feat: add PATCH /plg/onboard/:onboardingId for waitlist bypass

[anshulk-public]

Summary

Adds a PATCH /plg/onboard/:onboardingId endpoint that allows ESEs (Experience Solutions Engineers) to review and bypass waitlisted PLG onboarding records, with a mandatory justification for full audit traceability. Also extends POST /plg/onboard to allow admin callers to onboard on behalf of any IMS org.

Supported bypass scenarios:

• DOMAIN_ALREADY_ONBOARDED_IN_ORG — offboards the previously onboarded domain (sets it INACTIVE) and re-runs the onboarding flow for the new domain
• AEM_SITE_CHECK — ESE provides a rumHost override to satisfy the AEM site check and re-runs the flow
• DOMAIN_ALREADY_ASSIGNED — offboards the conflicting record and runs the flow under the existing org that owns the domain

Other changes:

• All bypass/uphold decisions are recorded in an append-only reviews field on the PlgOnboarding record (reason, decision, reviewedBy, reviewedAt, justification)
• isBypassed() now checks only the most recent review — so bypassing a second block (e.g. DOMAIN_ALREADY_ONBOARDED_IN_ORG) does not silently carry forward an earlier AEM bypass without a rumHost
• Waitlist reason messages now include the conflicting org's IMS org ID and name for easier ESE triage
• Admin callers can now call POST /plg/onboard with an explicit imsOrgId to onboard on behalf of any org
• Updated IT docker-compose to mysticat-data-service:v1.56.0 (migration: reviews JSONB column + INACTIVE enum value)

Test plan

• Unit tests: npx mocha test/controllers/plg/plg-onboarding.test.js — 136 passing
• Integration tests: npx mocha --require test/it/postgres/harness.js --timeout 30000 'test/it/postgres/**/*.test.js' — 25 passing
• Coverage: 100% lines/branches/statements for plg-onboarding.js
• Route snapshot test: npx mocha test/routes/index.test.js — passing
• Manually verify PATCH endpoint with each bypass scenario via admin API key

🤖 Generated with Claude Code

Please ensure your pull request adheres to the following guidelines:

• make sure to link the related issues in this description. Or if there's no issue created, make sure you
  describe here the problem you're solving.
• when merging / squashing, make sure the fixed issue references are visible in the commits, for easy compilation of release notes

If the PR is changing the API specification:

• make sure you add a "Not implemented yet" note the endpoint description, if the implementation is not ready
  yet. Ideally, return a 501 status code with a message explaining the feature is not implemented yet.
• make sure you add at least one example of the request and response.

If the PR is changing the API implementation or an entity exposed through the API:

• make sure you update the API specification and the examples to reflect the changes.

If the PR is introducing a new audit type:

• make sure you update the API specification with the type, schema of the audit result and an example

Related Issues

Thanks for contributing!

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[github-actions]

This PR will trigger a minor release when merged.

[solaris007]

🎉 This PR is included in version 1.426.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