fix: validate organization group project associations

[officialasishkumar]

General Checklist

• Affected Issues have been mentioned in the Closing issues section
• Documentation has been written/updated, or is not required for this bug fix
• PR title is ready for inclusion in changelog

Database Migrations

• This PR does not contain a database migration

Description

checkOrgProjectGroup only compared a group's project IDs against the target organization's project IDs when the organization already had at least one project. That made the empty-organization error branch unreachable and allowed getGroupProjectOrganizationAssociation / addExistingGroupToOrganization to accept a group that already referenced projects outside the requested organization.

This updates the validation to run whenever the group has project associations. Groups are now rejected when any associated project is not part of the target organization, including the case where the target organization has no projects. A focused resolver test covers the empty organization rejection, the non-empty organization mismatch, and the matching-project success case.

Validation performed:

• yarn --cwd node-packages/commons build
• yarn --cwd services/api jest --forceExit --detectOpenHandles organization.test.ts
• yarn --cwd services/api build
• ./node_modules/.bin/prettier --check services/api/src/resources/organization/organization.test.ts
• git diff --check

I also ran yarn --cwd services/api jest --forceExit --detectOpenHandles; the new organization test passes, but the broader local suite still fails on unrelated existing issues: stale SQL snapshots in notification/environment tests, missing src/resources/sshKey/index, and a node-fetch ESM parse failure through advancedtasktoolbox.

Closing issues

Closes #4081