Add user names, team-scoped sandbox guard, and login robustness fixes

- Add name column to users (migration + sqlc regen); propagate through JWT
  claims, auth context, all auth/OAuth handlers, service layer, and frontend
- Sidebar and team page show name instead of email; team page splits Name/Email
  into separate columns
- Block sandbox creation in UI and API when user has no active team context
- loginTeam helper falls back to first active team when no default is set,
  fixing login for invited users with no is_default membership
- Exclude soft-deleted teams from GetDefaultTeamForUser, GetBYOCTeams queries
- Guard host creation against soft-deleted teams in service/host.go
- SwitchTeam re-fetches name from DB instead of trusting stale JWT claim
- Reset teams store on login so stale data from a previous session never persists
- Update openapi.yaml: add name to SignupRequest and AuthResponse schemas

internal/service/team.go

@@ -33,9 +33,10 @@ type TeamWithRole struct {
 	Role string `json:"role"`
 }
 
-// MemberInfo is a team member with resolved email.
+// MemberInfo is a team member with resolved user details.
 type MemberInfo struct {
 	UserID   string    `json:"user_id"`
+	Name     string    `json:"name"`
 	Email    string    `json:"email"`
 	Role     string    `json:"role"`
 	JoinedAt time.Time `json:"joined_at"`
@@ -215,6 +216,7 @@ func (s *TeamService) GetMembers(ctx context.Context, teamID string) ([]MemberIn
 		}
 		members[i] = MemberInfo{
 			UserID:   r.ID,
+			Name:     r.Name,
 			Email:    r.Email,
 			Role:     r.Role,
 			JoinedAt: joinedAt,
@@ -262,7 +264,7 @@ func (s *TeamService) AddMember(ctx context.Context, teamID, callerUserID, email
 		return MemberInfo{}, fmt.Errorf("insert member: %w", err)
 	}
 
-	return MemberInfo{UserID: target.ID, Email: target.Email, Role: "member"}, nil
+	return MemberInfo{UserID: target.ID, Name: target.Name, Email: target.Email, Role: "member"}, nil
 }
 
 // RemoveMember removes a user from the team.