Add organization scope to chats and chat files #1436

@johnstcn

Context

Chats (ResourceChat) are currently user-scoped only. Chat.RBACObject() returns ResourceChat.WithOwner(ownerID) without any .InOrg(). However, ChatFile.RBACObject() does use .InOrg(orgID), creating an inconsistency.

This came up during coder/coder#23724 (adding a chat-access site-wide role). Several reviewers noted:

  • OrgMemberPermissions and OrgServiceAccountPermissions grant wildcard chat permissions at org scope via allPermsExcept, but since chats aren't org-scoped this is effectively a no-op for chat creation.
  • Once chats become org-scoped, ResourceChat should be excluded from OrgMemberPermissions and OrgServiceAccountPermissions allPermsExcept calls so the chat-access role properly gates access.
  • ChatFile authorization should align with its parent chat's authorization model.

Work needed

  • Add organization scope to Chat.RBACObject() (.InOrg(orgID))
  • Exclude ResourceChat from OrgMemberPermissions and OrgServiceAccountPermissions allPermsExcept calls
  • Decide whether chat-access needs org-level permissions or if the role should remain site-scoped
  • Align ChatFile authorization with the parent chat (either both org-scoped or both user-scoped)
  • Update RBAC test matrix with org-member test subjects for chat resources
  • Update ChatFileUsage test case (removed in #23724 pending this work)
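
The scope interaction described in this issue, as an added example that is not part of the issue and is not coder's code: a simplified model showing why an org-level wildcard is a no-op for an object without an org ID, why adding the org ID alone would let that wildcard grant chat access, and how an exclusion restores the gate. `Object`, `Subject`, `Authorize` and `OrgMember` are hypothetical names; actions and user-level (owner) permissions are left out.

```go
package main

import "fmt"

// Object is a simplified stand-in for an RBAC object; not coder's rbac.Object.
type Object struct {
	Type  string
	Owner string
	OrgID string // empty: no organization scope (no .InOrg() call)
}

// Subject holds per-scope grants keyed by resource type; "*" is a wildcard.
type Subject struct {
	Site map[string]bool
	Org  map[string]map[string]bool // orgID -> resource type -> granted
}

// grants lets an explicit entry (an exclusion) override the wildcard.
func grants(perms map[string]bool, typ string) bool {
	if v, ok := perms[typ]; ok {
		return v
	}
	return perms["*"]
}

// Authorize applies site grants to every object, and org grants only to
// objects that carry a matching org ID.
func Authorize(s Subject, o Object) bool {
	if grants(s.Site, o.Type) {
		return true
	}
	return o.OrgID != "" && grants(s.Org[o.OrgID], o.Type)
}

// OrgMember models an org member with wildcard org permissions except the
// listed resource types (the idea behind allPermsExcept).
func OrgMember(orgID string, except ...string) Subject {
	perms := map[string]bool{"*": true}
	for _, t := range except {
		perms[t] = false
	}
	return Subject{Org: map[string]map[string]bool{orgID: perms}}
}

func main() {
	userChat := Object{Type: "chat", Owner: "alice"}
	orgChat := Object{Type: "chat", Owner: "alice", OrgID: "org1"}
	fmt.Println(Authorize(OrgMember("org1"), userChat))        // false: wildcard never matches
	fmt.Println(Authorize(OrgMember("org1"), orgChat))         // true: wildcard now grants chat
	fmt.Println(Authorize(OrgMember("org1", "chat"), orgChat)) // false: exclusion restores the gate
}
```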
