feat: enterprise MFA with TOTP, email codes, backup codes, and trusted devices

Three verification methods (TOTP authenticator, email code, backup codes),
trusted device management with 30-day expiry, role-based enforcement for
super_admin and org_admin, admin reset capability, and full test coverage
(46 tests). Modifies login flow to support MFA challenge/response with
temporary session tokens stored in cache.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/Admin/AdminUserController.php

@@ -8,7 +8,9 @@ use App\Http\Controllers\Controller;
 use App\Http\Requests\Admin\AdminUpdateUserRequest;
 use App\Http\Resources\Admin\AdminUserResource;
 use App\Models\User;
+use App\Services\MfaService;
 use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
 use Illuminate\Http\Resources\Json\AnonymousResourceCollection;
 
 final class AdminUserController extends Controller
@@ -87,4 +89,15 @@ final class AdminUserController extends Controller
 
         return response()->json(null, 204);
     }
+
+    public function resetMfa(Request $request, User $user, MfaService $mfaService): JsonResponse
+    {
+        if (! $user->mfa_enabled) {
+            return $this->error('MFA is niet ingeschakeld voor deze gebruiker.', 422);
+        }
+
+        $mfaService->adminReset($request->user(), $user);
+
+        return $this->success(null, 'MFA reset for user');
+    }
 }