adjust endpoints user, organizations

[nicole-gomes]

Summary

This PR expands and hardens the backend/ FastAPI API for organization, user, and organization-member management. It adds CRUD coverage and soft-delete behavior, enforces user email uniqueness and organization document uniqueness with normalization, introduces temporary organization membership role rules, improves validation and error handling, and updates backend documentation and tests to reflect the current business rules.

Motivation

This solves the need to formalize the first backend registration and organization-management rules for PondiFarm, especially around data integrity, soft delete behavior, and temporary organization membership rules while the final permissions model is still being defined.

Closes #

Type of change

• feat — new user-visible feature
• fix — bug fix
• perf — performance improvement
• refactor — code change without behaviour change
• docs — documentation only
• test — tests only
• build / ci — build system or CI changes
• chore — other maintenance
• security — security-related change
• Breaking change (explain below)

Scope of change

• mobile/ — Expo / React Native
• backend/ — FastAPI service
• .github/ — CI, templates, governance
• root / documentation

How was this tested?

• Linted (expo lint, ruff)
• Type-checked (tsc --noEmit, mypy where applicable)
• Smoke-tested locally
• Not testable in isolation — explain below

Manual and automated validation performed:

• Ran py -m compileall backend
• Ran py -m unittest discover tests
• Exercised backend endpoints locally via Swagger/OpenAPI
• Verified organization creation, user creation, organization membership creation, soft delete flows, duplicate checks, and validation behavior

Screenshots or recordings

N/A — backend/API-only changes.

Checklist

• My commits follow the Conventional Commits format.
• I updated the relevant README or documentation.
• I did not add any secret, key, or production credential.
• If I added a large binary asset, it is tracked by Git LFS.
• I tagged the appropriate reviewers from CODEOWNERS.

Notes for the reviewer

• Soft delete is implemented for organizations, users, and organization_members using deleted_at.
• Normal API reads ignore soft-deleted records.
• User email uniqueness is enforced case-insensitively at the application layer, with database uniqueness expected to remain aligned.
• Organization documentNumber is now required, normalized, and currently validated using Portuguese NIF rules.
• Organization membership role is temporarily constrained to viewer only until the final permission model is defined.
• Azure SQL schema changes still need to be applied with the provided SQL scripts so the database constraints/defaults match the backend rules.