feat(coderd): add organizations.default_org_member_roles for Gateway Accounts

Adds the column that drives per-org Gateway Accounts behavior. Effective
roles for an org member at request time are now the union of
organization_members.roles and organizations.default_org_member_roles,
so changes to the org default propagate to every member on the next
request. The deployment-wide default is
'organization-workspace-access', matching today's effective behavior.

The PATCH organization handler accepts the new field but rejects
deviations from the deployment default unless the
minimum-implicit-member experiment is enabled. The experiment constant
ships in this PR so the write-gating has something to check; the floor
shrink behavior lands in a follow-up.

Refs #25936. Stacks on #25929.
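The two behaviours the commit message describes, the request-time union of member roles with the org default and the PATCH write gate that rejects deviations from the deployment default unless the experiment is on, as a small added example. This is illustrative code written for this page, not coderd's implementation; the function names, the error value and the choice to treat an absent field as "unchanged" are assumptions, while the deployment default string is the one named in the commit message.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// DeploymentDefaultOrgMemberRoles is the deployment-wide default named in the
// commit message. The function names, the error value and the nil-means-unchanged
// convention below are assumptions made for this example, not coderd's code.
const DeploymentDefaultOrgMemberRoles = "organization-workspace-access"

// ErrExperimentRequired is returned when a caller tries to change the org
// default without the minimum-implicit-member experiment enabled.
var ErrExperimentRequired = errors.New("changing default_org_member_roles requires the minimum-implicit-member experiment")

// EffectiveRoles returns the union of a member's explicit organization_members.roles
// and the organization's default_org_member_roles. The result is deduplicated and
// sorted so callers can compare it deterministically.
func EffectiveRoles(memberRoles, orgDefault []string) []string {
	seen := make(map[string]struct{}, len(memberRoles)+len(orgDefault))
	out := make([]string, 0, len(memberRoles)+len(orgDefault))
	for _, r := range append(append([]string{}, memberRoles...), orgDefault...) {
		if r == "" {
			continue // ignore empty entries rather than granting an empty role name
		}
		if _, dup := seen[r]; dup {
			continue
		}
		seen[r] = struct{}{}
		out = append(out, r)
	}
	sort.Strings(out)
	return out
}

// sameRoleSet compares two role lists as sets: order and duplicates are ignored,
// so ["a","b"] and ["b","a","a"] are the same configuration.
func sameRoleSet(a, b []string) bool {
	x, y := EffectiveRoles(a, nil), EffectiveRoles(b, nil)
	if len(x) != len(y) {
		return false
	}
	for i := range x {
		if x[i] != y[i] {
			return false
		}
	}
	return true
}

// ValidateDefaultOrgMemberRoles is the write gate for the PATCH handler: the field
// is accepted, but any value that is not exactly the deployment default is rejected
// unless the experiment is enabled. A nil slice models an omitted field and is
// always allowed; an empty non-nil slice is a real request to grant nothing by
// default, which is a deviation and therefore gated.
func ValidateDefaultOrgMemberRoles(requested []string, experimentEnabled bool) error {
	if requested == nil {
		return nil
	}
	if sameRoleSet(requested, []string{DeploymentDefaultOrgMemberRoles}) {
		return nil
	}
	if !experimentEnabled {
		return ErrExperimentRequired
	}
	return nil
}

func main() {
	// Constructed sample data: an org admin whose org still uses the deployment default.
	fmt.Println(EffectiveRoles([]string{"organization-admin"}, []string{DeploymentDefaultOrgMemberRoles}))
	// Shrinking the default to nothing is rejected while the experiment is off.
	fmt.Println(ValidateDefaultOrgMemberRoles([]string{}, false))
}
```

The nil-versus-empty distinction matters for the follow-up that lands the floor shrink: an omitted field must not be confused with an explicit request to grant no default roles, or a client that sends `{}` would silently reset the org.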
Steven Masley
2026-06-02 18:40:39 +00:00
parent 6aef7c0858
commit 1451f5281b
32 changed files with 447 additions and 157 deletions
+4 -1
@@ -2372,11 +2372,14 @@ CREATE TABLE organizations (
display_name text NOT NULL,
icon text DEFAULT ''::text NOT NULL,
deleted boolean DEFAULT false NOT NULL,
shareable_workspace_owners shareable_workspace_owners DEFAULT 'everyone'::shareable_workspace_owners NOT NULL
shareable_workspace_owners shareable_workspace_owners DEFAULT 'everyone'::shareable_workspace_owners NOT NULL,
default_org_member_roles text[] NOT NULL
);
COMMENT ON COLUMN organizations.shareable_workspace_owners IS 'Controls whose workspaces can be shared: none, everyone, or service_accounts.';
COMMENT ON COLUMN organizations.default_org_member_roles IS 'Roles granted to every member of this organization at request time. The set is unioned into each member''s effective roles when GetAuthorizationUserRoles runs, so changes propagate to all members on the next request. Deployments can use this column to revoke capabilities that would otherwise be considered normal organization member permissions.';
CREATE TABLE parameter_schemas (
id uuid NOT NULL,
created_at timestamp with time zone NOT NULL,
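Review bot: `default_org_member_roles text[] NOT NULL` in this CREATE TABLE hunk carries no DEFAULT clause, while the commit message says the deployment-wide default is 'organization-workspace-access'. As written, any INSERT into organizations that omits the column fails with a NOT NULL violation, and existing rows need an explicit backfill in the migration; neither the backfill nor the place the default is applied is visible here. Either give the column `DEFAULT '{organization-workspace-access}'::text[]` (or an empty-array default with the deployment default applied in code) and confirm the migration backfills existing organizations, or state in the column comment where the default comes from. The comment's last sentence also overstates the revoke case: because the value is unioned into each member's roles, dropping a role from the default only affects members who do not hold that role explicitly in organization_members.roles, and the comment should say so.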