fix(events): enforce series-pass, hidden, and deadline gates

Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md
(Findings 1, 2, 3).

1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now
   loads the linked Series when tickets.requiresSeriesTicket is set and
   rejects drop-in registration unless series.allowIndividualEventTickets
   is true or the user has a valid pass. Data-integrity 500 if the
   referenced series is missing.

2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent
   into server/utils/loadEvent.js. All five public event endpoints
   ([id].get, register, tickets/available, tickets/reserve,
   tickets/purchase) now go through the helper, which 404s when
   isVisible === false and the requester is not an admin. Admin detection
   uses a new non-throwing getOptionalMember() in server/utils/auth.js
   (extracted from the pattern already inlined in api/auth/status.get.js).

3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix
   E8): register.post.js and tickets/reserve.post.js delegate gating to
   validateTicketPurchase (which already covers deadline, cancelled,
   started, members-only, sold-out, and already-registered);
   tickets/available.get.js gets an explicit registrationDeadline check.
   Legacy pricing.paymentRequired 402 branch removed from register.post.js.

server/api/events/[id]/tickets/purchase.post.js

@@ -1,14 +1,13 @@
-import Event from "../../../../models/event.js";
 import Member from "../../../../models/member.js";
-import { connectDB } from "../../../../utils/mongoose.js";
+import { loadPublicEvent } from "../../../../utils/loadEvent.js";
+import { validateBody } from "../../../../utils/validateBody.js";
+import { ticketPurchaseSchema } from "../../../../utils/schemas.js";
 import {
   validateTicketPurchase,
-  calculateTicketPrice,
   completeTicketPurchase,
   hasMemberAccess,
 } from "../../../../utils/tickets.js";
 import { sendEventRegistrationEmail } from "../../../../utils/resend.js";
-import mongoose from "mongoose";
 
 /**
  * POST /api/events/[id]/tickets/purchase
@@ -17,32 +16,10 @@ import mongoose from "mongoose";
  */
 export default defineEventHandler(async (event) => {
   try {
-    await connectDB();
     const identifier = getRouterParam(event, "id");
     const body = await validateBody(event, ticketPurchaseSchema);
 
-    if (!identifier) {
-      throw createError({
-        statusCode: 400,
-        statusMessage: "Event identifier is required",
-      });
-    }
-
-    // Fetch the event
-    let eventData;
-    if (mongoose.Types.ObjectId.isValid(identifier)) {
-      eventData = await Event.findById(identifier);
-    }
-    if (!eventData) {
-      eventData = await Event.findOne({ slug: identifier });
-    }
-
-    if (!eventData) {
-      throw createError({
-        statusCode: 404,
-        statusMessage: "Event not found",
-      });
-    }
+    const eventData = await loadPublicEvent(event, identifier);
 
     // Check if user is a member. Only members with access (active or
     // pending_payment) count for pricing/validation; guest, suspended,