Test the org-match logic in verifySiteAccess:
- Same org: allowed
- Cross-org: rejected with 403
- No prior org context (site-only routes): check skipped, normal flow
Test route stack ordering:
- verifySiteAccess runs after verifyResourceAccess/verifyTargetAccess
- verifySiteAccess runs before the target create/update handler
Test security scenarios for both WireGuard and newt site types.
Signed-off-by: Marc Schäfer <git@marcschaeferger.de>
