security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Requests/Api/V1/BulkApproveShiftAssignmentRequest.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Requests\Api\V1;
 
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
 
 final class BulkApproveShiftAssignmentRequest extends FormRequest
 {
@@ -16,9 +17,22 @@ final class BulkApproveShiftAssignmentRequest extends FormRequest
     /** @return array<string, mixed> */
     public function rules(): array
     {
+        $event = $this->route('event');
+
         return [
             'assignment_ids' => ['required', 'array', 'min:1', 'max:100'],
-            'assignment_ids.*' => ['required', 'ulid', 'exists:shift_assignments,id'],
+            'assignment_ids.*' => [
+                'required', 'ulid',
+                Rule::exists('shift_assignments', 'id')->where(function ($query) use ($event) {
+                    $query->whereIn('shift_id', function ($q) use ($event) {
+                        $q->select('id')->from('shifts')
+                            ->whereIn('festival_section_id', function ($q2) use ($event) {
+                                $q2->select('id')->from('festival_sections')
+                                    ->where('event_id', $event->id);
+                            });
+                    });
+                }),
+            ],
         ];
     }
 }