feat(auth): add contexts + platform.is_super_admin to /auth/me, factory role-category states

Additive enrichment to MeResource — existing fields untouched, MeTest stays green.
New fields:
- contexts.available: list<'portal'|'organizer'> derived from Person + Organisation memberships
- contexts.default: precedence super_admin > organizer > portal > fallback portal
- platform.is_super_admin: bool promoted from app_roles
- organisations[].roles: 1-element array form alongside the legacy scalar role,
  forward-compatible for the multi-role pivot work tracked in TECH-PIVOT-ROLES-MULTI

UserFactory gains volunteer(), orgAdmin(), volunteerAndOrganizer(), superAdmin()
state methods — codified role categories for reuse across future workstreams.

Adds forbidden.vue placeholder (PublicLayout) for the context-failure landing in
the upcoming guard rewrite.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

api/tests/Feature/Auth/AuthMeShapeTest.php

@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Auth;
+
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+class AuthMeShapeTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+    }
+
+    public function test_volunteer_only_user_sees_portal_context(): void
+    {
+        $user = User::factory()->volunteer()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonStructure([
+                'data' => [
+                    'platform' => ['is_super_admin'],
+                    'contexts' => ['available', 'default'],
+                ],
+            ])
+            ->assertJsonPath('data.platform.is_super_admin', false)
+            ->assertJsonPath('data.contexts.available', ['portal'])
+            ->assertJsonPath('data.contexts.default', 'portal');
+    }
+
+    public function test_organizer_only_user_sees_organizer_context(): void
+    {
+        $user = User::factory()->orgAdmin()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonPath('data.platform.is_super_admin', false)
+            ->assertJsonPath('data.contexts.available', ['organizer'])
+            ->assertJsonPath('data.contexts.default', 'organizer');
+    }
+
+    public function test_multi_role_user_sees_both_contexts_with_organizer_default(): void
+    {
+        $user = User::factory()->volunteerAndOrganizer()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonPath('data.contexts.available', ['portal', 'organizer'])
+            ->assertJsonPath('data.contexts.default', 'organizer');
+    }
+
+    public function test_super_admin_sees_organizer_context(): void
+    {
+        $user = User::factory()->superAdmin()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonPath('data.platform.is_super_admin', true)
+            ->assertJsonPath('data.contexts.available', ['organizer'])
+            ->assertJsonPath('data.contexts.default', 'organizer');
+    }
+
+    public function test_organisations_emit_roles_array_in_addition_to_scalar_role(): void
+    {
+        $user = User::factory()->orgAdmin()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonPath('data.organisations.0.role', 'org_admin')
+            ->assertJsonPath('data.organisations.0.roles', ['org_admin']);
+    }
+}