feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Frontend:
- Consolidate duplicate API layers into single src/lib/axios.ts per app
- Remove src/lib/api-client.ts and src/utils/api.ts (admin)
- Add src/lib/query-client.ts with TanStack Query config per app
- Update all imports and auto-import config

Backend:
- Fix organisations.billing_status default to 'trial'
- Fix user_invitations.invited_by_user_id to nullOnDelete
- Add MeResource with separated app_roles and pivot-based org roles
- Add cross-org check to EventPolicy view() and update()
- Restrict EventPolicy create/update to org_admin/event_manager (not org_member)
- Attach creator as org_admin on organisation store
- Add query scopes to Event and UserInvitation models
- Improve factories with Dutch test data
- Expand test suite from 29 to 41 tests (90 assertions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/EventController.php

@@ -29,9 +29,7 @@ final class EventController extends Controller
 
     public function show(Organisation $organisation, Event $event): JsonResponse
     {
-        Gate::authorize('view', $event);
-
-        abort_unless($event->organisation_id === $organisation->id, 404);
+        Gate::authorize('view', [$event, $organisation]);
 
         return $this->success(new EventResource($event->load('organisation')));
     }
@@ -47,9 +45,7 @@ final class EventController extends Controller
 
     public function update(UpdateEventRequest $request, Organisation $organisation, Event $event): JsonResponse
     {
-        Gate::authorize('update', $event);
-
-        abort_unless($event->organisation_id === $organisation->id, 404);
+        Gate::authorize('update', [$event, $organisation]);
 
         $event->update($request->validated());