Patch fixes:

- fix(auth): populate AuthUser.org alongside organizationId (id-vnd).
  Closes a parity gap with auth-verifier; consumers reading user.org
  on tokens verified by id.org.ai now get the org id rather than
  undefined.

Worker-side feature (no SDK surface change):

- feat(auth): requireScope / requireAllScopes Hono middleware
  (id-0jb). Routes can declaratively gate on scopes carried by the
  broker-resolved Identity. Per-route adoption deliberately deferred.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>