[WIP] Review Meshspaces auth, login, session, and permission model

[Copilot]

• Explore repository structure, auth model, session/CSRF, API keys, permissions, docs
• Create docs/meshspaces-review/ directory
• Write docs/meshspaces-review/auth-and-permissions.md findings/spec report covering:
  • New mesh creation → initial admin bootstrap → first login flow
  • Shell auth vs child runtime auth boundaries
  • Cookie/session/CSRF behavior across separate mesh runtimes
  • Per-mesh API keys, approval, quarantine, and permission posture
  • Dangerous actions and confirmation patterns (reset/archive/delete)
  • Multi-tab and back-button confusion risks
  • What must remain per-mesh vs machine-global
  • Edge cases and UI/API contract gaps
• Run code review