security: critical fixes (test route, edit authz, nostr signature, calendar IDOR)

- Remove unauthenticated /test route that dispatched FetchNostrProfileJob
  for a hardcoded user (routes/web.php).
- Enforce created_by ownership check in meetup and lecturer Livewire edit
  components; mirror the existing services/edit pattern.
- Replace blind-trust nostrLoggedIn handler with NIP-42-style signed event
  verification: server-issued challenge stored in session, client signs a
  kind:22242 event, server verifies signature via swentel/nostr-php and
  derives npub. Challenge is single-use with 5-minute TTL.
- Validate the ?my[] parameter on the calendar download endpoint as an
  array of integers and intersect with the authenticated user's meetups.

resources/views/livewire/lecturers/edit.blade.php

@@ -45,8 +45,17 @@ class extends Component {
     #[Locked]
     public ?string $updated_at = null;
 
+    protected function authorizeAccess(): void
+    {
+        if (!is_null($this->lecturer->created_by) && auth()->id() !== $this->lecturer->created_by) {
+            abort(403);
+        }
+    }
+
     public function mount(): void
     {
+        $this->authorizeAccess();
+
         $this->lecturer->load('media');
 
         $this->name = $this->lecturer->name ?? '';
@@ -70,6 +79,8 @@ class extends Component {
 
     public function updateLecturer(): void
     {
+        $this->authorizeAccess();
+
         $validated = $this->validate([
             'name' => ['required', 'string', 'max:255', Rule::unique('lecturers')->ignore($this->lecturer->id)],
             'subtitle' => ['nullable', 'string'],