refactor: align codebase with EventCrew domain and trim legacy band stack

- Update API: events, users, policies, routes, resources, migrations
- Remove deprecated models/resources (customers, setlists, invitations, etc.)
- Refresh admin app and docs; remove apps/band

Made-with: Cursor

api/tests/Feature/Event/EventTest.php

@@ -0,0 +1,185 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Event;
+
+use App\Models\Event;
+use App\Models\Organisation;
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+class EventTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private User $admin;
+    private User $orgAdmin;
+    private User $outsider;
+    private Organisation $organisation;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+
+        $this->admin = User::factory()->create();
+        $this->admin->assignRole('super_admin');
+
+        $this->organisation = Organisation::factory()->create();
+
+        $this->orgAdmin = User::factory()->create();
+        $this->organisation->users()->attach($this->orgAdmin, ['role' => 'org_admin']);
+
+        $this->outsider = User::factory()->create();
+    }
+
+    // --- INDEX ---
+
+    public function test_org_admin_can_list_events(): void
+    {
+        Event::factory()->count(3)->create(['organisation_id' => $this->organisation->id]);
+
+        Sanctum::actingAs($this->orgAdmin);
+
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events");
+
+        $response->assertOk();
+        $this->assertCount(3, $response->json('data'));
+    }
+
+    public function test_outsider_cannot_list_events(): void
+    {
+        Sanctum::actingAs($this->outsider);
+
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events");
+
+        $response->assertForbidden();
+    }
+
+    public function test_unauthenticated_user_cannot_list_events(): void
+    {
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events");
+
+        $response->assertUnauthorized();
+    }
+
+    // --- SHOW ---
+
+    public function test_org_admin_can_view_event(): void
+    {
+        $event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
+
+        Sanctum::actingAs($this->orgAdmin);
+
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}");
+
+        $response->assertOk()
+            ->assertJson(['data' => ['id' => $event->id]]);
+    }
+
+    public function test_outsider_cannot_view_event(): void
+    {
+        $event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
+
+        Sanctum::actingAs($this->outsider);
+
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}");
+
+        $response->assertForbidden();
+    }
+
+    // --- STORE ---
+
+    public function test_org_admin_can_create_event(): void
+    {
+        Sanctum::actingAs($this->orgAdmin);
+
+        $response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events", [
+            'name' => 'Summer Festival 2026',
+            'slug' => 'summer-festival-2026',
+            'start_date' => '2026-07-01',
+            'end_date' => '2026-07-03',
+        ]);
+
+        $response->assertCreated()
+            ->assertJson(['data' => ['name' => 'Summer Festival 2026']]);
+
+        $this->assertDatabaseHas('events', [
+            'organisation_id' => $this->organisation->id,
+            'slug' => 'summer-festival-2026',
+        ]);
+    }
+
+    public function test_outsider_cannot_create_event(): void
+    {
+        Sanctum::actingAs($this->outsider);
+
+        $response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events", [
+            'name' => 'Hacked Event',
+            'slug' => 'hacked-event',
+            'start_date' => '2026-07-01',
+            'end_date' => '2026-07-03',
+        ]);
+
+        $response->assertForbidden();
+    }
+
+    public function test_unauthenticated_user_cannot_create_event(): void
+    {
+        $response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events", [
+            'name' => 'Anon Event',
+            'slug' => 'anon-event',
+            'start_date' => '2026-07-01',
+            'end_date' => '2026-07-03',
+        ]);
+
+        $response->assertUnauthorized();
+    }
+
+    // --- UPDATE ---
+
+    public function test_org_admin_can_update_event(): void
+    {
+        $event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
+
+        Sanctum::actingAs($this->orgAdmin);
+
+        $response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
+            'name' => 'Updated Festival',
+        ]);
+
+        $response->assertOk()
+            ->assertJson(['data' => ['name' => 'Updated Festival']]);
+    }
+
+    public function test_outsider_cannot_update_event(): void
+    {
+        $event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
+
+        Sanctum::actingAs($this->outsider);
+
+        $response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}", [
+            'name' => 'Hacked',
+        ]);
+
+        $response->assertForbidden();
+    }
+
+    // --- CROSS-ORG ---
+
+    public function test_event_from_other_org_returns_404(): void
+    {
+        $otherOrg = Organisation::factory()->create();
+        $event = Event::factory()->create(['organisation_id' => $otherOrg->id]);
+
+        Sanctum::actingAs($this->admin);
+
+        $response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$event->id}");
+
+        $response->assertNotFound();
+    }
+}