
Add E2E test for non-org-member app deletion authorization#136

Merged
jalexw merged 1 commit into main from claude/serene-faraday-J0bPu on Jun 8, 2026

Conversation

@jalexw (Contributor) commented Jun 8, 2026

Summary

Adds comprehensive E2E test coverage for the app deletion authorization check that prevents non-organization members from deleting apps, even when authenticated.

Changes

  • New test file: tests/e2e-auth-tests/cypress/e2e/apps/NonOrgMemberCannotDeleteApp.cy.ts

    • Tests that DELETE /api/apps/:app_id returns 403 when the authenticated caller is neither a global admin nor a member of the app's owner organization
    • Verifies the authorization check in auth-server/src/app/api/apps/[app_id]/DELETE_app_handler.ts that validates isUserInOrganizationWithRole(..., "owner")
    • Creates a test organization and app as a superuser, then attempts deletion as an unrelated regular user
    • Validates both the HTTP status code (403) and response body (success: false, message includes "owner")
  • Version bump: tests/e2e-auth-tests/package.json (0.4.4 → 0.4.5)

Implementation Details

  • Fills a critical gap in authorization test coverage: the authenticated-non-owner branch is the most common authorization path a real caller would hit
  • Complements existing coverage:
    • Unauthenticated (401) case covered by misc/UnauthenticatedApiRequests.cy.ts
    • Hardcoded-app protection covered by resource_management/HardcodedResourceDeletionProtection.cy.ts
  • Uses existing Cypress helpers for test setup (superuser login, organization creation, app creation, regular user creation)
  • Properly isolates test data with random codes to avoid conflicts

https://claude.ai/code/session_013GmrB4yjJDNFVmm7oTjTFW
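The authorization path this PR adds coverage for, modelled as a stand-alone TypeScript sketch. This is an added example and not the project's handler or its Cypress test: the types, the in-memory store, the handler name deleteAppHandler, the scenario helper runScenario and the sample users, organization and apps are all assumptions. Only the decision rule (global admin, or "owner" role in the app's owner organization, otherwise 403 with success: false and a message mentioning owners), the 401 for unauthenticated callers and the 403 for hardcoded apps come from the description above. It goes slightly beyond the test's own scenario by also sending a request from an organization member who holds a non-owner role, which the check as described would refuse in the same way.

```typescript
type Role = "owner" | "member";

interface User { id: string; isGlobalAdmin: boolean }
interface Organization { id: string; name: string }
interface Membership { userId: string; orgId: string; role: Role }
interface App { id: string; ownerOrgId: string; hardcoded: boolean }

// A null user models an unauthenticated request.
interface Session { user: User | null }

interface ApiResult {
  status: 200 | 401 | 403 | 404;
  body: { success: boolean; message: string };
}

// Constructed in-memory store standing in for the project's database (assumption).
const store = {
  users: new Map<string, User>(),
  orgs: new Map<string, Organization>(),
  memberships: [] as Membership[],
  apps: new Map<string, App>(),
};

// Same contract as the helper named in the PR description: true only when the
// user holds exactly this role in this organization.
function isUserInOrganizationWithRole(userId: string, orgId: string, role: Role): boolean {
  return store.memberships.some(m => m.userId === userId && m.orgId === orgId && m.role === role);
}

// Hypothetical stand-in for DELETE_app_handler. Check order: authentication
// (401) first, then the resource lookup, then the hardcoded guard, then
// ownership (403). The ownership check must follow the lookup because it
// needs the app's owner organization.
function deleteAppHandler(session: Session, appId: string): ApiResult {
  if (session.user === null) {
    return { status: 401, body: { success: false, message: "Authentication required" } };
  }
  const app = store.apps.get(appId);
  if (app === undefined) {
    // Assumption: the PR does not say what the real handler returns for an unknown id.
    return { status: 404, body: { success: false, message: "App not found" } };
  }
  if (app.hardcoded) {
    return { status: 403, body: { success: false, message: "Hardcoded apps cannot be deleted" } };
  }
  const caller = session.user;
  const allowed = caller.isGlobalAdmin
    || isUserInOrganizationWithRole(caller.id, app.ownerOrgId, "owner");
  if (!allowed) {
    return { status: 403, body: { success: false, message: "Only organization owners or global admins can delete apps" } };
  }
  store.apps.delete(appId);
  return { status: 200, body: { success: true, message: "App deleted" } };
}

// The three assertions the new Cypress test makes on the non-owner response.
function isNonOwnerRefusal(r: ApiResult): boolean {
  return r.status === 403 && r.body.success === false && r.body.message.includes("owner");
}

// Reproduces the fixture shape described in the PR: a global admin, a fresh
// organization with an app, and an unrelated regular user who then attempts
// the deletion. The random code isolates records the way the test's random
// codes do. Extra callers (anonymous, non-owner member, owner, hardcoded app)
// exercise the neighbouring branches.
function runScenario() {
  const code = Math.random().toString(36).slice(2, 8);
  const superuser: User = { id: `su-${code}`, isGlobalAdmin: true };
  const ownerUser: User = { id: `owner-${code}`, isGlobalAdmin: false };
  const memberUser: User = { id: `member-${code}`, isGlobalAdmin: false };
  const stranger: User = { id: `stranger-${code}`, isGlobalAdmin: false };
  for (const u of [superuser, ownerUser, memberUser, stranger]) store.users.set(u.id, u);

  const org: Organization = { id: `org-${code}`, name: `Test Org ${code}` };
  store.orgs.set(org.id, org);
  store.memberships.push({ userId: ownerUser.id, orgId: org.id, role: "owner" });
  store.memberships.push({ userId: memberUser.id, orgId: org.id, role: "member" });

  const app: App = { id: `app-${code}`, ownerOrgId: org.id, hardcoded: false };
  const hardcodedApp: App = { id: `hardcoded-${code}`, ownerOrgId: org.id, hardcoded: true };
  store.apps.set(app.id, app);
  store.apps.set(hardcodedApp.id, hardcodedApp);

  // Object-literal fields evaluate in source order, so every refusal is
  // checked before the owner's successful deletion removes the app.
  return {
    anonymous: deleteAppHandler({ user: null }, app.id),
    stranger: deleteAppHandler({ user: stranger }, app.id),
    nonOwnerMember: deleteAppHandler({ user: memberUser }, app.id),
    superuserOnHardcoded: deleteAppHandler({ user: superuser }, hardcodedApp.id),
    owner: deleteAppHandler({ user: ownerUser }, app.id),
    ownerAgain: deleteAppHandler({ user: ownerUser }, app.id),
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

Two things worth checking against a real handler when reading the test's three assertions (status 403, success: false, message containing "owner"): the ownership branch can only run after the app has been loaded, so any early return placed before the lookup silently bypasses it; and an authenticated non-member who gets a 404 for a missing id but a 403 for an existing one can tell which app ids exist, so whether the sketch's 404 branch matches the project's behaviour is an assumption, not something this PR states.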

…-member callers

Adds NonOrgMemberCannotDeleteApp.cy.ts in the apps suite to exercise the
"Only organization owners or global admins can delete apps" branch in
DELETE_app_handler. Previously only the unauthenticated (401) and
hardcoded-app (403) paths were covered.
@jalexw jalexw self-assigned this Jun 8, 2026
@jalexw jalexw merged commit ba03022 into main Jun 8, 2026
43 checks passed
@jalexw jalexw deleted the claude/serene-faraday-J0bPu branch June 8, 2026 14:59
