refactor(casl): migrate from route-level to document-level abilities #3220

@PierreBrisorgueil

Description

Migrate CASL from the current route-level authorization (role + action + route path) to document-level abilities with conditions (organizationId, userId).

Current system

  • Policies register rules like { roles: ['user'], actions: 'manage', subject: '/api/tasks' }
  • isAllowed middleware checks ability.can(action, routePath)
  • Ownership checked separately via isOwner middleware

Target system

  • Each module defines abilities with conditions: can('update', 'Task', { organizationId, userId })
  • isAllowed middleware checks ability.can(action, subject('Task', document))
  • No more isOwner middleware — ownership is a CASL condition
  • Abilities are built from (user, membership) instead of just (user)
  • Each module exports an xxxAbilities(user, membership, builder) function
  • Core collects and merges all module abilities via auto-discovery
  • Platform admin role gets can('manage', 'all') — god mode bypassing organization checks

Naming

  • organizationId (not orgId)
  • req.organization (not req.org)
  • req.membership (not req.member)

⚠️ Security: mandatory test-first approach

Currently only 3 authorization tests (403) exist in the whole stack. This refactor MUST:

  1. BEFORE refactoring: add exhaustive auth tests for every protected route (expected 403s for unauthorized access)
  2. Refactor CASL
  3. AFTER refactoring: all old + new tests must pass

Merge order

Depends on #3218 (migration system). Must be merged BEFORE #3219 (organizations module).

Acceptance criteria

  • Exhaustive auth tests added BEFORE refactor
  • All existing policies migrated to document-level
  • isOwner middleware removed, replaced by CASL conditions
  • Platform admin gets can('manage', 'all')
  • Auto-discovery of modules/*/policies/*.policy.js
  • All existing tests pass
  • No regression on authorization
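
The target design above, as an added example that is not part of this issue or the project's code: one module ability function with the `xxxAbilities(user, membership, builder)` signature, ownership expressed as a CASL-style condition instead of an `isOwner` middleware, the platform admin `can('manage', 'all')` rule, and the allow/403 decision `isAllowed` would make. So that it runs offline without `@casl/ability` installed, it uses a small in-file stand-in for the three CASL calls the issue relies on (`builder.can`, `subject()`, `ability.can`); that stand-in, the names `taskAbilities`, `defineAbilitiesFor`, `checkAccess`, the `req.document` field and all users, memberships and tasks are assumptions constructed for the example.

```javascript
// Added example (not project code, not @casl/ability): a minimal stand-in for the
// CASL calls the issue uses, plus one module's document-level abilities.

const SUBJECT_TYPE = Symbol('subjectType');

// Tag a plain document with its subject type, in the shape of CASL's subject('Task', doc).
function subject(type, doc) {
  return Object.assign({}, doc, { [SUBJECT_TYPE]: type });
}

function subjectTypeOf(target) {
  return typeof target === 'string' ? target : target[SUBJECT_TYPE];
}

// Every condition key must exist on the document and compare equal (by string, so an
// ObjectId-like value and its hex string match). A missing field never matches: fail closed.
function conditionsMatch(conditions, doc) {
  return Object.keys(conditions).every(
    (key) => doc[key] !== undefined && doc[key] !== null && String(doc[key]) === String(conditions[key])
  );
}

// Builder with the can(action, subjectType, conditions) shape the issue's target system uses.
function createBuilder() {
  const rules = [];
  return {
    rules,
    can(actions, subjectType, conditions = null) {
      for (const action of [].concat(actions)) rules.push({ action, subjectType, conditions });
    },
  };
}

function buildAbility(rules) {
  return {
    // ability.can(action, 'Task') asks "allowed on some Task" and ignores conditions;
    // ability.can(action, subject('Task', doc)) evaluates the conditions against that document.
    // 'manage' matches any action and 'all' matches any subject type.
    can(action, target) {
      const type = subjectTypeOf(target);
      const doc = typeof target === 'string' ? null : target;
      return rules.some((rule) => {
        if (rule.action !== 'manage' && rule.action !== action) return false;
        if (rule.subjectType !== 'all' && rule.subjectType !== type) return false;
        if (!rule.conditions || doc === null) return true;
        return conditionsMatch(rule.conditions, doc);
      });
    },
  };
}

// One module's abilities: xxxAbilities(user, membership, builder).
function taskAbilities(user, membership, { can }) {
  if (!membership) return; // no membership in the organization: no rules at all
  const organizationId = membership.organizationId;
  can('read', 'Task', { organizationId });
  if (membership.role === 'admin') {
    can('manage', 'Task', { organizationId }); // organization admin, still scoped to that organization
    return;
  }
  can('create', 'Task', { organizationId });
  // Ownership is a condition on the document, replacing the old isOwner middleware.
  can(['update', 'delete'], 'Task', { organizationId, userId: user.id });
}

// Core: in the project this list would be filled by auto-discovery of modules/*/policies/*.policy.js.
const MODULE_ABILITIES = [taskAbilities];

function defineAbilitiesFor(user, membership) {
  const builder = createBuilder();
  if ((user.roles || []).includes('admin')) {
    builder.can('manage', 'all'); // platform admin: bypasses organization conditions entirely
  } else {
    for (const define of MODULE_ABILITIES) define(user, membership, builder);
  }
  return buildAbility(builder.rules);
}

// The decision isAllowed makes: true = allow, false = respond 403.
function checkAccess(user, membership, action, subjectType, doc) {
  const ability = defineAbilitiesFor(user, membership);
  return ability.can(action, doc ? subject(subjectType, doc) : subjectType);
}

// Express-style middleware: req.user, req.membership and the loaded req.document are assumed.
function isAllowed(action, subjectType) {
  return (req, res, next) =>
    checkAccess(req.user, req.membership, action, subjectType, req.document)
      ? next()
      : res.status(403).json({ message: 'Forbidden' });
}

// Constructed sample data.
const alice = { id: 'u1', roles: ['user'] };
const memberOfOrgA = { organizationId: 'orgA', role: 'member' };
const aliceTask = { id: 't1', organizationId: 'orgA', userId: 'u1' };
console.log('alice updates own task:', checkAccess(alice, memberOfOrgA, 'update', 'Task', aliceTask));
```

The cases worth turning into the pre-refactor 403 tests are visible in `checkAccess`: a member of another organization, a non-owner in the same organization, a user with no membership, and a document that lacks the `organizationId` field at all (the condition must fail closed rather than match an absent value). Only the platform admin rule and the organization admin rule should ever bypass the ownership condition, and the organization admin rule still carries the `organizationId` condition.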

Labels

  • P1: Critical — must be done first
  • phase:2-orgs: Phase 2: Multi-tenancy & Organizations