feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Frontend:
- Consolidate duplicate API layers into single src/lib/axios.ts per app
- Remove src/lib/api-client.ts and src/utils/api.ts (admin)
- Add src/lib/query-client.ts with TanStack Query config per app
- Update all imports and auto-import config

Backend:
- Fix organisations.billing_status default to 'trial'
- Fix user_invitations.invited_by_user_id to nullOnDelete
- Add MeResource with separated app_roles and pivot-based org roles
- Add cross-org check to EventPolicy view() and update()
- Restrict EventPolicy create/update to org_admin/event_manager (not org_member)
- Attach creator as org_admin on organisation store
- Add query scopes to Event and UserInvitation models
- Improve factories with Dutch test data
- Expand test suite from 29 to 41 tests (90 assertions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/admin/auto-imports.d.ts

@@ -6,13 +6,14 @@
 // biome-ignore lint: disable
 export {}
 declare global {
-  const $api: typeof import('./src/utils/api')['$api']
+  const $api: typeof import('./src/lib/axios')['$api']
   const COOKIE_MAX_AGE_1_YEAR: typeof import('./src/utils/constants')['COOKIE_MAX_AGE_1_YEAR']
   const CreateUrl: typeof import('./src/@core/composable/CreateUrl')['CreateUrl']
   const EffectScope: typeof import('vue')['EffectScope']
   const acceptHMRUpdate: typeof import('pinia')['acceptHMRUpdate']
   const alphaDashValidator: typeof import('./src/@core/utils/validators')['alphaDashValidator']
   const alphaValidator: typeof import('./src/@core/utils/validators')['alphaValidator']
+  const apiClient: typeof import('./src/lib/axios')['apiClient']
   const asyncComputed: typeof import('@vueuse/core')['asyncComputed']
   const autoResetRef: typeof import('@vueuse/core')['autoResetRef']
   const avatarText: typeof import('./src/@core/utils/formatters')['avatarText']
@@ -378,12 +379,13 @@ import { UnwrapRef } from 'vue'
 declare module 'vue' {
   interface GlobalComponents {}
   interface ComponentCustomProperties {
-    readonly $api: UnwrapRef<typeof import('./src/utils/api')['$api']>
+    readonly $api: UnwrapRef<typeof import('./src/lib/axios')['$api']>
     readonly COOKIE_MAX_AGE_1_YEAR: UnwrapRef<typeof import('./src/utils/constants')['COOKIE_MAX_AGE_1_YEAR']>
     readonly EffectScope: UnwrapRef<typeof import('vue')['EffectScope']>
     readonly acceptHMRUpdate: UnwrapRef<typeof import('pinia')['acceptHMRUpdate']>
     readonly alphaDashValidator: UnwrapRef<typeof import('./src/@core/utils/validators')['alphaDashValidator']>
     readonly alphaValidator: UnwrapRef<typeof import('./src/@core/utils/validators')['alphaValidator']>
+    readonly apiClient: UnwrapRef<typeof import('./src/lib/axios')['apiClient']>
     readonly asyncComputed: UnwrapRef<typeof import('@vueuse/core')['asyncComputed']>
     readonly autoResetRef: UnwrapRef<typeof import('@vueuse/core')['autoResetRef']>
     readonly avatarText: UnwrapRef<typeof import('./src/@core/utils/formatters')['avatarText']>

apps/admin/src/composables/useEvents.ts

@@ -1,5 +1,5 @@
 import { computed, ref } from 'vue'
-import { apiClient } from '@/lib/api-client'
+import { apiClient } from '@/lib/axios'
 import { useCurrentOrganisationId } from '@/composables/useOrganisationContext'
 import type { ApiResponse, CreateEventData, Event, Pagination, UpdateEventData } from '@/types/events'
 

apps/admin/src/lib/axios.ts

@@ -1,12 +1,7 @@
 import axios from 'axios'
 import { parse } from 'cookie-es'
-import type { AxiosInstance, InternalAxiosRequestConfig } from 'axios'
+import type { AxiosInstance, AxiosRequestConfig, InternalAxiosRequestConfig } from 'axios'
 
-/**
- * Single axios instance for the real Laravel API (VITE_API_URL).
- * Auth: Bearer token from cookie 'accessToken' (set by login).
- * Use this for all Crewli API calls; useApi (composables/useApi) stays for Vuexy demo/mock endpoints.
- */
 const apiClient: AxiosInstance = axios.create({
   baseURL: import.meta.env.VITE_API_URL,
   headers: {
@@ -57,7 +52,6 @@ apiClient.interceptors.response.use(
     }
 
     if (error.response?.status === 401) {
-      // Clear auth cookies (align with utils/api.ts / login flow)
       document.cookie = 'accessToken=; path=/; max-age=0'
       document.cookie = 'userData=; path=/; max-age=0'
       document.cookie = 'userAbilityRules=; path=/; max-age=0'
@@ -70,4 +64,42 @@ apiClient.interceptors.response.use(
   },
 )
 
