feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Frontend:
- Consolidate duplicate API layers into single src/lib/axios.ts per app
- Remove src/lib/api-client.ts and src/utils/api.ts (admin)
- Add src/lib/query-client.ts with TanStack Query config per app
- Update all imports and auto-import config

Backend:
- Fix organisations.billing_status default to 'trial'
- Fix user_invitations.invited_by_user_id to nullOnDelete
- Add MeResource with separated app_roles and pivot-based org roles
- Add cross-org check to EventPolicy view() and update()
- Restrict EventPolicy create/update to org_admin/event_manager (not org_member)
- Attach creator as org_admin on organisation store
- Add query scopes to Event and UserInvitation models
- Improve factories with Dutch test data
- Expand test suite from 29 to 41 tests (90 assertions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/admin/auto-imports.d.ts

@@ -6,13 +6,14 @@
 // biome-ignore lint: disable
 export {}
 declare global {
-  const $api: typeof import('./src/utils/api')['$api']
+  const $api: typeof import('./src/lib/axios')['$api']
   const COOKIE_MAX_AGE_1_YEAR: typeof import('./src/utils/constants')['COOKIE_MAX_AGE_1_YEAR']
   const CreateUrl: typeof import('./src/@core/composable/CreateUrl')['CreateUrl']
   const EffectScope: typeof import('vue')['EffectScope']
   const acceptHMRUpdate: typeof import('pinia')['acceptHMRUpdate']
   const alphaDashValidator: typeof import('./src/@core/utils/validators')['alphaDashValidator']
   const alphaValidator: typeof import('./src/@core/utils/validators')['alphaValidator']
+  const apiClient: typeof import('./src/lib/axios')['apiClient']
   const asyncComputed: typeof import('@vueuse/core')['asyncComputed']
   const autoResetRef: typeof import('@vueuse/core')['autoResetRef']
   const avatarText: typeof import('./src/@core/utils/formatters')['avatarText']
@@ -378,12 +379,13 @@ import { UnwrapRef } from 'vue'
 declare module 'vue' {
   interface GlobalComponents {}
   interface ComponentCustomProperties {
-    readonly $api: UnwrapRef<typeof import('./src/utils/api')['$api']>
+    readonly $api: UnwrapRef<typeof import('./src/lib/axios')['$api']>
     readonly COOKIE_MAX_AGE_1_YEAR: UnwrapRef<typeof import('./src/utils/constants')['COOKIE_MAX_AGE_1_YEAR']>
     readonly EffectScope: UnwrapRef<typeof import('vue')['EffectScope']>
     readonly acceptHMRUpdate: UnwrapRef<typeof import('pinia')['acceptHMRUpdate']>
     readonly alphaDashValidator: UnwrapRef<typeof import('./src/@core/utils/validators')['alphaDashValidator']>
     readonly alphaValidator: UnwrapRef<typeof import('./src/@core/utils/validators')['alphaValidator']>
+    readonly apiClient: UnwrapRef<typeof import('./src/lib/axios')['apiClient']>
     readonly asyncComputed: UnwrapRef<typeof import('@vueuse/core')['asyncComputed']>
     readonly autoResetRef: UnwrapRef<typeof import('@vueuse/core')['autoResetRef']>
     readonly avatarText: UnwrapRef<typeof import('./src/@core/utils/formatters')['avatarText']>

apps/admin/src/composables/useEvents.ts

@@ -1,5 +1,5 @@
 import { computed, ref } from 'vue'
-import { apiClient } from '@/lib/api-client'
+import { apiClient } from '@/lib/axios'
 import { useCurrentOrganisationId } from '@/composables/useOrganisationContext'
 import type { ApiResponse, CreateEventData, Event, Pagination, UpdateEventData } from '@/types/events'
 

apps/admin/src/lib/axios.ts

@@ -1,12 +1,7 @@
 import axios from 'axios'
 import { parse } from 'cookie-es'
-import type { AxiosInstance, InternalAxiosRequestConfig } from 'axios'
+import type { AxiosInstance, AxiosRequestConfig, InternalAxiosRequestConfig } from 'axios'
 
