feat(ssh): add multi-organization support for certificate signing

Add support for users who belong to multiple organizations to select
which organization's CA should sign their SSH certificates.

Changes:
- CLI: Add --org-id and --list-orgs options for organization selection
- API: Return MULTIPLE_ORGS_AMBIGUOUS error when org selection needed
- API: Add /users/me/organizations/simple endpoint for CLI org listing
- DB: Add organization_id to certificate_audit_logs for better tracking
- Include organization_name in certificate response for clarity
2026-04-24 22:27:24 +09:30
parent 015c622016
commit cec04f3cb2
8 changed files with 314 additions and 46 deletions
+4
@@ -78,6 +78,7 @@ class SshClient:
principals: list[str] | None = None,
cert_type: str = "user",
expiry_hours: int | None = None,
organization_id: str | None = None,
) -> dict:
"""Request an SSH user certificate.
@@ -86,6 +87,7 @@ class SshClient:
principals: Optional list of requested principals.
cert_type: "user" or "host".
expiry_hours: Optional custom expiry within policy.
organization_id: Optional organization ID to specify which org's CA to use.
"""
payload: dict = {"cert_type": cert_type}
if key_id:
@@ -94,6 +96,8 @@ class SshClient:
payload["principals"] = principals
if expiry_hours:
payload["expiry_hours"] = expiry_hours
if organization_id:
payload["organization_id"] = organization_id
logger.info(f"[SshClient] Signing certificate — type={cert_type}")
return self._client.post("/ssh/sign", data=payload)
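Review bot: The `logger.info` call at the end of the third hunk still records only `cert_type`, so once a user can choose between several organizations' CAs the client log no longer shows which CA a signing request was aimed at. I would include the selection, for example `logger.info(f"[SshClient] Signing certificate — type={cert_type} org={organization_id or 'server-default'}")`. The value is forwarded to `/ssh/sign` unchanged, so the authorization decision rests entirely on the server, which presumably checks that the caller is a member of the requested organization before picking a CA; that handler is not visible in this section and is worth confirming. The method's signature and the start of its docstring lie outside these hunks.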