables with
API/shared/server contracts for current-user join/leave state.
- Renumbered the membership migration to `0090_resource_memberships`
after rebasing onto current `master`, and made it idempotent for anyone
who had applied the old branch-local `0087` migration.
- Added project and agent sidebar leave actions, plus list filtering
that waits for membership state before hiding resources.
- Added grouped project listing, project sorting controls, and reserved
row subtitle height for cleaner scanning.
- Fixed HTTP auth cookie security handling so HTTP worktree sessions can
persist.
- Updated focused server and UI tests for the new membership, sidebar,
project list, and auth behavior.

## Verification

- `pnpm exec vitest run server/src/__tests__/better-auth.test.ts
server/src/__tests__/resource-memberships-routes.test.ts
ui/src/pages/Projects.test.tsx
ui/src/components/SidebarProjects.test.tsx
ui/src/components/SidebarAgents.test.tsx
ui/src/components/MembershipAction.test.tsx
ui/src/components/EntityRow.test.tsx`
- Confirmed the branch is rebased on current `origin/master`.
- Confirmed the PR diff does not include `pnpm-lock.yaml` or
`.github/workflows` changes.

## Risks

- Migration safety: low to medium. The migration now uses `IF NOT
EXISTS` / guarded constraints and is numbered after current master
migrations, but it should still get CI coverage against fresh databases.
- UI behavior: low. Left resources are hidden from sidebar only after
membership state loads; direct detail access remains available.
- Auth behavior: low. Cookie security is relaxed only for HTTP/private
local-style origins where secure cookies would prevent login
persistence.

> For core feature work, check [`ROADMAP.md`](ROADMAP.md) first and
discuss it in `#dev` before opening the PR. Feature PRs that overlap
with planned core work may need to be redirected — check the roadmap
first. See `CONTRIBUTING.md`.

## Model Used

- OpenAI GPT-5 Codex coding agent, tool-enabled shell/git workflow,
context window not exposed by runtime.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have checked ROADMAP.md and confirmed this PR does not duplicate
planned core work
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

Screenshot note: no browser screenshots were captured in this heartbeat;
the UI changes are covered by focused component tests above.

---------

Co-authored-by: Paperclip <noreply@paperclip.ing>

server/src/services/index.ts

@@ -42,6 +42,7 @@ export { classifyIssueGraphLiveness, type IssueLivenessFinding } from "./recover
 export { dashboardService } from "./dashboard.js";
 export { sidebarBadgeService } from "./sidebar-badges.js";
 export { sidebarPreferenceService } from "./sidebar-preferences.js";
+export { resourceMembershipService, type ResourceMembershipPolicyHook } from "./resource-memberships.js";
 export { inboxDismissalService } from "./inbox-dismissals.js";
 export { accessService } from "./access.js";
 export {

