feat(organizations): create module (models, controllers, routes, services) #3219

@PierreBrisorgueil

Description

Create the organizations module with Organization and Membership models, full CRUD, member management, and platform admin routes.

Details

Models

  • organizations.model.js: name, slug, plan (default: free), domain, createdBy, timestamps
  • organizations.membership.model.js: userId, organizationId, role (owner/admin/member), timestamps

Controllers & Routes

Organization-scoped (require membership):

  • POST /api/organizations — create organization (creator becomes owner)
  • GET /api/organizations — list user's organizations
  • GET /api/organizations/:organizationId — get organization details
  • PUT /api/organizations/:organizationId — update organization (admin+)
  • DELETE /api/organizations/:organizationId — delete organization (owner only)
  • GET /api/organizations/:organizationId/members — list members
  • POST /api/organizations/:organizationId/members/invite — invite by email (admin+)
  • PUT /api/organizations/:organizationId/members/:memberId — change role (owner only for owner role)
  • DELETE /api/organizations/:organizationId/members/:memberId — remove member (admin+)

Platform admin routes (require user.roles includes 'admin'):

  • GET /api/admin/organizations — list ALL organizations
  • GET /api/admin/organizations/:organizationId — detail of any organization
  • DELETE /api/admin/organizations/:organizationId — delete any organization

Naming convention

  • All membership-related files use organizations.membership.* prefix
  • Full names everywhere: organization, organizationId, currentOrganization — no abbreviations

Merge order

Depends on #3220 (CASL refactor). Must be merged AFTER it.

Acceptance criteria

  • Organization CRUD works
  • Member invite/remove/role-change works
  • Owner role management restricted to owners + platform admins
  • Platform admin can list/access/delete any organization
  • Invitation by email with token and expiry
  • Unit and integration tests
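
The role rules from the route list and acceptance criteria above, as an added JavaScript example that is not part of the issue or the project's code and does not use CASL. The function name, action strings and `target` shape are hypothetical. Two rules are assumptions the issue does not state: role changes that do not involve owner need admin+, and removing an owner counts as owner role management.

```javascript
// Added example, not project code. All identifiers are hypothetical.
const ROLE_RANK = new Map([['member', 1], ['admin', 2], ['owner', 3]]);

// Minimum membership role per organization-scoped action (from the route list).
// Maps, not object literals, so keys like "constructor" never resolve.
const MIN_ROLE = new Map([
  ['organization:read', 'member'],
  ['organization:update', 'admin'],
  ['organization:delete', 'owner'],
  ['members:list', 'member'],
  ['members:invite', 'admin'],
  ['members:changeRole', 'admin'], // assumption: not stated in the issue
  ['members:remove', 'admin'],
]);

const sameId = (a, b) => a != null && b != null && String(a) === String(b);

function can(user, membership, organizationId, action, target = {}) {
  const required = MIN_ROLE.get(action);
  if (!required || !user || !membership) return false; // deny by default

  // Tenant check: the membership must be this user's and must belong to the
  // organization named in the route, not merely to some organization.
  if (!sameId(membership.userId, user.id)) return false;
  if (!sameId(membership.organizationId, organizationId)) return false;

  const rank = ROLE_RANK.get(membership.role) || 0;
  if (rank < ROLE_RANK.get(required)) return false;

  // Only owner/admin/member may be assigned.
  if (action === 'members:changeRole' && !ROLE_RANK.has(target.newRole)) return false;

  // Owner role management: granting owner, changing an owner's role, or
  // (assumption) removing an owner is limited to owners and platform admins.
  const memberAction = action === 'members:changeRole' || action === 'members:remove';
  const touchesOwner = target.currentRole === 'owner' || target.newRole === 'owner';
  if (memberAction && touchesOwner) {
    const platformAdmin = Array.isArray(user.roles) && user.roles.includes('admin');
    return membership.role === 'owner' || platformAdmin;
  }
  return true;
}
```

A platform admin with no membership is still denied here, because the organization-scoped routes require membership; the `/api/admin/organizations` routes are a separate path.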

Metadata

Labels: P1 (Critical — must be done first), phase:2-orgs (Phase 2: Multi-tenancy & Organizations)
