fix(auth): extract tenant_id from organization_ids JWT claim

The JWT contains organization_ids (array) not organization_id (singular).
This was causing the workers endpoint to use fallback "taskflow-default-org-id"
which SSO rejected with 401.

Now extracts first organization from organization_ids array as tenant.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: mjunaidca

apps/api/src/taskflow_api/auth.py

@@ -220,9 +220,14 @@ def __init__(self, payload: dict[str, Any]) -> None:
         self.name: str = payload.get("name", "")
         self.role: str = payload.get("role", "user")
         # Extract tenant from multiple possible JWT claims
+        # organization_ids is an array, take the first one as active tenant
+        org_ids = payload.get("organization_ids") or []
         self.tenant_id: str | None = (
-            payload.get("tenant_id") or payload.get("organization_id") or None
+            payload.get("tenant_id")
+            or payload.get("organization_id")
+            or (org_ids[0] if org_ids else None)
         )
+        self.organization_ids: list[str] = org_ids if isinstance(org_ids, list) else []
         # OAuth client identity for audit trail (e.g., "@user via Claude Code")
         self.client_id: str | None = payload.get("client_id")
         self.client_name: str | None = payload.get("client_name")
@@ -272,7 +277,8 @@ async def list_projects(user: CurrentUser = Depends(get_current_user)):
         try:
             payload = await verify_jwt(token)
             user = CurrentUser(payload)
-            logger.info("[AUTH] Authenticated via JWT: %s", user)
+            logger.info("[AUTH] Authenticated via JWT: %s, tenant_id=%s, org_ids=%s",
+                       user, user.tenant_id, user.organization_ids)
             return user
         except HTTPException:
             # JWT validation failed, try opaque as fallback