security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/CrowdListController.php

@@ -78,7 +78,8 @@ final class CrowdListController extends Controller
     {
         Gate::authorize('managePerson', [$crowdList, $event]);
 
-        $person = Person::findOrFail($request->validated('person_id'));
+        $festivalEventId = $event->parent_event_id ?? $event->id;
+        $person = Person::where('event_id', $festivalEventId)->findOrFail($request->validated('person_id'));
 
         $this->crowdListService->addPerson($crowdList, $person, $request->user());