Fix Foundry auth: migrate to Better Auth adapter, fix access token retrieval

- Remove @ts-nocheck from better-auth.ts, auth-user/index.ts, app-shell.ts
  and fix all type errors
- Fix getAccessTokenForSession: read GitHub token directly from account
  record instead of calling Better Auth's internal /get-access-token
  endpoint which returns 403 on server-side calls
- Re-implement workspaceAuth helper functions (workspaceAuthColumn,
  normalizeAuthValue, workspaceAuthClause, workspaceAuthWhere) that were
  accidentally deleted
- Remove all retry logic (withRetries, isRetryableAppActorError)
- Implement CORS origin allowlist from configured environment
- Document cachedAppWorkspace singleton pattern
- Add inline org sync fallback in buildAppSnapshot for post-OAuth flow
- Add no-retry rule to CLAUDE.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.env.development.example

@@ -1,10 +1,14 @@
-# Load this file only when NODE_ENV=development.
-# The backend does not load dotenv files in production.
+# Foundry local development environment.
+# Copy ~/misc/the-foundry.env to .env in the repo root to populate secrets.
+# .env is gitignored — never commit it. The source of truth is ~/misc/the-foundry.env.
+#
+# Docker Compose (just foundry-dev) and the justfile (set dotenv-load := true)
+# both read .env automatically.
 
 APP_URL=http://localhost:4173
 BETTER_AUTH_URL=http://localhost:4173
 BETTER_AUTH_SECRET=sandbox-agent-foundry-development-only-change-me
-GITHUB_REDIRECT_URI=http://localhost:4173/api/rivet/app/auth/github/callback
+GITHUB_REDIRECT_URI=http://localhost:4173/v1/auth/github/callback
 
 # Fill these in when enabling live GitHub OAuth.
 GITHUB_CLIENT_ID=