+type ApiOptions = {
+  method?: string
+  body?: unknown
+  query?: Record<string, string | number | boolean | undefined>
+  onResponseError?: (ctx: { response: { status: number; _data?: { errors?: Record<string, string[]>; message?: string } } }) => void
+}
+
+/**
+ * Thin ofetch-style wrapper kept for Vuexy template compatibility.
+ * Prefer apiClient directly in new Crewli code.
+ */
+export async function $api<T = unknown>(url: string, options: ApiOptions = {}): Promise<T> {
+  const { method = 'GET', body, query, onResponseError } = options
+
+  const config: AxiosRequestConfig = {
+    method: method.toLowerCase() as AxiosRequestConfig['method'],
+    url,
+    params: query,
+    data: body,
+  }
+
+  try {
+    const response = await apiClient.request<T>(config)
+    return response.data
+  }
+  catch (error: any) {
+    if (onResponseError && error.response) {
+      onResponseError({
+        response: {
+          status: error.response.status,
+          _data: error.response.data,
+        },
+      })
+    }
+    throw error
+  }
+}
+
 export { apiClient }

apps/admin/src/lib/query-client.ts

@@ -0,0 +1,12 @@
+import type { VueQueryPluginOptions } from '@tanstack/vue-query'
+
+export const queryClientConfig: VueQueryPluginOptions = {
+  queryClientConfig: {
+    defaultOptions: {
+      queries: {
+        staleTime: 1000 * 60 * 5, // 5 minutes
+        retry: 1,
+      },
+    },
+  },
+}

apps/admin/src/main.ts

@@ -1,5 +1,6 @@
 import { createApp } from 'vue'
 import { VueQueryPlugin } from '@tanstack/vue-query'
+import { queryClientConfig } from '@/lib/query-client'
 
 import App from '@/App.vue'
 import { registerPlugins } from '@core/utils/plugins'
@@ -18,13 +19,7 @@ app.config.errorHandler = (err, instance, info) => {
 }
 
 // Register plugins
-app.use(VueQueryPlugin, {
-  queryClientConfig: {
-    defaultOptions: {
-      queries: { staleTime: 1000 * 60 * 5, retry: 1 },
-    },
-  },
-})
+app.use(VueQueryPlugin, queryClientConfig)
 
 try {
   registerPlugins(app)

apps/admin/src/utils/api.ts

@@ -1,40 +0,0 @@
-import type { AxiosRequestConfig } from 'axios'
-import { apiClient } from '@/lib/api-client'
-
-type ApiOptions = {
-  method?: string
-  body?: unknown
-  query?: Record<string, string | number | boolean | undefined>
-  onResponseError?: (ctx: { response: { status: number; _data?: { errors?: Record<string, string[]>; message?: string } } }) => void
-}
-
-/**
- * Thin ofetch-style wrapper around the single axios client (lib/axios).
- * Use apiClient from @/lib/axios directly in new code; $api remains for Vuexy template compatibility.
- */
-export async function $api<T = unknown>(url: string, options: ApiOptions = {}): Promise<T> {
-  const { method = 'GET', body, query, onResponseError } = options
-
-  const config: AxiosRequestConfig = {
-    method: method.toLowerCase() as AxiosRequestConfig['method'],
-    url,
-    params: query,
-    data: body,
-  }
-
-  try {
-    const response = await apiClient.request<T>(config)
-    return response.data
-  }
-  catch (error: any) {
-    if (onResponseError && error.response) {
-      onResponseError({
-        response: {
-          status: error.response.status,
-          _data: error.response.data,
-        },
-      })
-    }
-    throw error
-  }
-}

apps/admin/vite.config.ts

@@ -73,6 +73,7 @@ export default defineConfig({
         './src/@core/composable/',
         './src/composables/',
         './src/utils/',
+        './src/lib/',
         './src/plugins/*/composables/*',
       ],
       vueTemplate: true,

apps/app/src/composables/useEvents.ts

@@ -1,5 +1,5 @@
 import { computed, ref } from 'vue'
-import { apiClient } from '@/lib/api-client'
+import { apiClient } from '@/lib/axios'
 import { useCurrentOrganisationId } from '@/composables/useOrganisationContext'
 import type { ApiResponse, Event, Pagination } from '@/types/events'
 

apps/app/src/lib/axios.ts

@@ -2,11 +2,6 @@ import axios from 'axios'
 import { parse } from 'cookie-es'
 import type { AxiosInstance, InternalAxiosRequestConfig } from 'axios'
 
