feat: add organization and member management APIs for admin and internal use

docs/FRONTEND_API_CONTRACT.md

@@ -2,13 +2,21 @@
 
 Base URL：`https://memberapi.ose.tw`
 
-## 0. 帳號密碼登入
-### POST `/auth/login`
+## 0. OIDC 登入（目前主流程）
+### GET `/auth/oidc/url?redirect_uri=<frontend-callback-url>`
+200 Response:
+```json
+{
+  "authorize_url": "https://auth.ose.tw/application/o/authorize/..."
+}
+```
+
+### POST `/auth/oidc/exchange`
 Request:
 ```json
 {
-  "username": "your-authentik-username",
-  "password": "your-password"
+  "code": "authorization-code",
+  "redirect_uri": "http://localhost:5173/auth/callback"
 }
 ```
 
@@ -22,11 +30,6 @@ Request:
 }
 ```
 
-401 Response:
-```json
-{ "detail": "invalid_username_or_password" }
-```
-
 ## 1. 使用者資訊
 ### GET `/me`
 Headers:
@@ -134,7 +137,89 @@ Request:
 { "status": "ok" }
 ```
 
-## 6. 常見錯誤碼
+## 6. 組織管理（admin）
+### GET `/admin/organizations`
+Headers:
+- `X-Client-Key: <client_key>`
+- `X-API-Key: <plain_api_key>`
+
+Query:
+- `keyword` (optional)
+- `status` (optional: `active|inactive`)
+- `limit` (default `50`)
+- `offset` (default `0`)
+
+### POST `/admin/organizations`
+```json
+{
+  "org_code": "ose-main",
+  "name": "Ose Main",
+  "tax_id": "12345678",
+  "status": "active"
+}
+```
+
+### PATCH `/admin/organizations/{org_id}`
+```json
+{
+  "name": "Ose Main Updated",
+  "status": "inactive"
+}
+```
+
+### POST `/admin/organizations/{org_id}/activate`
+### POST `/admin/organizations/{org_id}/deactivate`
+
+## 7. 會員管理（admin）
+### GET `/admin/members`
+Headers:
+- `X-Client-Key: <client_key>`
+- `X-API-Key: <plain_api_key>`
+
+Query:
+- `keyword` (optional)
+- `is_active` (optional: `true|false`)
+- `limit` (default `50`)
+- `offset` (default `0`)
+
+### POST `/admin/members`
+```json
+{
+  "authentik_sub": "authentik-sub-123",
+  "email": "user@example.com",
+  "display_name": "User Name",
+  "is_active": true
+}
+```
+
+### PATCH `/admin/members/{member_id}`
+```json
+{
+  "display_name": "New Name",
+  "is_active": false
+}
+```
+
+### POST `/admin/members/{member_id}/activate`
+### POST `/admin/members/{member_id}/deactivate`
+
+## 8. 會員/組織關聯（admin）
+### GET `/admin/members/{member_id}/organizations`
+### POST `/admin/members/{member_id}/organizations/{org_id}`
+### DELETE `/admin/members/{member_id}/organizations/{org_id}`
+
+## 9. 系統對系統查詢（internal）
+Headers:
+- `X-Internal-Secret: <internal_shared_secret>`
+
+Endpoints:
+- `GET /internal/members`
+- `GET /internal/members/by-sub/{authentik_sub}`
+- `GET /internal/organizations`
+- `GET /internal/organizations/by-code/{org_code}`
+- `GET /internal/members/{member_id}/organizations`
+
+## 10. 常見錯誤碼
 - `401 invalid_client`
 - `401 invalid_api_key`
 - `401 client_expired`