security: critical fixes (test route, edit authz, nostr signature, calendar IDOR)

- Remove unauthenticated /test route that dispatched FetchNostrProfileJob
  for a hardcoded user (routes/web.php).
- Enforce created_by ownership check in meetup and lecturer Livewire edit
  components; mirror the existing services/edit pattern.
- Replace blind-trust nostrLoggedIn handler with NIP-42-style signed event
  verification: server-issued challenge stored in session, client signs a
  kind:22242 event, server verifies signature via swentel/nostr-php and
  derives npub. Challenge is single-use with 5-minute TTL.
- Validate the ?my[] parameter on the calendar download endpoint as an
  array of integers and intersect with the authenticated user's meetups.

resources/views/livewire/meetups/edit.blade.php

@@ -83,8 +83,17 @@ class extends Component {
         \Flux\Flux::modal('add-city')->close();
     }
 
+    protected function authorizeAccess(): void
+    {
+        if (!is_null($this->meetup->created_by) && auth()->id() !== $this->meetup->created_by) {
+            abort(403);
+        }
+    }
+
     public function mount(): void
     {
+        $this->authorizeAccess();
+
         $this->meetup->load('media');
 
         // Basic Information
@@ -117,6 +126,8 @@ class extends Component {
 
     public function updateMeetup(): void
     {
+        $this->authorizeAccess();
+
         $validated = $this->validate([
             'name' => ['required', 'string', 'max:255', Rule::unique('meetups')->ignore($this->meetup->id)],
             'city_id' => ['nullable', 'exists:cities,id'],