Assume organization when loading org layout

[codenem]

Closes ENG-134

TODO

• auto assume when navigating /organizations/:organizationId links.
  • do it for employee pages too
• handle assume errors from authorizer: redirect
• remember URL before redirecting to login / assume
• Sign in with password: Reuse existing root session and assume
• rename -path to -url for redirect and after assume
• Check openchildsessioon methods for appropriate renaming and return values
• organizationId might be guessed from redirect-path instead of being passed as a search param too
• rename useAssume to useEnsureAssuming

---

Summary by cubic

Auto-assumes an organization session on org and employee routes; errors redirect to login or a dedicated assume page with the original URL preserved. SAML flows still redirect to the IdP. (ENG-134)

• New Features

  • Added /organizations/:organizationId/assume; OrganizationErrorBoundary routes ASSUMPTION_REQUIRED there with organization-id and redirect-path; RootErrorBoundary routes UNAUTHENTICATED to /auth/login with redirect-path.
  • Password sign-in accepts organizationId and redirect-path; reuses or replaces the root session and opens a password child session when provided; AssumePage handles redirects (PasswordRequired -> /auth/password-login, SAMLAuthenticationRequired -> IdP) and returns to the saved path; expired child sessions are ignored.

• Refactors

  • Removed the useAssume hook; assumption logic lives in AssumePage. MembershipCard now only links to the org; removed its assume mutation and unused mutation fields.
  • Replaced AuthenticationRequired with AssumptionRequired across GraphQL/Relay; simplified PageError; added RootErrorBoundary and OrganizationErrorBoundary; removed org param from OpenSessionWithSAML; split password auth into CheckCredentials and OpenSessionWithPassword; added OpenPasswordChildSessionForOrganization; removed an unused session lookup method.

^{Written for commit f7664b5. Summary will update on new commits.}