Add optional project scope to API tokens, allowing tokens to be restricted
to a specific project and optionally its sub-projects. This builds on the
existing API token system by adding two new fields: project_id and
include_sub_projects.
Key changes:
- Database migration adding project_id and include_sub_projects columns
- ProjectScopedAuth wrapper type implementing web.Auth with scope info
- AuthUnwrapper interface for transparent auth type unwrapping
- Scope enforcement in project/task permission checks and list queries
- Middleware resolves scoped project IDs (with recursive CTE for sub-projects)
- Frontend: project selector in token creation form, scope display in list
- Tests for scope resolution, permission enforcement, and token creation
https://claude.ai/code/session_015JjPNeSkwxYQNCeMf2PYTi