feat(client)!: move the client API under /projects/{projectID}

[jeroenrinzema]

The client API derived the project from the authenticating credential, which left trusted-issuer JWTs resolved by their self-asserted iss with no project scope — a cross-tenant resolution gap. This makes the project an explicit path segment on every authenticated client endpoint.

/api/client/...  ->  /api/client/projects/{projectID}/...

{projectID} is the project UUID. Auth headers are unchanged — same API key / trusted-issuer JWT / session token; only the URL gains the project. This is a deliberate hard cut — no backwards-compatible routes.

What changed

• Spec + bindings: all /api/client/* routes moved under /api/client/projects/{projectID}/…; regenerated chi-server bindings (every handler takes projectID). /unsubscribe and /preferences/{projectID}/{userID} (public pages) are untouched.
• Auth (the fix): every credential type fails closed unless its project matches the URL (enforceURLProject). Trusted-issuer resolution is now (project_id, issuer)-scoped, so a self-asserted iss can never reach another project's method.
• Store: GetTrustedIssuer(projectID, issuer); the Redis issuer-cache key is project-namespaced; UNIQUE(project_id, issuer) among active methods (denormalised project column + hard-delete of the trusted-issuer child on soft-delete, so an issuer is freed for re-registration).
• Docs: 9 MDX files updated to the new paths.

Contract delta for clients / SDKs

Every authenticated client endpoint gains /projects/{projectID} after /api/client; the session-mint endpoint becomes /api/client/projects/{projectID}/auth-methods/{authMethodID}/sessions. A credential presented on a different project's URL is rejected (401). SDK PRs are open: lunogram/go-sdk#2, lunogram/js-sdk#7, lunogram/py-sdk#1.

Verification

go build/vet ./..., gofmt clean; auth / store-management / client + management controller / rbac suites pass. New tests cover project mismatch rejection, same-issuer-different-project, and re-registration after delete.

[jeroenrinzema]

Held back from the batch admin-merge. The rest of the stack (#243–#255, #261) is now in main.

Why it can't be merged mechanically: #261 (now merged) replaced the grant_constraints JSON model with the grant_instances row model + request-time CreateConstraints.Enforce. This branch still carries #253's older grant_constraints subsystem (constraints.go, management controller, OpenAPI resources.yml/_gen.go, store, tests). Merging main in produces real semantic conflicts in security-critical auth code — both sides independently rewrote invalidateCaches and DeleteAuthMethod, and the constraints API surface diverged.

What this PR actually wants is the trusted-issuer project-scoping (project_id column + project-scoped cache keys + child-row cleanup on delete) and the /projects/{projectID} URL move. That work should be rebased onto the new grant_instances model: take main's constraints subsystem wholesale, re-apply only the project-scoping diffs, and renumber the migration (1764116042_trusted_issuer_project_scope collides with main's 1764116042_grant_instances → bump to 1764116043).

[jeroenrinzema]

Reworked onto grant_instances — now mergeable ✅

Rebased the two original commits onto current main and reconciled the conflicts the grant_constraints → grant_instances refactor (#261) introduced. Branch history force-pushed; the feature itself (project-in-URL + trusted-issuer project scoping) is unchanged.

What the rebase required:

• Store model: dropped the carried-over setGrantConstraints (main removed the grant_constraints column); kept this PR's DeleteAuthMethod trusted-issuer hard-delete doc. The project-scoped insertTrustedIssuer / GetTrustedIssuer(projectID, issuer) and UNIQUE(project_id, issuer) are intact.
• Migration: renumbered 1764116042_trusted_issuer_project_scope → 1764116043 (collided with main's 1764116042_grant_instances; now ordered after it).
• Store invariants test: the trusted-issuer invariant flipped from globally unique to unique per project, reusable across projects — rewrote it to assert per-project uniqueness and cross-tenant resolution isolation.
• Auth middleware tests (main's, added after this branch's base): WithSession / WithTrustedIssuer now bind to the URL project, so the positive tests run through clientRequestCtx; the issuerDB fake matches the new (project_id, issuer) query.
• Client controller tests: threaded the new ProjectID path param through every stale handler call site (uuid.Nil where the controller derives the project from the actor; the real project where CreateSession enforces URL == method project).

Verification: go vet ./... clean; full go test ./... green (37 packages).

Dependency note: this branch includes the fix(client/tests) commit from #266 (the standalone main-CI fix) so it builds and tests green on its own. #266 is the minimal fix for main and should merge first; once it lands, that commit becomes a no-op here on rebase. Merging this PR alone also resolves the main-CI break.