-/**
- * Single axios instance for the Laravel API (`VITE_API_URL`, e.g. …/api/v1).
- * Auth: Bearer token from cookie `accessToken` (set by login).
- * Use composables built on this client for real API calls; Vuexy `useApi` remains for demos/mocks.
- */
 const apiClient: AxiosInstance = axios.create({
   baseURL: import.meta.env.VITE_API_URL,
   headers: {

apps/app/src/lib/query-client.ts

@@ -0,0 +1,12 @@
+import type { VueQueryPluginOptions } from '@tanstack/vue-query'
+
+export const queryClientConfig: VueQueryPluginOptions = {
+  queryClientConfig: {
+    defaultOptions: {
+      queries: {
+        staleTime: 1000 * 60 * 5, // 5 minutes
+        retry: 1,
+      },
+    },
+  },
+}

apps/app/src/main.ts

@@ -1,5 +1,6 @@
 import { createApp } from 'vue'
 import { VueQueryPlugin } from '@tanstack/vue-query'
+import { queryClientConfig } from '@/lib/query-client'
 
 import App from '@/App.vue'
 import { registerPlugins } from '@core/utils/plugins'
@@ -14,13 +15,7 @@ const app = createApp(App)
 // Register plugins
 registerPlugins(app)
 
-app.use(VueQueryPlugin, {
-  queryClientConfig: {
-    defaultOptions: {
-      queries: { staleTime: 1000 * 60 * 5, retry: 1 },
-    },
-  },
-})
+app.use(VueQueryPlugin, queryClientConfig)
 
 // Mount vue app
 app.mount('#app')

apps/app/src/pages/login.vue

@@ -10,7 +10,7 @@ import authV2MaskDark from '@images/pages/misc-mask-dark.png'
 import authV2MaskLight from '@images/pages/misc-mask-light.png'
 import { VNodeRenderer } from '@layouts/components/VNodeRenderer'
 import { themeConfig } from '@themeConfig'
-import { apiClient } from '@/lib/api-client'
+import { apiClient } from '@/lib/axios'
 import { emailValidator, requiredValidator } from '@core/utils/validators'
 
 definePage({
@@ -54,7 +54,7 @@ async function handleLogin() {
     })
 
     if (data.success && data.data) {
-      // Store token in cookie (api-client reads from accessToken cookie)
+      // Store token in cookie (axios interceptor reads from accessToken cookie)
       document.cookie = `accessToken=${data.data.token}; path=/`
 
       // Store user data in cookie if needed

apps/portal/auto-imports.d.ts

@@ -375,7 +375,6 @@ import { UnwrapRef } from 'vue'
 declare module 'vue' {
   interface GlobalComponents {}
   interface ComponentCustomProperties {
-    readonly $api: UnwrapRef<typeof import('./src/utils/api')['$api']>
     readonly COOKIE_MAX_AGE_1_YEAR: UnwrapRef<typeof import('./src/utils/constants')['COOKIE_MAX_AGE_1_YEAR']>
     readonly EffectScope: UnwrapRef<typeof import('vue')['EffectScope']>
     readonly acceptHMRUpdate: UnwrapRef<typeof import('pinia')['acceptHMRUpdate']>
@@ -527,7 +526,6 @@ declare module 'vue' {
     readonly useAbs: UnwrapRef<typeof import('@vueuse/math')['useAbs']>
     readonly useActiveElement: UnwrapRef<typeof import('@vueuse/core')['useActiveElement']>
     readonly useAnimate: UnwrapRef<typeof import('@vueuse/core')['useAnimate']>
-    readonly useApi: UnwrapRef<typeof import('./src/composables/useApi')['useApi']>
     readonly useArrayDifference: UnwrapRef<typeof import('@vueuse/core')['useArrayDifference']>
     readonly useArrayEvery: UnwrapRef<typeof import('@vueuse/core')['useArrayEvery']>
     readonly useArrayFilter: UnwrapRef<typeof import('@vueuse/core')['useArrayFilter']>

apps/portal/src/lib/query-client.ts

@@ -0,0 +1,12 @@
+import type { VueQueryPluginOptions } from '@tanstack/vue-query'
+
+export const queryClientConfig: VueQueryPluginOptions = {
+  queryClientConfig: {
+    defaultOptions: {
+      queries: {
+        staleTime: 1000 * 60 * 5, // 5 minutes
+        retry: 1,
+      },
+    },
+  },
+}

apps/portal/src/main.ts

@@ -1,5 +1,6 @@
 import { createApp } from 'vue'
 import { VueQueryPlugin } from '@tanstack/vue-query'
+import { queryClientConfig } from '@/lib/query-client'
 
 import App from '@/App.vue'
 import { registerPlugins } from '@core/utils/plugins'
@@ -14,13 +15,7 @@ const app = createApp(App)
 // Register plugins
 registerPlugins(app)
 
-app.use(VueQueryPlugin, {
-  queryClientConfig: {
-    defaultOptions: {
-      queries: { staleTime: 1000 * 60 * 5, retry: 1 },
-    },
-  },
-})
+app.use(VueQueryPlugin, queryClientConfig)
 
 // Mount vue app
 app.mount('#app')