Issues/1263 scope assets to project in scratch

[abcampo-iry]

Status

• Closes partially 1256

What's changed?

Scratch assets are no longer treated as shared by everyone.
Uploaded assets are now linked to a Scratch project using project_id. This means:

• a project can only load its own assets
• remixes can still load assets from ancestor projects
• Scratch library assets still work as global assets
• two different projects can upload the same asset filename

The Scratch asset endpoints are now stricter:

• X-Project-ID is required
• asset reads and uploads are checked against that project
• project SVG assets are no longer served as trusted image/svg+xml
• only global library SVG assets use image/svg+xml

Scratch project access is also stricter:

• only allowed users can open or update a Scratch project
• remix creation reuses an existing remix instead of creating duplicates

There is also a fix for students remixing teacher projects:

• if a student uploads a new Scratch asset before doing the first explicit remix save
• the API now creates or reuses the student’s remix automatically for that asset
• later saves continue using that same remix

The migration adds project_id to scratch_assets and backfills old assets onto the projects that reference them.
If the same old asset is used by multiple projects, the migration creates one asset row per project but reuses the same stored blob, so files are not copied.
Global assets are represented by project_id = nil.

This makes Scratch assets private to the right project instead of globally readable, while still keeping:

• remixes working
• Scratch library assets working
• duplicate uploads across projects working

[github-actions]

Test coverage

89.6% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/24410129041