Add user names, team-scoped sandbox guard, and login robustness fixes

- Add name column to users (migration + sqlc regen); propagate through JWT
  claims, auth context, all auth/OAuth handlers, service layer, and frontend
- Sidebar and team page show name instead of email; team page splits Name/Email
  into separate columns
- Block sandbox creation in UI and API when user has no active team context
- loginTeam helper falls back to first active team when no default is set,
  fixing login for invited users with no is_default membership
- Exclude soft-deleted teams from GetDefaultTeamForUser, GetBYOCTeams queries
- Guard host creation against soft-deleted teams in service/host.go
- SwitchTeam re-fetches name from DB instead of trusting stale JWT claim
- Reset teams store on login so stale data from a previous session never persists
- Update openapi.yaml: add name to SignupRequest and AuthResponse schemas

internal/api/handlers_team.go

@@ -36,6 +36,7 @@ type teamWithRoleResponse struct {
 
 type memberResponse struct {
 	UserID   string `json:"user_id"`
+	Name     string `json:"name"`
 	Email    string `json:"email"`
 	Role     string `json:"role"`
 	JoinedAt string `json:"joined_at,omitempty"`
@@ -56,6 +57,7 @@ func teamToResponse(t db.Team) teamResponse {
 func memberInfoToResponse(m service.MemberInfo) memberResponse {
 	return memberResponse{
 		UserID:   m.UserID,
+		Name:     m.Name,
 		Email:    m.Email,
 		Role:     m.Role,
 		JoinedAt: m.JoinedAt.Format(time.RFC3339),