Resolves Issue # 1846: Org PUT response masking #1850

Open
afoote-mitre wants to merge 3 commits into dev from af-1846

Conversation

@afoote-mitre commented Jun 10, 2026

Collaborator

Closes Issue #1846

Summary

This MR masks stale registry org fields from GET responses so old document shapes do not get returned to clients, while preserving valid response fields and underscore-prefixed response extension fields.

Important Changes

src/repositories/baseOrgRepository.js

  • Added a schema-based org response mask for registry org responses.
  • Removes fields that are not part of the current response schema, including stale nested fields like old program_data paths.
  • Preserves valid response fields such as created, last_updated, users, admins, reports_to, and conversation.
  • Preserves underscore-prefixed response extension fields like _relatedOrganizations without adding them to response schemas.
  • Continues excluding internal fields like _id, __v, and __t.

src/controller/registry-org.controller/registry-org.controller.js

  • Keeps conversation hydration for org GET/list/update responses while relying on the repository mask for stale schema cleanup.

src/controller/registry-user.controller/registry-user.controller.js

  • Uses unmasked internal org lookups for admin role hydration.

src/repositories/baseUserRepository.js

  • Preserves admin membership when moving a user between orgs.

test/integration-tests/registry-org/registryOrgCRUDTest.js

  • Added coverage for stale org schema fields being removed from GET responses.
  • Verifies valid response fields are preserved.
  • Verifies conversations are still returned with non-secretariat author field stripping.
  • Verifies relationship metadata, including _relatedOrganizations, is preserved.

Testing

Steps to manually test updated functionality, if possible

  • Run bash -i -c "npm run test:integration".

@afoote-mitre afoote-mitre requested a review from david-rocca June 10, 2026 19:00
@afoote-mitre afoote-mitre self-assigned this Jun 10, 2026
@afoote-mitre afoote-mitre changed the title Mask registry org responses for PUT compatibility Resolves Issue # 1846: Org GET response masking Jun 10, 2026
@afoote-mitre afoote-mitre changed the title Resolves Issue # 1846: Org GET response masking Resolves Issue # 1846: Org PUT response masking Jun 10, 2026
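
The masking behaviour described in the PR summary above, as an added JavaScript example that is not code from this PR or the project: `maskBySchema`, `orgResponseSchema` and the sample document are hypothetical, and the schema is assumed to be a JSON-Schema-style object with `properties` and `items`.

```javascript
// Added example: schema, helper and sample names are hypothetical, not the project's code.
const INTERNAL_FIELDS = new Set(['_id', '__v', '__t', '__proto__']); // '__proto__' added here as a safeguard

// Constructed JSON-Schema-style fragment standing in for the org response schema.
const orgResponseSchema = {
  type: 'object',
  properties: {
    short_name: { type: 'string' },
    created: { type: 'string' },
    users: { type: 'array', items: { type: 'string' } },
    program_data: { type: 'object', properties: { contact: { type: 'string' } } },
    conversation: { type: 'array', items: { type: 'object', properties: { body: { type: 'string' } } } }
  }
};

function maskBySchema(value, schema) {
  if (Array.isArray(value)) {
    // Mask each element against the item schema; no item schema means pass-through.
    return schema && schema.items ? value.map((v) => maskBySchema(v, schema.items)) : value;
  }
  // Scalars, and objects whose schema lists no properties, are returned unchanged.
  if (value === null || typeof value !== 'object' || !schema || !schema.properties) return value;
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    if (INTERNAL_FIELDS.has(key)) continue; // storage internals never leave the API
    if (Object.prototype.hasOwnProperty.call(schema.properties, key)) {
      out[key] = maskBySchema(child, schema.properties[key]); // known field: recurse
    } else if (key.startsWith('_')) {
      out[key] = child; // response extension field: kept as-is, not schema-checked
    } // anything else is stale or unknown and is dropped (allowlist)
  }
  return out;
}

// Constructed stored document mixing current, stale and internal fields.
const storedOrg = {
  _id: '000000000000000000000001', __v: 3, __t: 'RegistryOrg',
  short_name: 'example_org',
  created: '2026-01-01T00:00:00.000Z',
  users: ['user-1'],
  program_data: { contact: 'sec@example.org', old_path: 'stale nested value' },
  legacy_policy: { enabled: true },
  conversation: [{ _id: 'c1', body: 'hello', internal_note: 'not in schema' }],
  _relatedOrganizations: [{ short_name: 'parent_org' }]
};

console.log(JSON.stringify(maskBySchema(storedOrg, orgResponseSchema), null, 2));
```

Because underscore-prefixed extension fields are passed through without a schema check in this example, anything nested inside them reaches the client unmasked.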
@jdalphond-mitre

Collaborator

I think this is too restrictive.

The response from the get still needs to have created, last_updated, users, _relatedOrganizations, etc.

Those things exist in the schema. The point is to remove things that are NOT in the schema.

@afoote-mitre

Collaborator Author

> I think this is too restrictive.
>
> The response from the get still needs to have created, last_updated, users, _relatedOrganizations, etc.
>
> Those things exist in the schema. The point is to remove things that are NOT in the schema.

@david-rocca we will want to chat about this one further
