fix(teams): add organization scope to membership operations

[pedroccastro]

What does this PR do?

Adds organization scope validation to the removeMember handler when PBAC is disabled. Org admin operations now verify that target teams belong to the admin's organization before proceeding.

Changes

Layer	File(s)	Change
Interface	IRemoveMemberService.ts	Add organizationId to context
Handler	removeMember.handler.ts	Pass organization context to service
Service	LegacyRemoveMemberService.ts	Validate team ownership before granting permission
Tests	removeMember.handler.test.ts	Update tests for new context fields

Technical Details

New validation in LegacyRemoveMemberService.checkRemovePermissions():

// Verify all target teams belong to admin's organization
const teams = await prisma.team.findMany({
  where: {
    id: { in: teamIds },
    OR: [{ id: organizationId }, { parentId: organizationId }],
  },
});

How should this be tested?

1. As org admin, remove member from own team → should work
2. As org admin, remove member from own org → should work
3. As org admin, attempt to remove member from unrelated team → should return UNAUTHORIZED
4. As non-admin with OWNER/ADMIN role, remove member → should work (existing flow)

Mandatory Tasks

• I have self-reviewed the code.
• N/A I have updated the developer docs in /docs if this PR makes changes that would require a documentation change
• I confirm automated tests are in place that prove my fix is effective or that my feature works.

[github-actions]

E2E results are ready!

• Workflow #99895.1 latest results

[cubic-dev-ai]

No issues found across 5 files