fix(api,web): separate workspace context from auth session (#534)

BetterAuth session responses contain only identity fields — workspace
context (workspaceId, currentWorkspaceId) was never returned, causing
"Workspace ID is required" on every guarded endpoint after login.

Add GET /api/workspaces endpoint (AuthGuard only, no WorkspaceGuard)
that returns user workspace memberships with auto-provisioning for
new users. Frontend auth-context now fetches workspaces after session
check and persists the default to localStorage. Race condition in
auto-provisioning is guarded by re-querying inside the transaction.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

packages/shared/src/types/auth.types.ts

@@ -13,9 +13,14 @@ export interface AuthUser {
   name: string;
   image?: string;
   emailVerified?: boolean;
-  // Workspace context (added for workspace-scoped operations)
+  /**
+   * @deprecated Never populated by BetterAuth session. Workspace context is
+   * fetched separately via GET /api/workspaces. Will be removed in a future pass.
+   */
   workspaceId?: string;
+  /** @deprecated See workspaceId. */
   currentWorkspaceId?: string;
+  /** @deprecated See workspaceId. */
   workspaceRole?: string;
 }