fix(user): filter out soft-deleted memberships and organizations

Add get_active_memberships() method to User model that filters out
soft-deleted memberships and memberships of deleted organizations.
Update all usages of organization_memberships to use this method,
ensuring consistent handling of soft-deleted records across the
codebase. Also add deleted_at filters to CA queries in SSH helpers.

gatehouse_app/api/v1/ssh/_helpers.py

@@ -14,13 +14,17 @@ _logger = logging.getLogger(__name__)
 def _get_org_ca_for_user(user, ca_type: str = "user"):
     try:
         from gatehouse_app.models.ssh_ca.ca import CA, CaType
-        org_ids = [m.organization_id for m in user.organization_memberships]
+        
+        org_ids = [m.organization_id for m in user.get_active_memberships()]
+        
         if not org_ids:
             return None
+            
         return CA.query.filter(
             CA.organization_id.in_(org_ids),
             CA.ca_type == CaType(ca_type),
-            CA.is_active == True,  # noqa: E712
+            CA.is_active == True,
+            CA.deleted_at.is_(None),
         ).first()
     except Exception:
         return None
@@ -34,7 +38,7 @@ def _get_or_create_system_ca():
     import os
 
     try:
-        existing = CA.query.filter_by(name="system-config-ca").first()
+        existing = CA.query.filter_by(name="system-config-ca", deleted_at=None).first()
         if existing:
             return existing
 
@@ -60,7 +64,7 @@ def _get_or_create_system_ca():
 
         fingerprint = compute_ssh_fingerprint(pub_key)
 
-        existing_by_fp = CA.query.filter_by(fingerprint=fingerprint).first()
+        existing_by_fp = CA.query.filter_by(fingerprint=fingerprint, deleted_at=None).first()
         if existing_by_fp:
             return existing_by_fp