security: critical fixes (test route, edit authz, nostr signature, calendar IDOR)

- Remove unauthenticated /test route that dispatched FetchNostrProfileJob
  for a hardcoded user (routes/web.php).
- Enforce created_by ownership check in meetup and lecturer Livewire edit
  components; mirror the existing services/edit pattern.
- Replace blind-trust nostrLoggedIn handler with NIP-42-style signed event
  verification: server-issued challenge stored in session, client signs a
  kind:22242 event, server verifies signature via swentel/nostr-php and
  derives npub. Challenge is single-use with 5-minute TTL.
- Validate the ?my[] parameter on the calendar download endpoint as an
  array of integers and intersect with the authenticated user's meetups.
Claude
2026-05-03 12:51:10 +00:00
parent 1f9e5309d2
commit 90835f8b1f
6 changed files with 139 additions and 20 deletions
@@ -29,7 +29,17 @@ class DownloadMeetupCalendar extends Controller
$events = $meetup->meetupEvents()->where('start', '>=', now())->get();
$image = $meetup->getFirstMediaUrl('logo');
} elseif ($request->has('my')) {
$ids = $request->input('my');
$validated = $request->validate([
'my' => ['required', 'array'],
'my.*' => ['integer'],
]);
$ids = $validated['my'];
if (auth()->check()) {
$ownedIds = auth()->user()->meetups->pluck('id')->all();
$ids = array_values(array_intersect($ids, $ownedIds));
}
$events = MeetupEvent::query()
->with([
'meetup',
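Review bot: the `if (auth()->check())` guard around the intersection means that for an unauthenticated request the intersection is skipped and `$ids` keeps the caller-supplied values, so `?my[]=...` still queries whatever meetup IDs the caller names; the commit message describes intersecting with the authenticated user's meetups, but this branch only does that for logged-in callers. Consider either aborting (401/403) in the `my` branch when no user is authenticated, or adding an `else { $ids = []; }` so the branch never returns events for meetups the requester does not own; if guest access to this branch is intended, a short comment stating that the data is public would make the choice explicit.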