fix(events): enforce series-pass, hidden, and deadline gates

Pre-launch P0 fixes surfaced by docs/specs/events-functional-test-matrix.md
(Findings 1, 2, 3).

1. Series-pass bypass (Finding 1 / matrix S1 P3): register.post.js now
   loads the linked Series when tickets.requiresSeriesTicket is set and
   rejects drop-in registration unless series.allowIndividualEventTickets
   is true or the user has a valid pass. