fix: merge global + org-scoped token scopes in OrgResolver

Vendor's platform:admin scope comes from a global Logto role, which is
only present in the non-org-scoped token. OrgResolver now fetches both
the global token and the org-scoped token, merging their scopes. This
ensures vendor users see platform:admin and land on the vendor console.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ui/src/auth/OrgResolver.tsx

@@ -66,12 +66,21 @@ export function OrgResolver({ children }: { children?: React.ReactNode }) {
       };
 
       try {
-        const token = await (currentOrgId
+        // Always fetch the global (non-org) token — it contains global role scopes
-          ? getAccessToken(config.logtoResource, currentOrgId)
+        // like platform:admin from the saas-vendor role.
-          : getAccessToken(config.logtoResource)
+        const globalToken = await getAccessToken(config.logtoResource).catch(() => undefined);
-        ).catch(() => undefined);
+        const globalScopes = extractScopes(globalToken);
 
-        setScopes(new Set(extractScopes(token)));
+        // If an org is selected, also fetch org-scoped token for org-level scopes
+        // (tenant:manage, apps:manage, etc.)
+        let orgScopes: string[] = [];
+        if (currentOrgId) {
+          const orgToken = await getAccessToken(config.logtoResource, currentOrgId).catch(() => undefined);
+          orgScopes = extractScopes(orgToken);
+        }
+
+        // Merge both scope sets
+        setScopes(new Set([...globalScopes, ...orgScopes]));
       } catch {
         setScopes(new Set());
       }