@migmartri migmartri commented Jul 10, 2025

This PR introduces the concept of scoped contracts (see #2190 for more information). Basically, contracts can now be either global (like they have been until now) or project scoped.

Creation

  • Global contracts can only be created by admins, through the contract create command
  • Member users can only create scoped contracts, and hence they are forced to provide the project name during creation
  • Default contracts created automatically during the attestation process or workflow creation are scoped by default

Update / Deletion

  • admins can update and delete both global and scoped contracts
  • members can only update and delete the contracts they have access to through their projects

List / describe

  • admins can see all the contracts
  • members can see their contracts and the global ones

Additionally, I've updated the API and CLI to show information about the scope:

┌──────────────────┬─────────────────┬─────────────────────┬─────────────────────┬─────────────┬──────────────────────┐
│ NAME             │ LATEST REVISION │ CREATED AT          │ UPDATED AT          │ # WORKFLOWS │ SCOPE                │
├──────────────────┼─────────────────┼─────────────────────┼─────────────────────┼─────────────┼──────────────────────┤
│ from-sarah-2-foo │               1 │ 10 Jul 25 11:43 UTC │ 10 Jul 25 11:43 UTC │           1 │ project/from-sarah-2 │
│ from-admin-foo   │               1 │ 10 Jul 25 11:43 UTC │ 10 Jul 25 11:43 UTC │           1 │ project/from-admin   │
│ global-contract  │               1 │ 10 Jul 25 11:42 UTC │ 10 Jul 25 11:42 UTC │           0 │ org                  │
│ from-john-my-wf  │               1 │ 10 Jul 25 10:58 UTC │ 10 Jul 25 10:58 UTC │           1 │ project/from-john    │
│ from-sarah-foo   │               1 │ 10 Jul 25 10:57 UTC │ 10 Jul 25 10:57 UTC │           1 │ project/from-sarah   │
└──────────────────┴─────────────────┴─────────────────────┴─────────────────────┴─────────────┴──────────────────────┘

Attestation process

If during the attestation process the user desires to use an existing contract in the system, we make sure it's either global or from the project where the attestation is being performed; otherwise:

 authorization error: contract "from-admin-foo" is scoped to a different project

Some notes:

  • contract names are unique regardless of their scope; this might change in the future
  • there is no way to promote a scoped contract into a global one

Closes #2190
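
The scoping rules from the description above, sketched as an added Go example. This is not Chainloop's code: the Contract and User types, the function names, and the rule that a member must belong to the project they create a contract in are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// Contract is a constructed model: an empty Project means global ("org") scope.
type Contract struct{ Name, Project string }

// User is a constructed model of a caller and the projects they belong to.
type User struct {
	Admin    bool
	Projects map[string]bool
}

var ErrAuthz = errors.New("authorization error")

// CanCreate: only admins create global contracts. Assumption: a member must
// belong to the project they scope the new contract to.
func CanCreate(u User, project string) bool {
	return u.Admin || (project != "" && u.Projects[project])
}

// CanView: admins see everything; members see global contracts and their projects' ones.
func CanView(u User, c Contract) bool {
	return u.Admin || c.Project == "" || u.Projects[c.Project]
}

// CanMutate covers update and delete: members only reach contracts through their projects.
func CanMutate(u User, c Contract) bool {
	return u.Admin || (c.Project != "" && u.Projects[c.Project])
}

// CheckAttestation accepts a global contract or one scoped to the attestation's project.
func CheckAttestation(c Contract, project string) error {
	if c.Project == "" || c.Project == project {
		return nil
	}
	return fmt.Errorf("%w: contract %q is scoped to a different project", ErrAuthz, c.Name)
}

func main() {
	sarah := User{Projects: map[string]bool{"from-sarah": true}} // constructed sample user
	global := Contract{Name: "global-contract"}
	other := Contract{Name: "from-admin-foo", Project: "from-admin"}
	fmt.Println(CanView(sarah, global), CanMutate(sarah, global), CanView(sarah, other))
	fmt.Println(CheckAttestation(other, "from-sarah"))
}
```

Note the asymmetry for global contracts: a member can read and attest against one but cannot update or delete it, so a project member cannot weaken a contract other projects rely on.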

migmartri added 11 commits July 10, 2025 12:31
Signed-off-by: Miguel Martinez <miguel@chainloop.dev>
@migmartri migmartri requested review from javirln and jiparis and removed request for javirln July 10, 2025 12:06
@migmartri migmartri marked this pull request as ready for review July 10, 2025 12:06
@migmartri migmartri changed the title Contract db feat: scoped contracts Jul 10, 2025
@migmartri migmartri merged commit 59601bd into chainloop-dev:main Jul 10, 2025
13 checks passed
@migmartri migmartri deleted the contract-db branch July 10, 2025 16:22