-/**
- * Single axios instance for the real Laravel API (VITE_API_URL).
- * Auth: Bearer token from cookie 'accessToken' (set by login).
- * Use this for all Crewli API calls; useApi (composables/useApi) stays for Vuexy demo/mock endpoints.
- */
 const apiClient: AxiosInstance = axios.create({
   baseURL: import.meta.env.VITE_API_URL,
   headers: {
@@ -57,7 +52,6 @@ apiClient.interceptors.response.use(
     }
 
     if (error.response?.status === 401) {
-      // Clear auth cookies (align with utils/api.ts / login flow)
       document.cookie = 'accessToken=; path=/; max-age=0'
       document.cookie = 'userData=; path=/; max-age=0'
       document.cookie = 'userAbilityRules=; path=/; max-age=0'
@@ -70,4 +64,42 @@ apiClient.interceptors.response.use(
   },
 )
 
+type ApiOptions = {
+  method?: string
+  body?: unknown
+  query?: Record<string, string | number | boolean | undefined>
+  onResponseError?: (ctx: { response: { status: number; _data?: { errors?: Record<string, string[]>; message?: string } } }) => void
+}
+
+/**
+ * Thin ofetch-style wrapper kept for Vuexy template compatibility.
+ * Prefer apiClient directly in new Crewli code.
+ */
+export async function $api<T = unknown>(url: string, options: ApiOptions = {}): Promise<T> {
+  const { method = 'GET', body, query, onResponseError } = options
+
+  const config: AxiosRequestConfig = {
+    method: method.toLowerCase() as AxiosRequestConfig['method'],
+    url,
+    params: query,
+    data: body,
+  }
+
+  try {
+    const response = await apiClient.request<T>(config)
+    return response.data
+  }
+  catch (error: any) {
+    if (onResponseError && error.response) {
+      onResponseError({
+        response: {
+          status: error.response.status,
+          _data: error.response.data,
+        },
+      })
+    }
+    throw error
+  }
+}
+
 export { apiClient }

apps/admin/src/lib/query-client.ts

@@ -0,0 +1,12 @@
+import type { VueQueryPluginOptions } from '@tanstack/vue-query'
+
+export const queryClientConfig: VueQueryPluginOptions = {
+  queryClientConfig: {
+    defaultOptions: {
+      queries: {
+        staleTime: 1000 * 60 * 5, // 5 minutes
+        retry: 1,
+      },
+    },
+  },
+}

apps/admin/src/main.ts

@@ -1,5 +1,6 @@
 import { createApp } from 'vue'
 import { VueQueryPlugin } from '@tanstack/vue-query'
+import { queryClientConfig } from '@/lib/query-client'
 
 import App from '@/App.vue'
 import { registerPlugins } from '@core/utils/plugins'
@@ -18,13 +19,7 @@ app.config.errorHandler = (err, instance, info) => {
 }
 
 // Register plugins
-app.use(VueQueryPlugin, {
-  queryClientConfig: {
-    defaultOptions: {
-      queries: { staleTime: 1000 * 60 * 5, retry: 1 },
-    },
-  },
-})
+app.use(VueQueryPlugin, queryClientConfig)
 
 try {
   registerPlugins(app)

apps/admin/src/utils/api.ts

@@ -1,40 +0,0 @@
-import type { AxiosRequestConfig } from 'axios'
-import { apiClient } from '@/lib/api-client'
-
-type ApiOptions = {
-  method?: string
-  body?: unknown
-  query?: Record<string, string | number | boolean | undefined>
-  onResponseError?: (ctx: { response: { status: number; _data?: { errors?: Record<string, string[]>; message?: string } } }) => void
-}
-
-/**
- * Thin ofetch-style wrapper around the single axios client (lib/axios).
- * Use apiClient from @/lib/axios directly in new code; $api remains for Vuexy template compatibility.
- */
-export async function $api<T = unknown>(url: string, options: ApiOptions = {}): Promise<T> {
-  const { method = 'GET', body, query, onResponseError } = options
-
-  const config: AxiosRequestConfig = {
-    method: method.toLowerCase() as AxiosRequestConfig['method'],
-    url,
-    params: query,
-    data: body,
-  }
-
-  try {
-    const response = await apiClient.request<T>(config)
-    return response.data
-  }
-  catch (error: any) {
-    if (onResponseError && error.response) {
-      onResponseError({
-        response: {
-          status: error.response.status,
-          _data: error.response.data,
-        },
-      })
-    }
-    throw error
-  }
-}

apps/admin/vite.config.ts

@@ -73,6 +73,7 @@ export default defineConfig({
         './src/@core/composable/',
         './src/composables/',
         './src/utils/',
+        './src/lib/',
         './src/plugins/*/composables/*',
       ],
       vueTemplate: true,