feat(server): integrate Better Auth, access control, and deployment mode startup

Wire up Better Auth for session-based authentication. Add actor middleware
that resolves local_trusted mode to an implicit board actor and authenticated
mode to Better Auth sessions. Add access service with membership, permission,
invite, and join-request management. Register access routes for member/invite/
join-request CRUD. Update health endpoint to report deployment mode and
bootstrap status. Enforce tasks:assign and agents:create permissions in issue
and agent routes. Add deployment mode validation at startup with guardrails
(loopback-only for local_trusted, auth config required for authenticated).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/src/types/express.d.ts

@@ -4,12 +4,15 @@ declare global {
   namespace Express {
     interface Request {
       actor: {
-        type: "board" | "agent";
+        type: "board" | "agent" | "none";
         userId?: string;
         agentId?: string;
         companyId?: string;
+        companyIds?: string[];
+        isInstanceAdmin?: boolean;
         keyId?: string;
         runId?: string;
+        source?: "local_implicit" | "session" | "agent_key" | "agent_jwt" | "none";
       };
     }
   }