docs(org): pre-stage A5 living-docs for merged core+server+CLI-admin (item-CRUD/extension TODO)

Pre-stages the A5 living-docs sweep for the already-merged A (relicario-core org
module) + C (relicario-server pre-receive hook) + CLI admin/rotate/status-audit
work, so the final A5 sweep (after Dev-B B9-B14 merges) is fast.

Adds org sections to docs/FORMATS.md (org repo wire formats + wrapped-key blob
layout), docs/CRYPTO.md (ECIES X25519 wrap/unwrap, no-Argon2id contrast, rotate
re-encryption), docs/SECURITY.md (signature-verifying hook, owner-only elevation,
audit vocabulary, honest limitations), DESIGN.md (org-master-key secrets row +
server org mode + deps), core/cli ARCHITECTURE.md (org module + org_session), and
an Unreleased CHANGELOG entry.

B item-CRUD (org add/get/list/edit/rm/restore/purge + main.rs wiring) and extension
parity are left as explicit TODO. STATUS/ROADMAP mark-shipped and
extension/ARCHITECTURE are deferred to the full A5 (track not yet landed; Dev-D
deferred). All cited code constants pinned with file:line per living-docs discipline.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01TJo44YM3UbBjro2fG6NrKy

CHANGELOG.md

@@ -1,5 +1,39 @@
 # Changelog
 
+## Unreleased — enterprise org vault (in progress)
+
+Git-native multi-user **org vaults**: a separate org git repository alongside each
+member's personal vault, with a 256-bit org master key ECIES-wrapped per member to
+their ed25519 device key, collection-scoped item storage, role-based access, and a
+signature-verifying pre-receive hook that makes least-privilege server-enforced.
+Tracked under `docs/superpowers/plans/2026-06-06-enterprise-org-vault.md`. Entries
+below cover the **already-merged** core (A) + server (C) + CLI admin work; item CRUD
+and extension parity land subsequently.
+
+### Added
+- **relicario-core `org` module** (`crates/relicario-core/src/org.rs`): org types
+  (`OrgId`, `MemberId`, `OrgRole`, `OrgMember`/`OrgMembers`, `CollectionDef`/
+  `OrgCollections`, `OrgMeta`, `OrgManifest`/`OrgManifestEntry`) and ECIES X25519
+  key wrap/unwrap (`generate_org_key`, `wrap_org_key`, `unwrap_org_key`) — ed25519→
+  X25519 via RFC 7748 clamp, domain-separated `SHA-256(dh || eph_pk || rcpt_pk)` KDF,
+  XChaCha20-Poly1305 inner cipher, all key material in `Zeroizing`. Adds
+  `encrypt_org_manifest` / `decrypt_org_manifest` vault wrappers. New dependency
+  `x25519-dalek 2` (`static_secrets`).
+- **relicario-server org mode**: `verify-org-commit` (signature verification against
+  `members.json`, path-scoped role/grant authorization, owner-only elevation judged
+  on the signer's pre-commit role, schema-version monotonicity) and
+  `generate-org-hook`; new `[lib]` target (`classify_path`, `extract_schema_version`).
+- **relicario-cli org admin commands**: `org init`, `add-member` / `remove-member` /
+  `set-role` (owner-only escalation guard), `create-collection` / `grant` / `revoke`,
+  `rotate-key` (re-encrypts every item blob + manifest under a fresh key),
+  `status` / `audit` (verified-signer attribution + `TAMPERED` flag). Org commits are
+  signed (`org_git_run` preserves signing). New `ssh-key` dependency in the CLI.
+
+### TODO (pending merge)
+- CLI item CRUD: `org add` / `get` / `list` / `edit` / `rm` / `restore` / `purge`,
+  and the final `Commands::Org` wiring in `main.rs` (Dev-B B9–B14).
+- Extension org switch + read-only browse parity (Dev-D follow-up).
+
 ## v0.7.0 — 2026-06-01
 
 Completes the extension restructure (Plan C) begun under v0.6.0. Phases