security: round 2 — multi-tenancy isolation (OrganisationScope, scoped validation, boundary checks)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Requests/Api/V1/SyncVolunteerAvailabilityRequest.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Requests\Api\V1;
 
 use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Rule;
 
 final class SyncVolunteerAvailabilityRequest extends FormRequest
 {
@@ -16,9 +17,20 @@ final class SyncVolunteerAvailabilityRequest extends FormRequest
     /** @return array<string, mixed> */
     public function rules(): array
     {
+        $event = $this->route('event');
+        $eventIds = [$event->id];
+        if ($event->parent_event_id) {
+            $eventIds[] = $event->parent_event_id;
+        } elseif ($event->isFestival()) {
+            $eventIds = array_merge($eventIds, $event->children()->pluck('id')->all());
+        }
+
         return [
             'availabilities' => ['required', 'array'],
-            'availabilities.*.time_slot_id' => ['required', 'ulid', 'exists:time_slots,id'],
+            'availabilities.*.time_slot_id' => [
+                'required', 'ulid',
+                Rule::exists('time_slots', 'id')->whereIn('event_id', $eventIds),
+            ],
             'availabilities.*.preference_level' => ['sometimes', 'integer', 'min:1', 'max:5'],
         ];
     }