feat: consolidate frontend API layer, add query-client, and harden backend Fase 1

Frontend:
- Consolidate duplicate API layers into single src/lib/axios.ts per app
- Remove src/lib/api-client.ts and src/utils/api.ts (admin)
- Add src/lib/query-client.ts with TanStack Query config per app
- Update all imports and auto-import config

Backend:
- Fix organisations.billing_status default to 'trial'
- Fix user_invitations.invited_by_user_id to nullOnDelete
- Add MeResource with separated app_roles and pivot-based org roles
- Add cross-org check to EventPolicy view() and update()
- Restrict EventPolicy create/update to org_admin/event_manager (not org_member)
- Attach creator as org_admin on organisation store
- Add query scopes to Event and UserInvitation models
- Improve factories with Dutch test data
- Expand test suite from 29 to 41 tests (90 assertions)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/app/src/pages/login.vue

@@ -10,7 +10,7 @@ import authV2MaskDark from '@images/pages/misc-mask-dark.png'
 import authV2MaskLight from '@images/pages/misc-mask-light.png'
 import { VNodeRenderer } from '@layouts/components/VNodeRenderer'
 import { themeConfig } from '@themeConfig'
-import { apiClient } from '@/lib/api-client'
+import { apiClient } from '@/lib/axios'
 import { emailValidator, requiredValidator } from '@core/utils/validators'
 
 definePage({
@@ -54,7 +54,7 @@ async function handleLogin() {
     })
 
     if (data.success && data.data) {
-      // Store token in cookie (api-client reads from accessToken cookie)
+      // Store token in cookie (axios interceptor reads from accessToken cookie)
       document.cookie = `accessToken=${data.data.token}; path=/`
 
       // Store user data in cookie if needed