feat: set preferred MFA method from account settings

Adds the ability for users to change their preferred/primary MFA method
when both TOTP and email are available.

Backend:
- Add PUT /auth/mfa/preferred-method endpoint with validation
  (method must be totp/email, MFA must be enabled, TOTP must be
  configured if selecting totp)
- Add totp_configured and email_configured fields to MFA status
  endpoint (totp = has secret + enabled, email = always when enabled)
- Fix setupEmail() to preserve mfa_secret so TOTP config survives
  when email is set up as a second method

Frontend (organizer + portal):
- Add useSetPreferredMethod() composable to useMfa.ts
- Add totp_configured/email_configured to MfaStatus type
- SecurityTab method cards now show "Primaire methode" chip on the
  preferred method and "Als primair instellen" button on the other
- Portal security section shows per-method rows with status chips
  and primary switching

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/routes/api.php

@@ -137,6 +137,7 @@ Route::middleware('auth:sanctum')->group(function () {
     Route::post('auth/mfa/disable', [MfaSetupController::class, 'disable']);
     Route::post('auth/mfa/backup-codes', [MfaSetupController::class, 'regenerateBackupCodes']);
     Route::get('auth/mfa/status', [MfaSetupController::class, 'status']);
+    Route::put('auth/mfa/preferred-method', [MfaSetupController::class, 'setPreferredMethod']);
 
     // Trusted devices
     Route::get('auth/trusted-devices', [TrustedDeviceController::class, 'index']);