feat(phase-3): workstream 1 — Multi-Tenancy

Introduces full multi-tenant organization model to AgentIdP:

Schema:
- 6 migrations: organizations + organization_members tables; organization_id FK
  added to agents, credentials, audit_logs; PostgreSQL RLS policies on all three
  tables; system org seed + backfill

API:
- 6 new /api/v1/organizations endpoints (CRUD + members) gated by admin:orgs scope
- OPA scopes.json updated with 6 new org endpoint → admin:orgs mappings

Implementation:
- OrgRepository, OrgService, OrgController, createOrgsRouter
- OrgContextMiddleware: sets app.organization_id session variable so RLS enforces
  per-request org isolation at the database layer
- JWT payload extended with organization_id claim; auth.ts backfills org_system
  for backward-compatible tokens
- New error classes: OrgNotFoundError, OrgHasActiveAgentsError, AlreadyMemberError

Tests: 373 passing, 80.64% branch coverage, zero any types

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/unit/repositories/AgentRepository.test.ts

@@ -18,6 +18,7 @@ jest.mock('pg', () => ({
 
 const AGENT_ROW = {
   agent_id: 'a1b2c3d4-0000-0000-0000-000000000001',
+  organization_id: 'org_system',
   email: 'agent@sentryagent.ai',
   agent_type: 'screener',
   version: '1.0.0',
@@ -31,6 +32,7 @@ const AGENT_ROW = {
 
 const EXPECTED_AGENT: IAgent = {
   agentId: AGENT_ROW.agent_id,
+  organizationId: AGENT_ROW.organization_id,
   email: AGENT_ROW.email,
   agentType: 'screener',
   version: AGENT_ROW.version,