fix: project list should use RBAC filtering, not ownerId

The list endpoint was filtering by ownerId before RBAC could include
projects the user has view access to via name-scoped bindings.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/mcpd/src/routes/projects.ts

@@ -2,9 +2,9 @@ import type { FastifyInstance } from 'fastify';
 import type { ProjectService } from '../services/project.service.js';
 
 export function registerProjectRoutes(app: FastifyInstance, service: ProjectService): void {
-  app.get('/api/v1/projects', async (request) => {
-    // If authenticated, filter by owner; otherwise list all
-    return service.list(request.userId);
+  app.get('/api/v1/projects', async () => {
+    // RBAC preSerialization hook handles access filtering
+    return service.list();
   });
 
   app.get<{ Params: { id: string } }>('/api/v1/projects/:id', async (request) => {