✨ Implement leadership-based permissions for Meetup management

- 🔒 Restrict event creation, editing, and deletion to Meetup leaders (`is_leader`) and creators for consistency across APIs, frontend, and MCP.
- ➕ Add new APIs for leader delegation: assign/remove Meetup leaders via `meetup_user.is_leader`.
- 🛠️ Replace loose member checks with specific leadership checks in policies, controllers, and views.
- 🧪 Add exhaustive tests to ensure only eligible leaders execute critical actions (e.g., event creation/edit, Meetup updates).
- 🔄 Refactor pivot relationships and models (`leadByMe`, `isLeader`) for explicit leadership handling.
- ✨ Introduce artisan command `meetups:promote-existing-leaders` to transition legacy data.

app/Http/Controllers/Api/MeetupLeaderController.php

@@ -0,0 +1,98 @@
+<?php
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Api\StoreMeetupLeaderRequest;
+use App\Models\Meetup;
+use App\Models\User;
+use App\Support\NostrLogin;
+use Dedoc\Scramble\Attributes\Group;
+use Dedoc\Scramble\Attributes\Response;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\Gate;
+use Symfony\Component\HttpFoundation\Response as HttpResponse;
+
+/**
+ * Leader-Delegation für Meetups: ein bestehender Leader (bzw. Ersteller/
+ * Super-Admin) verwaltet die Leader eines Meetups (meetup_user.is_leader).
+ * Leader dürfen die Stammdaten bearbeiten — siehe MeetupPolicy::update().
+ */
+#[Group(name: 'Meetups', weight: 3)]
+class MeetupLeaderController extends Controller
+{
+    /**
+     * Leader auflisten
+     *
+     * Liefert alle Leader eines Meetups (id, name, nostr, avatar, is_creator).
+     * Nur für Leader des Meetups sichtbar.
+     */
+    #[Response(status: 403, description: 'Nur ein Leader darf die Leader-Liste sehen.')]
+    public function index(Meetup $meetup): JsonResponse
+    {
+        Gate::authorize('manageLeaders', $meetup);
+
+        return response()->json(['data' => $this->leaders($meetup)]);
+    }
+
+    /**
+     * Leader einsetzen
+     *
+     * Setzt den Nutzer mit dem angegebenen npub als Leader ein. Existiert noch
+     * kein Account für den npub, wird er angelegt (greift, sobald die Person sich
+     * erstmals einloggt). Idempotent: ein bereits gesetzter Leader bleibt Leader.
+     */
+    #[Response(status: 403, description: 'Nur ein Leader darf weitere Leader einsetzen.')]
+    #[Response(status: 422, description: 'Ungültiger npub.')]
+    public function store(StoreMeetupLeaderRequest $request, Meetup $meetup): JsonResponse
+    {
+        $user = NostrLogin::findOrCreateUser($request->string('npub')->toString());
+
+        $meetup->users()->syncWithoutDetaching([
+            $user->getKey() => ['is_leader' => true],
+        ]);
+
+        return response()->json(['data' => $this->leaders($meetup)], HttpResponse::HTTP_CREATED);
+    }
+
+    /**
+     * Leader entziehen
+     *
+     * Entzieht dem Nutzer die Leader-Rolle für dieses Meetup (Demote: bleibt
+     * Mitglied in „Meine Meetups", darf aber nicht mehr bearbeiten). Der
+     * Ersteller des Meetups kann nie entzogen werden.
+     */
+    #[Response(status: 403, description: 'Nur ein Leader darf entziehen; der Ersteller ist geschützt.')]
+    public function destroy(Meetup $meetup, User $user): JsonResponse
+    {
+        Gate::authorize('manageLeaders', $meetup);
+
+        abort_if($user->getKey() === $meetup->created_by, HttpResponse::HTTP_FORBIDDEN, __('Der Ersteller des Meetups kann nicht entzogen werden.'));
+
+        $meetup->users()->updateExistingPivot($user->getKey(), ['is_leader' => false]);
+
+        return response()->json(['data' => $this->leaders($meetup)]);
+    }
+
+    /**
+     * Leader-Liste als flaches Array (Ersteller zuerst).
+     *
+     * @return array<int, array<string, mixed>>
+     */
+    private function leaders(Meetup $meetup): array
+    {
+        return $meetup->users()
+            ->wherePivot('is_leader', true)
+            ->get()
+            ->map(fn (User $user): array => [
+                'id' => $user->getKey(),
+                'name' => $user->name,
+                'nostr' => $user->nostr,
+                'avatar' => $user->profile_photo_url,
+                'is_creator' => $user->getKey() === $meetup->created_by,
+            ])
+            ->sortByDesc('is_creator')
+            ->values()
+            ->all();
+    }
+}