security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Requests/Api/V1/StoreShiftRequest.php

@@ -28,7 +28,7 @@ final class StoreShiftRequest extends FormRequest
 
                 $query->whereIn('event_id', $eventIds);
             })],
-            'location_id' => ['nullable', 'ulid', 'exists:locations,id'],
+            'location_id' => ['nullable', 'ulid', Rule::exists('locations', 'id')->where('event_id', $this->route('event')->id)],
             'title' => ['nullable', 'string', 'max:255'],
             'description' => ['nullable', 'string'],
             'instructions' => ['nullable', 'string'],