server/src/services/resource-memberships.ts

@@ -0,0 +1,318 @@
+import { and, eq } from "drizzle-orm";
+import type { Db } from "@paperclipai/db";
+import {
+  agentMemberships,
+  agents,
+  projectMemberships,
+  projects,
+} from "@paperclipai/db";
+import type {
+  ResourceMembershipResourceType,
+  ResourceMembershipState,
+  ResourceMemberships,
+  ResourceMembershipUpdateResult,
+} from "@paperclipai/shared";
+import { forbidden, notFound } from "../errors.js";
+import { logger } from "../middleware/logger.js";
+
+type BoardActor = {
+  type: "board" | "agent" | "none";
+  userId?: string;
+  companyIds?: string[];
+  memberships?: Array<{
+    companyId: string;
+    membershipRole?: string | null;
+    status?: string;
+  }>;
+  isInstanceAdmin?: boolean;
+  source?: string;
+};
+
+type PolicyDecision = {
+  allowed: boolean;
+  reason?: string | null;
+  source?: string | null;
+};
+
+export type ResourceMembershipPolicyHook = (input: {
+  actor: BoardActor;
+  companyId: string;
+  userId: string;
+  resourceType: ResourceMembershipResourceType;
+  resourceId: string;
+  state: ResourceMembershipState;
+}) => Promise<PolicyDecision> | PolicyDecision;
+
+type ResourceMembershipServiceOptions = {
+  policyHook?: ResourceMembershipPolicyHook | null;
+};
+
+function defaultJoinedMap<T extends { projectId?: string; agentId?: string; state: string }>(
+  rows: T[],
+  key: "projectId" | "agentId",
+): Record<string, ResourceMembershipState> {
+  const result: Record<string, ResourceMembershipState> = {};
+  for (const row of rows) {
+    const id = row[key];
+    if (typeof id !== "string") continue;
+    result[id] = row.state === "left" ? "left" : "joined";
+  }
+  return result;
+}
+
+function latestDate(...dates: Array<Date | null | undefined>): Date | null {
+  let latest: Date | null = null;
+  for (const date of dates) {
+    if (!date) continue;
+    if (!latest || date.getTime() > latest.getTime()) latest = date;
+  }
+  return latest;
+}
+
+function assertBoardSelfMembershipAccess(actor: BoardActor, companyId: string, userId: string) {
+  if (actor.type !== "board" || !actor.userId) {
+    throw forbidden("Board user access required");
+  }
+  if (actor.userId !== userId) {
+    throw forbidden("Users may only update their own resource memberships");
+  }
+  if (actor.source === "local_implicit" || actor.isInstanceAdmin) {
+    return;
+  }
+  const membership = actor.memberships?.find((item) => item.companyId === companyId);
+  if (!membership || membership.status !== "active") {
+    throw forbidden("User does not have active company access");
+  }
+}
+
+async function evaluatePolicy(
+  hook: ResourceMembershipPolicyHook | null | undefined,
+  input: Parameters<ResourceMembershipPolicyHook>[0],
+): Promise<PolicyDecision> {
+  if (!hook) return { allowed: true, source: "oss_default" };
+  try {
+    const decision = await hook(input);
+    return {
+      allowed: decision.allowed === true,
+      reason: decision.reason ?? null,
+      source: decision.source ?? "policy_hook",
+    };
+  } catch (err) {
+    logger.warn(
+      { err, companyId: input.companyId, resourceType: input.resourceType, resourceId: input.resourceId },
+      "resource membership policy hook failed closed",
+    );
+    return { allowed: false, reason: "policy_hook_failed", source: "policy_hook" };
+  }
+}
+
+export function resourceMembershipService(db: Db, options: ResourceMembershipServiceOptions = {}) {
+  const policyHook = options.policyHook ?? null;
+
+  async function assertMutationAllowed(input: {
+    actor: BoardActor;
+    companyId: string;
+    userId: string;
+    resourceType: ResourceMembershipResourceType;
+    resourceId: string;
+    state: ResourceMembershipState;
+  }): Promise<PolicyDecision> {
+    assertBoardSelfMembershipAccess(input.actor, input.companyId, input.userId);
+    const decision = await evaluatePolicy(policyHook, input);
+    if (!decision.allowed) {
+      logger.warn(
+        {
+          companyId: input.companyId,
+          userId: input.userId,
+          resourceType: input.resourceType,
+          resourceId: input.resourceId,
+          reason: decision.reason ?? "denied",
+          source: decision.source ?? "policy_hook",
+        },
+        "resource membership mutation denied",
+      );
+      throw forbidden("Resource membership policy denied this request");
+    }
+    return decision;
+  }
+
+  return {
+    async listForUser(companyId: string, userId: string, actor: BoardActor): Promise<ResourceMemberships> {
+      assertBoardSelfMembershipAccess(actor, companyId, userId);
+      const [projectRows, agentRows] = await Promise.all([
+        db
+          .select({
+            projectId: projectMemberships.projectId,
+            state: projectMemberships.state,
+            updatedAt: projectMemberships.updatedAt,
+          })
+          .from(projectMemberships)
+          .where(and(
+            eq(projectMemberships.companyId, companyId),
+            eq(projectMemberships.userId, userId),
+          )),
+        db
+          .select({
+            agentId: agentMemberships.agentId,
+            state: agentMemberships.state,
+            updatedAt: agentMemberships.updatedAt,
