security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Requests/Api/V1/BulkConfirmIdentityMatchesRequest.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Requests\Api\V1;
 
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
 
 final class BulkConfirmIdentityMatchesRequest extends FormRequest
 {
@@ -16,9 +17,22 @@ final class BulkConfirmIdentityMatchesRequest extends FormRequest
     /** @return array<string, mixed> */
     public function rules(): array
     {
+        $organisation = $this->route('organisation');
+
         return [
             'match_ids' => ['required', 'array', 'min:1', 'max:100'],
-            'match_ids.*' => ['required', 'string', 'exists:person_identity_matches,id'],
+            'match_ids.*' => [
+                'required', 'string',
+                Rule::exists('person_identity_matches', 'id')->where(function ($query) use ($organisation) {
+                    $query->whereIn('person_id', function ($q) use ($organisation) {
+                        $q->select('id')->from('persons')
+                            ->whereIn('event_id', function ($q2) use ($organisation) {
+                                $q2->select('id')->from('events')
+                                    ->where('organisation_id', $organisation->id);
+                            });
+                    });
+                }),
+            ],
         ];
     }
 }