Fix Foundry UI bugs: org names, sessions, and repo selection (#250)

* Fix Foundry auth: migrate to Better Auth adapter, fix access token retrieval

- Remove @ts-nocheck from better-auth.ts, auth-user/index.ts, app-shell.ts
  and fix all type errors
- Fix getAccessTokenForSession: read GitHub token directly from account
  record instead of calling Better Auth's internal /get-access-token
  endpoint which returns 403 on server-side calls
- Re-implement workspaceAuth helper functions (workspaceAuthColumn,
  normalizeAuthValue, workspaceAuthClause, workspaceAuthWhere) that were
  accidentally deleted
- Remove all retry logic (withRetries, isRetryableAppActorError)
- Implement CORS origin allowlist from configured environment
- Document cachedAppWorkspace singleton pattern
- Add inline org sync fallback in buildAppSnapshot for post-OAuth flow
- Add no-retry rule to CLAUDE.md

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add Foundry dev panel from fix-git-data branch

Port the dev panel component that was left out when PR #243 was replaced
by PR #247. Adapted to remove runtime/mock-debug references that don't
exist on the current branch.

- Toggle with Shift+D, persists visibility to localStorage
- Shows context, session, GitHub sync status sections
- Dev-only (import.meta.env.DEV)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add full Docker image defaults, fix actor deadlocks, and improve dev experience

- Add Dockerfile.full and --all flag to install-agent CLI for pre-built images
- Centralize Docker image constant (FULL_IMAGE) pinned to 0.3.1-full
- Remove examples/shared/Dockerfile{,.dev} and daytona snapshot example
- Expand Docker docs with full runnable Dockerfile
- Fix self-deadlock in createWorkbenchSession (fire-and-forget provisioning)
- Audit and convert 12 task actions from wait:true to wait:false
- Add bun --hot for dev backend hot reload
- Remove --force from pnpm install in dev Dockerfile for faster startup
- Add env_file support to compose.dev.yaml for automatic credential loading
- Add mock frontend compose config and dev panel
- Update CLAUDE.md with wait:true policy and dev environment setup

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* WIP: async action fixes and interest manager

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Fix Foundry UI bugs: org names, hanging sessions, and wrong repo creation

- Fix org display name using GitHub description instead of name field
- Fix createWorkbenchSession hanging when sandbox is provisioning
- Fix auto-session creation retry storm on errors
- Fix task creation using wrong repo due to React state race conditions
- Remove Bun hot-reload from backend Dockerfile (causes port drift)
- Add GitHub sync/install status to dev panel

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

foundry/packages/backend/src/actors/auth-user/db/db.ts

@@ -0,0 +1,5 @@
+import { db } from "rivetkit/db/drizzle";
+import * as schema from "./schema.js";
+import migrations from "./migrations.js";
+
+export const authUserDb = db({ schema, migrations });

