
Resolves Issue #1715, Add expanded user map to registry org response #1835

Open. afoote-mitre wants to merge 6 commits into dev from af-1715

@afoote-mitre afoote-mitre commented Jun 3, 2026

Collaborator

Closes Issue #1715

Summary

Adds optional expanded user metadata to the single registry organization response via expand=users, reducing the need for clients to fetch all orgs/users just to resolve UUIDs in org views.

This also fixes a conversation author-name edge case where Secretariat users with populated name.first and/or name.last could show their personal name in conversation responses. Secretariat-authored conversations now consistently use author_name: "Secretariat" on create and on read, including previously stored conversation records.

Important Changes

src/controller/registry-org.controller/registry-org.controller.js

  • Adds _userMap hydration when expand=users is requested.
  • Builds the map from org users, admins, defensive contact_info.additional_contacts, and visible conversation author_ids.
  • Limits expanded UUID/user metadata exposure based on requester role:
    • Secretariat can see the full relevant map.
    • Org admins can expand users for orgs they administrate.
    • Regular non-Secretariat users do not receive _userMap.
  • Strips user UUID exposure from non-Secretariat org responses.

src/repositories/conversationRepository.js

  • Normalizes Secretariat-authored conversations to author_name: "Secretariat".
  • Applies normalization when creating new conversations.
  • Applies normalization when returning existing stored conversations through getAll() and getAllByTargetUUID().
  • Preserves existing behavior that strips Secretariat author_id and author_name for non-Secretariat readers.

src/controller/org.controller/index.js

  • Allows expand=users on GET /api/registry/org/{identifier}.
  • Documents the new query parameter in Swagger annotations.

src/controller/org.controller/org.middleware.js

  • Maps the expand query parameter into req.ctx.query.

src/repositories/baseUserRepository.js

  • Adds batch lookup for users by UUID.

src/repositories/baseOrgRepository.js

  • Adds batch lookup for orgs containing user UUIDs.

schemas/registry-org/get-registry-org-response.json

  • Documents the _userMap response object.

api-docs/openapi.json

  • Adds expand query parameter documentation for the registry org lookup endpoint.

test/unit-tests/org/registryOrgGetSingleTest.js

  • Adds unit coverage for default response behavior, expand=users, role-based _userMap access, and UUID stripping.

test/unit-tests/conversation/conversationRepositoryTest.js

  • Adds unit coverage ensuring Secretariat author names are always normalized to "Secretariat".
  • Verifies partner-authored conversations still use the user full name.
  • Verifies stored Secretariat author names are normalized on read.
  • Verifies non-Secretariat readers still do not receive Secretariat author fields.

test/integration-tests/registry-org/registryOrgCRUDTest.js

  • Adds integration coverage for expanded user metadata on a registry org response.
  • Adds coverage for UUID exposure controls across Secretariat, org admin, and regular user reads.
  • Adds coverage for the named-Secretariat edge case in registry org conversation responses.

test/integration-tests/conversation/conversationTest.js

  • Updates expected Secretariat author display from "Unknown User" to "Secretariat".
  • Adds coverage using a Secretariat user with populated first/last name to ensure personal names are not exposed.

Testing

Steps to manually test updated functionality:

  1) Call GET /api/registry/org/{shortname} and verify _userMap is not present.
  2) Call GET /api/registry/org/{shortname}?expand=users as Secretariat and verify _userMap is present.
  3) Call GET /api/registry/org/{shortname}?expand=users as an admin of that org and verify _userMap is present only for users in that org.
  4) Call GET /api/registry/org/{shortname}?expand=users as a regular non-Secretariat user and verify _userMap is not present.
  5) Post a public conversation as a Secretariat user with populated first/last name and verify author_name is "Secretariat".
  6) Fetch the org conversation through GET /api/registry/org/{shortname} and verify Secretariat-authored comments show author_name: "Secretariat" for Secretariat readers.
  7) Fetch the same org as a non-Secretariat user and verify Secretariat author_id and author_name are not exposed.
  8) Call GET /api/registry/org/{shortname}?expand=invalid and verify the request is rejected.

Recommended automated tests:

  • bash -i -c "npm run test:unit-tests"
  • bash -i -c "npm run test:integration"

Notes

  • _userMap is returned as an object keyed by UUID.
  • contact_info.additional_contacts is handled defensively, but it is not currently modeled as a first-class registry org schema field.
  • Existing stored Secretariat conversations are normalized at response time, so this does not require a data migration.
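
The visibility rules listed in the description above, modeled as an added example (not code from this pull request or the project). The data shapes, the names `viewOrg`, `USERS` and `ORG`, and the way the rules are combined are assumptions made for illustration; the sample records are constructed.

```javascript
// Added illustration of the visibility rules; all names and data are hypothetical.
const ALLOWED_EXPAND = new Set(['users']);

// Constructed sample records (not real registry data).
const USERS = {
  'u-sec': { username: 'sec1', org: 'mitre', secretariat: true, name: 'Sam Lee' },
  'u-adm': { username: 'adm1', org: 'acme', secretariat: false, name: 'Ada Roe' },
  'u-usr': { username: 'usr1', org: 'acme', secretariat: false, name: 'Uma Ray' },
};
const ORG = {
  short_name: 'acme', users: ['u-adm', 'u-usr'], admins: ['u-adm'],
  conversation: [
    { author_id: 'u-sec', author_name: 'Sam Lee', body: 'Welcome' }, // stored personal name
    { author_id: 'u-usr', author_name: 'Uma Ray', body: 'Thanks' },
  ],
};

function viewOrg(org, requester, expand) {
  // Reject unknown expand values instead of silently ignoring them.
  if (expand !== undefined && !ALLOWED_EXPAND.has(expand)) return { status: 400 };
  const isSec = requester.secretariat === true;
  const isAdmin = org.admins.includes(requester.uuid);

  // Normalize Secretariat authors on read; hide them entirely from other readers.
  const conversation = org.conversation.map((c) => {
    if (!USERS[c.author_id]?.secretariat) return { ...c };
    return isSec ? { ...c, author_name: 'Secretariat' } : { body: c.body };
  });

  const body = { short_name: org.short_name, conversation };
  if (isSec) Object.assign(body, { users: org.users, admins: org.admins }); // raw UUID lists

  if (expand === 'users' && (isSec || isAdmin)) {
    const ids = new Set([...org.users, ...org.admins]);
    conversation.forEach((c) => c.author_id && ids.add(c.author_id)); // visible authors only
    body._userMap = {};
    for (const id of ids) {
      const u = USERS[id];
      // Org admins only get entries for non-Secretariat members of this org.
      if (!u || (!isSec && (u.secretariat || u.org !== org.short_name))) continue;
      body._userMap[id] = { username: u.username, name: u.name };
    }
  }
  return { status: 200, body };
}

console.log(Object.keys(viewOrg(ORG, { uuid: 'u-adm' }, 'users').body._userMap));
```

Because the map is built from the already-filtered conversation, a Secretariat author that was stripped for the reader cannot reappear through `_userMap`.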

@jdalphond-mitre jdalphond-mitre left a comment

Collaborator

I have tested this and it correctly does not return secretariat users as an org admin.
It does return the secretariat users as a secretariat.