+          })
+          .from(agentMemberships)
+          .where(and(
+            eq(agentMemberships.companyId, companyId),
+            eq(agentMemberships.userId, userId),
+          )),
+      ]);
+      return {
+        projectMemberships: defaultJoinedMap(projectRows, "projectId"),
+        agentMemberships: defaultJoinedMap(agentRows, "agentId"),
+        updatedAt: latestDate(
+          ...projectRows.map((row) => row.updatedAt),
+          ...agentRows.map((row) => row.updatedAt),
+        ),
+      };
+    },
+
+    async updateProject(input: {
+      companyId: string;
+      userId: string;
+      projectId: string;
+      state: ResourceMembershipState;
+      actor: BoardActor;
+    }): Promise<ResourceMembershipUpdateResult & { changed: boolean; policySource: string }> {
+      const project = await db.query.projects.findFirst({
+        where: and(
+          eq(projects.id, input.projectId),
+          eq(projects.companyId, input.companyId),
+        ),
+      });
+      if (!project) throw notFound("Project not found");
+      const decision = await assertMutationAllowed({
+        actor: input.actor,
+        companyId: input.companyId,
+        userId: input.userId,
+        resourceType: "project",
+        resourceId: input.projectId,
+        state: input.state,
+      });
+
+      const existing = await db.query.projectMemberships.findFirst({
+        where: and(
+          eq(projectMemberships.companyId, input.companyId),
+          eq(projectMemberships.userId, input.userId),
+          eq(projectMemberships.projectId, input.projectId),
+        ),
+      });
+      const previousState: ResourceMembershipState = existing?.state === "left" ? "left" : "joined";
+      if (previousState === input.state) {
+        return {
+          resourceType: "project",
+          resourceId: input.projectId,
+          state: input.state,
+          updatedAt: existing?.updatedAt ?? new Date(),
+          changed: false,
+          policySource: decision.source ?? "oss_default",
+        };
+      }
+
+      const now = new Date();
+      const [row] = await db
+        .insert(projectMemberships)
+        .values({
+          companyId: input.companyId,
+          projectId: input.projectId,
+          userId: input.userId,
+          state: input.state,
+          updatedAt: now,
+        })
+        .onConflictDoUpdate({
+          target: [projectMemberships.companyId, projectMemberships.userId, projectMemberships.projectId],
+          set: {
+            state: input.state,
+            updatedAt: now,
+          },
+        })
+        .returning();
+
+      return {
+        resourceType: "project",
+        resourceId: input.projectId,
+        state: row?.state === "left" ? "left" : "joined",
+        updatedAt: row?.updatedAt ?? now,
+        changed: true,
+        policySource: decision.source ?? "oss_default",
+      };
+    },
+
+    async updateAgent(input: {
+      companyId: string;
+      userId: string;
+      agentId: string;
+      state: ResourceMembershipState;
+      actor: BoardActor;
+    }): Promise<ResourceMembershipUpdateResult & { changed: boolean; policySource: string }> {
+      const agent = await db.query.agents.findFirst({
+        where: and(
+          eq(agents.id, input.agentId),
+          eq(agents.companyId, input.companyId),
+        ),
+      });
+      if (!agent) throw notFound("Agent not found");
+      const decision = await assertMutationAllowed({
+        actor: input.actor,
+        companyId: input.companyId,
+        userId: input.userId,
+        resourceType: "agent",
+        resourceId: input.agentId,
+        state: input.state,
+      });
+
+      const existing = await db.query.agentMemberships.findFirst({
+        where: and(
+          eq(agentMemberships.companyId, input.companyId),
+          eq(agentMemberships.userId, input.userId),
+          eq(agentMemberships.agentId, input.agentId),
+        ),
+      });
+      const previousState: ResourceMembershipState = existing?.state === "left" ? "left" : "joined";
+      if (previousState === input.state) {
+        return {
+          resourceType: "agent",
+          resourceId: input.agentId,
+          state: input.state,
+          updatedAt: existing?.updatedAt ?? new Date(),
+          changed: false,
+          policySource: decision.source ?? "oss_default",
+        };
+      }
+
+      const now = new Date();
+      const [row] = await db
+        .insert(agentMemberships)
+        .values({
+          companyId: input.companyId,
+          agentId: input.agentId,
+          userId: input.userId,
+          state: input.state,
+          updatedAt: now,
+        })
+        .onConflictDoUpdate({
+          target: [agentMemberships.companyId, agentMemberships.userId, agentMemberships.agentId],
+          set: {
+            state: input.state,
+            updatedAt: now,
+          },
+        })
+        .returning();
+
+      return {
+        resourceType: "agent",
+        resourceId: input.agentId,
+        state: row?.state === "left" ? "left" : "joined",
+        updatedAt: row?.updatedAt ?? now,
+        changed: true,
+        policySource: decision.source ?? "oss_default",
+      };
+    },
+  };
+}