feat(organizations): org-scoped middleware (resolveOrg + inject membership)

[PierreBrisorgueil]

Description

Create a middleware that resolves the current organization and injects the user's membership into the request. Also add organizationId field to existing models.

Details

Middleware

• resolveOrganization middleware: reads organizationId from route param, header, or JWT
• Loads the membership for (userId, organizationId) from DB
• Injects req.organization and req.membership (with role)
• Returns 403 if user is not a member of the organization
• Platform admin (user.roles.includes('admin')) bypasses membership check

Existing models update

• Add organizationId (ObjectId, ref: Organization) to Task schema
• Add organizationId (ObjectId, ref: Organization) to Upload schema (in metadata)
• Add currentOrganization (ObjectId, ref: Organization) to User schema
• Update Zod validation schemas accordingly

Naming

• req.organization (not req.org)
• req.membership
• organizationId everywhere (not orgId)

Request flow

JWT → passport (req.user) → resolveOrganization (req.organization + req.membership) → defineAbilities → controller

Acceptance criteria

• Middleware resolves organization and membership
• 403 if user is not a member (unless platform admin)
• req.organization and req.membership available in controllers
• Task model has organizationId field
• Upload model has organizationId field
• User model has currentOrganization field
• Existing tests still pass (organizationId optional for backward compat)