Resolves #1862: Fix org and audit API response handling#1865

Merged
david-rocca merged 5 commits into dev from af-1862
Jun 16, 2026

@afoote-mitre afoote-mitre commented Jun 16, 2026

Collaborator

Closes Issue #1862

Summary

Fixes response behavior for org and audit endpoints, including clearer non-admin registry org update errors, sanitized legacy org UUID responses, and empty audit history responses for missing orgs. Also updates the OpenAPI server URL.

Important Changes

src/controller/registry-org.controller/registry-org.controller.js

  • Split auth failures for registry org updates.
  • Same-org non-admin users now receive NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE.

src/repositories/baseOrgRepository.js
src/repositories/orgRepository.js

  • Passed projection through legacy UUID org lookup.
  • Prevents Mongo/internal fields from leaking in GET /api/org/:uuid.

src/controller/audit.controller/audit.controller.js

  • Returns 200 [] when audit history is requested for a missing org.

api-docs/openapi.json

  • Updated server URL to https://cveawg-dev.mitre.org/api.

test/integration-tests/...

  • Added regression coverage for registry org update auth, legacy org UUID sanitization, and missing-org audit lookups.

Testing

Not run by Codex.

Steps to manually test updated functionality:

  1. Run bash -i -c "npm run test:integration".
  2. Verify same-org non-admin PUT /api/registry/org/:shortname returns 403 with NOT_ORG_ADMIN_OR_SECRETARIAT_UPDATE.
  3. Verify GET /api/org/:uuid does not return _id, __v, __t, inUse, or in_use.
  4. Verify GET /api/audit/org/:missing_identifier returns 200 and [].

@afoote-mitre afoote-mitre requested a review from david-rocca June 16, 2026 17:25
@afoote-mitre afoote-mitre self-assigned this Jun 16, 2026
@afoote-mitre afoote-mitre changed the title Fix org and audit API response handling Resolves #1862: Fix org and audit API response handling Jun 16, 2026
@david-rocca david-rocca merged commit d69428c into dev Jun 16, 2026
9 checks passed
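
One way to automate step 3 of the manual test list, as an added example that is not part of this pull request or the project's code: a recursive scan of a parsed response body for the internal field names the description lists. The function name, the constant name and both sample bodies are assumptions constructed for illustration.

```javascript
// Added example; names are hypothetical and not taken from the project's code.
// The field list comes from step 3 of the PR's manual test steps.
const INTERNAL_FIELDS = new Set(['_id', '__v', '__t', 'inUse', 'in_use']);

// Walk a parsed JSON body and return the path of every internal field found,
// including fields nested inside sub-documents or array elements. A projection
// applied only at the top level would miss those nested cases.
function findInternalFields(value, path = '$') {
  if (Array.isArray(value)) {
    return value.flatMap((item, i) => findInternalFields(item, `${path}[${i}]`));
  }
  if (value === null || typeof value !== 'object') {
    return []; // primitives cannot carry field names
  }
  const leaks = [];
  for (const [key, child] of Object.entries(value)) {
    const childPath = `${path}.${key}`;
    if (INTERNAL_FIELDS.has(key)) {
      leaks.push(childPath); // report the field itself, do not descend into it
    } else {
      leaks.push(...findInternalFields(child, childPath));
    }
  }
  return leaks;
}

// Constructed sample: what an unprojected org document could look like.
const leakyBody = {
  _id: '000000000000000000000001',
  __v: 3,
  UUID: '00000000-0000-4000-8000-000000000001',
  short_name: 'example_org',
  inUse: false,
  policies: { id_quota: 1000, _id: '000000000000000000000002' },
  contacts: [{ name: 'Example Contact', __t: 'ExampleType' }]
};

// Constructed sample: the same document after the internal fields are projected out.
const cleanBody = {
  UUID: '00000000-0000-4000-8000-000000000001',
  short_name: 'example_org',
  policies: { id_quota: 1000 },
  contacts: [{ name: 'Example Contact' }]
};

console.log(findInternalFields(leakyBody));
console.log(findInternalFields(cleanBody));
```

In an integration test, the parsed body of GET /api/org/:uuid would be passed to the function and the result asserted to be an empty array.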