Add E2E test for rejecting 'admin' role in org member updates#97

Merged
jalexw merged 1 commit into main from claude/serene-faraday-baefJ on May 8, 2026
Conversation

@jalexw
Contributor

@jalexw jalexw commented May 8, 2026

Summary

Adds comprehensive E2E test coverage for the guard that prevents setting organization members to the "admin" role, which is a virtual role reserved only for the system organization.

Changes

  • New test file: RoleUpdateRejectsAdminRole.cy.ts
    • Tests that PATCH /api/organizations/:organization_id/members/:uid/role returns 400 when attempting to set a member's role to "admin"
    • Verifies the rejection happens before any database update occurs
    • Confirms the member's role remains unchanged after the rejected request
    • Covers the previously untested edge case where a global admin or org owner could attempt to elevate a member to the virtual "admin" role

Implementation Details

The test:

  1. Creates a test organization and logs in as the owner
  2. Retrieves the owner's uid from the members list
  3. Attempts to set the owner's role to "admin" via PATCH request
  4. Verifies the request fails with 400 status and an appropriate error message
  5. Confirms the member's role is still "owner" in the database (no state change)
  6. Cleans up the test organization

This addresses a gap in E2E coverage for the PATCH_member_role_handler guard that explicitly rejects new_role === "admin" to prevent bypassing the org-scoped owner/member access model.

https://claude.ai/code/session_01K51yFj2uDF87LbGLJACWro
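The invariant this PR's test checks (the guard rejects `"admin"` before any database update, so the member's role is unchanged afterwards) can be illustrated with a small in-memory model of the PATCH handler. This is an added example, not the project's `PATCH_member_role_handler` or its Cypress test; the store, the function names, the `"owner"`/`"member"` role set and the error strings are assumptions made here for illustration.

```typescript
// Added illustration (not the project's own code) of the guard exercised by
// RoleUpdateRejectsAdminRole.cy.ts: PATCH .../members/:uid/role must reject
// new_role === "admin" before touching any stored state.

type Role = "owner" | "member";           // assumed org-scoped roles
const VIRTUAL_ADMIN_ROLE = "admin";       // virtual role reserved for the system org

interface MemberStore {
  roles: Map<string, string>;             // key `${orgId}:${uid}` -> current role
  writes: number;                         // counts "database" updates performed
}

interface PatchResult {
  status: number;
  body: { error?: string; role?: string };
}

function createStore(): MemberStore {
  return { roles: new Map(), writes: 0 };
}

function addMember(store: MemberStore, orgId: string, uid: string, role: Role): void {
  store.roles.set(`${orgId}:${uid}`, role);
}

function getRole(store: MemberStore, orgId: string, uid: string): string | undefined {
  return store.roles.get(`${orgId}:${uid}`);
}

// Models the handler: validation first, lookup and write only afterwards.
function patchMemberRole(store: MemberStore, orgId: string, uid: string, newRole: string): PatchResult {
  // Guard: the virtual "admin" role is never assignable to an org member.
  // Returning here means no lookup and no write has happened yet.
  if (newRole === VIRTUAL_ADMIN_ROLE) {
    return { status: 400, body: { error: "Cannot assign the virtual 'admin' role to an organization member" } };
  }
  if (newRole !== "owner" && newRole !== "member") {
    return { status: 400, body: { error: `Unknown role: ${newRole}` } };
  }
  const key = `${orgId}:${uid}`;
  if (!store.roles.has(key)) {
    return { status: 404, body: { error: "Member not found" } };
  }
  store.roles.set(key, newRole);          // the only state-changing step
  store.writes += 1;
  return { status: 200, body: { role: newRole } };
}

// Mirrors the PR's scenario: an owner tries to set their own role to "admin".
function runScenario(): { rejected: PatchResult; roleAfter: string | undefined; writes: number } {
  const store = createStore();
  addMember(store, "org_test", "uid_owner", "owner");   // constructed test data
  const rejected = patchMemberRole(store, "org_test", "uid_owner", "admin");
  return { rejected, roleAfter: getRole(store, "org_test", "uid_owner"), writes: store.writes };
}

// Stand-alone usage: expect status 400, roleAfter "owner", writes 0.
const scenarioResult = runScenario();
console.log(JSON.stringify(scenarioResult));
```

The point the model makes explicit is ordering: because the `"admin"` check returns before the store is consulted, the assertion "role still `owner`, zero writes" holds by construction rather than by a rollback, which is exactly what the E2E test's "no state change" step verifies.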

@jalexw jalexw merged commit c6ca3d0 into main May 8, 2026
31 checks passed
@jalexw jalexw deleted the claude/serene-faraday-baefJ branch May 8, 2026 13:06