feat: enterprise MFA with TOTP, email codes, backup codes, and trusted devices

Three verification methods (TOTP authenticator, email code, backup codes),
trusted device management with 30-day expiry, role-based enforcement for
super_admin and org_admin, admin reset capability, and full test coverage
(46 tests). Modifies login flow to support MFA challenge/response with
temporary session tokens stored in cache.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Resources/Api/V1/MeResource.php

@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Resources\Api\V1;
 
 use App\Models\Person;
+use App\Services\MfaService;
 use Illuminate\Http\Request;
 use Illuminate\Http\Resources\Json\JsonResource;
 
@@ -45,6 +46,12 @@ final class MeResource extends JsonResource
                     'end_date' => $person->event->end_date?->toDateString(),
                 ])
             ),
+            'mfa' => [
+                'enabled' => $this->mfa_enabled,
+                'method' => $this->mfa_method,
+                'confirmed_at' => $this->mfa_confirmed_at?->toIso8601String(),
+                'setup_required' => app(MfaService::class)->isMfaRequired($this->resource) && ! $this->mfa_enabled,
+            ],
         ];
     }
 }

api/app/Http/Resources/Api/V1/TrustedDeviceResource.php

@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Resources\Api\V1;
+
+use Illuminate\Http\Request;
+use Illuminate\Http\Resources\Json\JsonResource;
+
+final class TrustedDeviceResource extends JsonResource
+{
+    public function toArray(Request $request): array
+    {
+        return [
+            'id' => $this->id,
+            'device_name' => $this->device_name,
+            'ip_address' => $this->ip_address,
+            'trusted_until' => $this->trusted_until->toIso8601String(),
+            'last_used_at' => $this->last_used_at?->toIso8601String(),
+            'created_at' => $this->created_at->toIso8601String(),
+        ];
+    }
+}