M1: OrgBoard — organizations, teams, seats, the board & cartable

OrgBoard module (references SharedKernel only; RBAC via ICurrentUser/IPermissionService):
- Organization, Team, Seat (human/open/ai), WorkItem (board task: type, status, assignee,
  parent) entities; internal OrgBoardDbContext (schema "orgboard") + InitialOrgBoard
  migration; design-time factory. (WorkItem avoids the System.Threading.Tasks.Task clash.)
- Endpoints under /api/orgboard, every mutation permission-checked at the scope chain
  [team, org]: POST /organizations, POST/GET /teams, POST /tasks, GET /board (columns
  backlog->in progress->in review->done), PATCH /tasks/{id}/move, /assign, GET /cartable.

Test isolation: integration tests now use IClassFixture so each class gets its own
pgvector container (the bootstrap-once rule made a shared container collide).

Verified: build green; ArchitectureTests 8/8 (OrgBoard references only SharedKernel);
IntegrationTests 12/12 incl. a new board flow — owner sets up org+team, creates/moves/
assigns a task, sees it on the board and in the cartable; an invited Member can view the
board but is 403'd from creating a team.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/TeamUp.IntegrationTests/IdentityFlowTests.cs

@@ -9,8 +9,7 @@ namespace TeamUp.IntegrationTests;
 /// M1 Identity/access acceptance at the API level: bootstrap the first owner, log in, read /me,
 /// invite a member, accept the invite, and confirm a Member cannot perform an owner-only action.
 /// </summary>
-[Collection(PostgresCollection.Name)]
-public sealed class IdentityFlowTests(PostgresFixture postgres)
+public sealed class IdentityFlowTests(PostgresFixture postgres) : IClassFixture<PostgresFixture>
 {
     private sealed record BootstrapResponse(string Token, Guid MemberId, Guid OrganizationId);