foundry/packages/backend/src/actors/auth-user/db/migrations.ts

@@ -0,0 +1,80 @@
+// This file is generated by src/actors/_scripts/generate-actor-migrations.ts.
+// Source of truth is drizzle-kit output under ./drizzle (meta/_journal.json + *.sql).
+// Do not hand-edit this file.
+
+const journal = {
+  entries: [
+    {
+      idx: 0,
+      when: 1773446400000,
+      tag: "0000_auth_user",
+      breakpoints: true,
+    },
+  ],
+} as const;
+
+export default {
+  journal,
+  migrations: {
+    m0000: `CREATE TABLE \`user\` (
+	\`id\` text PRIMARY KEY NOT NULL,
+	\`name\` text NOT NULL,
+	\`email\` text NOT NULL,
+	\`email_verified\` integer NOT NULL,
+	\`image\` text,
+	\`created_at\` integer NOT NULL,
+	\`updated_at\` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE \`session\` (
+	\`id\` text PRIMARY KEY NOT NULL,
+	\`token\` text NOT NULL,
+	\`user_id\` text NOT NULL,
+	\`expires_at\` integer NOT NULL,
+	\`ip_address\` text,
+	\`user_agent\` text,
+	\`created_at\` integer NOT NULL,
+	\`updated_at\` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX \`session_token_idx\` ON \`session\` (\`token\`);
+--> statement-breakpoint
+CREATE TABLE \`account\` (
+	\`id\` text PRIMARY KEY NOT NULL,
+	\`account_id\` text NOT NULL,
+	\`provider_id\` text NOT NULL,
+	\`user_id\` text NOT NULL,
+	\`access_token\` text,
+	\`refresh_token\` text,
+	\`id_token\` text,
+	\`access_token_expires_at\` integer,
+	\`refresh_token_expires_at\` integer,
+	\`scope\` text,
+	\`password\` text,
+	\`created_at\` integer NOT NULL,
+	\`updated_at\` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX \`account_provider_account_idx\` ON \`account\` (\`provider_id\`, \`account_id\`);
+--> statement-breakpoint
+CREATE TABLE \`user_profiles\` (
+	\`user_id\` text PRIMARY KEY NOT NULL,
+	\`github_account_id\` text,
+	\`github_login\` text,
+	\`role_label\` text NOT NULL,
+	\`eligible_organization_ids_json\` text NOT NULL,
+	\`starter_repo_status\` text NOT NULL,
+	\`starter_repo_starred_at\` integer,
+	\`starter_repo_skipped_at\` integer,
+	\`created_at\` integer NOT NULL,
+	\`updated_at\` integer NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE \`session_state\` (
+	\`session_id\` text PRIMARY KEY NOT NULL,
+	\`active_organization_id\` text,
+	\`created_at\` integer NOT NULL,
+	\`updated_at\` integer NOT NULL
+);`,
+  } as const,
+};

foundry/packages/backend/src/actors/auth-user/db/schema.ts

@@ -0,0 +1,70 @@
+import { integer, sqliteTable, text, uniqueIndex } from "drizzle-orm/sqlite-core";
+
+export const authUsers = sqliteTable("user", {
+  id: text("id").notNull().primaryKey(),
+  name: text("name").notNull(),
+  email: text("email").notNull(),
+  emailVerified: integer("email_verified").notNull(),
+  image: text("image"),
+  createdAt: integer("created_at").notNull(),
+  updatedAt: integer("updated_at").notNull(),
+});
+
+export const authSessions = sqliteTable(
+  "session",
+  {
+    id: text("id").notNull().primaryKey(),
+    token: text("token").notNull(),
+    userId: text("user_id").notNull(),
+    expiresAt: integer("expires_at").notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    createdAt: integer("created_at").notNull(),
+    updatedAt: integer("updated_at").notNull(),
+  },
+  (table) => ({
+    tokenIdx: uniqueIndex("session_token_idx").on(table.token),
+  }),
+);
+
+export const authAccounts = sqliteTable(
+  "account",
+  {
+    id: text("id").notNull().primaryKey(),
+    accountId: text("account_id").notNull(),
+    providerId: text("provider_id").notNull(),
+    userId: text("user_id").notNull(),
+    accessToken: text("access_token"),
+    refreshToken: text("refresh_token"),
+    idToken: text("id_token"),
+    accessTokenExpiresAt: integer("access_token_expires_at"),
+    refreshTokenExpiresAt: integer("refresh_token_expires_at"),
+    scope: text("scope"),
+    password: text("password"),
+    createdAt: integer("created_at").notNull(),
+    updatedAt: integer("updated_at").notNull(),
+  },
+  (table) => ({
+    providerAccountIdx: uniqueIndex("account_provider_account_idx").on(table.providerId, table.accountId),
+  }),
+);
+
+export const userProfiles = sqliteTable("user_profiles", {
+  userId: text("user_id").notNull().primaryKey(),
+  githubAccountId: text("github_account_id"),
+  githubLogin: text("github_login"),
+  roleLabel: text("role_label").notNull(),
+  eligibleOrganizationIdsJson: text("eligible_organization_ids_json").notNull(),
+  starterRepoStatus: text("starter_repo_status").notNull(),
+  starterRepoStarredAt: integer("starter_repo_starred_at"),
+  starterRepoSkippedAt: integer("starter_repo_skipped_at"),
+  createdAt: integer("created_at").notNull(),
+  updatedAt: integer("updated_at").notNull(),
+});
+
+export const sessionState = sqliteTable("session_state", {
+  sessionId: text("session_id").notNull().primaryKey(),
+  activeOrganizationId: text("active_organization_id"),
+  createdAt: integer("created_at").notNull(),
+  updatedAt: integer("updated_at").notNull(),
+});