Fix Foundry auth: migrate to Better Auth adapter, fix access token retrieval

- Remove @ts-nocheck from better-auth.ts, auth-user/index.ts, app-shell.ts
  and fix all type errors
- Fix getAccessTokenForSession: read GitHub token directly from account
  record instead of calling Better Auth's internal /get-access-token
  endpoint which returns 403 on server-side calls
- Re-implement workspaceAuth helper functions (workspaceAuthColumn,
  normalizeAuthValue, workspaceAuthClause, workspaceAuthWhere) that were
  accidentally deleted
- Remove all retry logic (withRetries, isRetryableAppActorError)
- Implement CORS origin allowlist from configured environment
- Document cachedAppWorkspace singleton pattern
- Add inline org sync fallback in buildAppSnapshot for post-OAuth flow
- Add no-retry rule to CLAUDE.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

foundry/packages/frontend/src/components/mock-layout.tsx

@@ -727,7 +727,7 @@ const RightRail = memo(function RightRail({
   }, [clampTerminalHeight]);
 
   const startResize = useCallback(
-    (event: ReactPointerEvent<HTMLDivElement>) => {
+    (event: ReactPointerEvent) => {
       event.preventDefault();
 
       const startY = event.clientY;
@@ -914,7 +914,7 @@ export function MockLayout({ workspaceId, selectedTaskId, selectedSessionId }: M
   const activeOrg = activeMockOrganization(appSnapshot);
   const navigateToUsage = useCallback(() => {
     if (activeOrg) {
-      void navigate({ to: "/organizations/$organizationId/billing" as never, params: { organizationId: activeOrg.id } });
+      void navigate({ to: "/organizations/$organizationId/billing" as never, params: { organizationId: activeOrg.id } as never });
     }
   }, [activeOrg, navigate]);
   const [projectOrder, setProjectOrder] = useState<string[] | null>(null);
@@ -1283,7 +1283,11 @@ export function MockLayout({ workspaceId, selectedTaskId, selectedSessionId }: M
   const onDragMouseDown = useCallback((event: ReactPointerEvent) => {
     if (event.button !== 0) return;
     // Tauri v2 IPC: invoke start_dragging on the webview window
-    const ipc = (window as Record<string, unknown>).__TAURI_INTERNALS__ as { invoke: (cmd: string, args?: unknown) => Promise<unknown> } | undefined;
+    const ipc = (window as unknown as Record<string, unknown>).__TAURI_INTERNALS__ as
+      | {
+          invoke: (cmd: string, args?: unknown) => Promise<unknown>;
+        }
+      | undefined;
     if (ipc?.invoke) {
       ipc.invoke("plugin:window|start_dragging").catch(() => {});
     }

foundry/packages/frontend/src/components/mock-layout/terminal-pane.tsx

@@ -135,6 +135,9 @@ export function TerminalPane({ workspaceId, taskId, isExpanded, onExpand, onColl
         setProcessTabs((prev) => {
           const next = [...prev];
           const [moved] = next.splice(d.fromIdx, 1);
+          if (!moved) {
+            return prev;
+          }
           next.splice(d.overIdx!, 0, moved);
           return next;
         });

foundry/packages/frontend/src/components/mock-onboarding.tsx

@@ -56,7 +56,11 @@ function DesktopDragRegion() {
   const isDesktop = !!import.meta.env.VITE_DESKTOP;
   const onDragMouseDown = useCallback((event: React.PointerEvent) => {
     if (event.button !== 0) return;
-    const ipc = (window as Record<string, unknown>).__TAURI_INTERNALS__ as { invoke: (cmd: string, args?: unknown) => Promise<unknown> } | undefined;
+    const ipc = (window as unknown as Record<string, unknown>).__TAURI_INTERNALS__ as
+      | {
+          invoke: (cmd: string, args?: unknown) => Promise<unknown>;
+        }
+      | undefined;
     if (ipc?.invoke) {
       ipc.invoke("plugin:window|start_dragging").catch(() => {});
     }