Clean up organization memberships when users are deleted

[scotwells]

Summary

• Adds a finalizer to the UserController that deletes all OrganizationMemberships referencing a user before allowing the User object to be removed
• Extends the OrganizationMembership validation webhook to allow last-owner membership deletion when the referenced User is being deleted (verified via direct API server read, not cache)
• Fixes the Organization webhook and UserInvitation controller to set correct User ownerReferences on OrganizationMemberships
• Adds a two-pass self-delete in the OrganizationMembership controller for existing orphaned memberships where the User no longer exists

Context

When a User was deleted, OrganizationMembership resources referencing that user were not cleaned up because they had no User ownerReference (webhook creation path) or had a malformed one (invitation path used .Group instead of .String() for APIVersion). The orphaned memberships left their owned PolicyBindings stuck in SubjectValidationFailed state.

Closes #536

Test plan

• Webhook tests verify deletion is allowed when User has DeletionTimestamp
• Webhook tests verify deletion is allowed when User is already gone
• Webhook tests verify last-owner guard still blocks when User is active
• All existing unit tests pass
• Chainsaw e2e test validates full lifecycle: create user + org → verify membership → delete user → verify cleanup
• e2e test passes in CI

Note

The CI workflow reports a failure due to pre-existing e2e test issues on main (note-multicluster-subject, clusternote-multicluster-subject, crm-note-contact-lifecycle). These are unrelated to this PR and are being resolved in #549.

🤖 Generated with Claude Code

[joggrbot]

📝 Documentation Analysis

All docs are up to date! 🎉

---

✅ Latest commit analyzed: 485ee94 | Powered by Joggr