Wire skills into agent runs: org-scoped, published-only, org-preferred resolution

ISkillCatalog.GetByKeysAsync now takes the org id and resolves each key within that org's namespace
only — the org's own published skill, else a shared builtin (null org), never another org's. Org-owned
is preferred over the builtin; only Published (golden-tested) skills are injected; the resolved
skill@version is recorded in the prompt heading and run trace. AgentRunExecutor threads
context.OrganizationId. SeatsPage now loads the org library (builtins + authored + installed), dedupes
to one entry per key, and flags drafts (won't run until published).

Verified: ArchitectureTests 8/8, IntegrationTests 48/48 (new SkillRunScopingTests: a run assembles the
org's own skill over the builtin of the same key, and another org's same-key skill never leaks in),
client build green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/Modules/TeamUp.Modules.Assembler/Runtime/AgentRunExecutor.cs

@@ -39,7 +39,7 @@ internal sealed class AgentRunExecutor(
             var context = await contextProvider.GetAsync(run.SeatId, run.WorkItemId, cancellationToken)
                 ?? throw new InvalidOperationException("Agent or task not found for the run.");
 
-            var skills = await skillCatalog.GetByKeysAsync(context.SkillKeys, cancellationToken);
+            var skills = await skillCatalog.GetByKeysAsync(context.OrganizationId, context.SkillKeys, cancellationToken);
 
             // Working memory: recall the team's most relevant decisions/corrections for this task.
             var memories = await teamMemory.SearchAsync(