feat(phase-3): workstream 1 — Multi-Tenancy

Introduces full multi-tenant organization model to AgentIdP:

Schema:
- 6 migrations: organizations + organization_members tables; organization_id FK
  added to agents, credentials, audit_logs; PostgreSQL RLS policies on all three
  tables; system org seed + backfill

API:
- 6 new /api/v1/organizations endpoints (CRUD + members) gated by admin:orgs scope
- OPA scopes.json updated with 6 new org endpoint → admin:orgs mappings

Implementation:
- OrgRepository, OrgService, OrgController, createOrgsRouter
- OrgContextMiddleware: sets app.organization_id session variable so RLS enforces
  per-request org isolation at the database layer
- JWT payload extended with organization_id claim; auth.ts backfills org_system
  for backward-compatible tokens
- New error classes: OrgNotFoundError, OrgHasActiveAgentsError, AlreadyMemberError

Tests: 373 passing, 80.64% branch coverage, zero any types

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/unit/services/AgentService.test.ts

@@ -25,6 +25,7 @@ const MockAuditService = AuditService as jest.MockedClass<typeof AuditService>;
 
 const MOCK_AGENT: IAgent = {
   agentId: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+  organizationId: 'org_system',
   email: 'agent@sentryagent.ai',
   agentType: 'screener',
   version: '1.0.0',
@@ -159,6 +160,69 @@ describe('AgentService', () => {
         agentService.updateAgent(MOCK_AGENT.agentId, { version: '2.0.0' }, IP, UA),
       ).rejects.toThrow(AgentAlreadyDecommissionedError);
     });
+
+    it('should throw AgentNotFoundError when update() returns null (race condition)', async () => {
+      agentRepo.findById.mockResolvedValue(MOCK_AGENT);
+      agentRepo.update.mockResolvedValue(null);
+      await expect(
+        agentService.updateAgent(MOCK_AGENT.agentId, { version: '2.0.0' }, IP, UA),
+      ).rejects.toThrow(AgentNotFoundError);
+    });
+
+    it('should log agent.suspended audit action when status changes to suspended', async () => {
+      const updated = { ...MOCK_AGENT, status: 'suspended' as const };
+      agentRepo.findById.mockResolvedValue(MOCK_AGENT);
+      agentRepo.update.mockResolvedValue(updated);
+      auditService.logEvent.mockResolvedValue({} as never);
+
+      await agentService.updateAgent(MOCK_AGENT.agentId, { status: 'suspended' }, IP, UA);
+
+      expect(auditService.logEvent).toHaveBeenCalledWith(
+        MOCK_AGENT.agentId,
+        'agent.suspended',
+        'success',
+        IP,
+        UA,
+        expect.any(Object),
+      );
+    });
+
+    it('should log agent.reactivated audit action when status changes from suspended to active', async () => {
+      const suspended = { ...MOCK_AGENT, status: 'suspended' as const };
+      const reactivated = { ...MOCK_AGENT, status: 'active' as const };
+      agentRepo.findById.mockResolvedValue(suspended);
+      agentRepo.update.mockResolvedValue(reactivated);
+      auditService.logEvent.mockResolvedValue({} as never);
+
+      await agentService.updateAgent(suspended.agentId, { status: 'active' }, IP, UA);
+
+      expect(auditService.logEvent).toHaveBeenCalledWith(
+        suspended.agentId,
+        'agent.reactivated',
+        'success',
+        IP,
+        UA,
+        expect.any(Object),
+      );
+    });
+
+    it('should log agent.decommissioned audit action when status changes to decommissioned via update', async () => {
+      const updated = { ...MOCK_AGENT, status: 'decommissioned' as const };
+      agentRepo.findById.mockResolvedValue(MOCK_AGENT);
+      agentRepo.update.mockResolvedValue(updated);
+      auditService.logEvent.mockResolvedValue({} as never);
+
+      await agentService.updateAgent(MOCK_AGENT.agentId, { status: 'decommissioned' }, IP, UA);
+
+      expect(auditService.logEvent).toHaveBeenCalledWith(
+        MOCK_AGENT.agentId,
+        'agent.decommissioned',
+        'success',
+        IP,
+        UA,
+        expect.any(Object),
+      );
+    });
   });
 
   // ────────────────────────────────────────────────────────────────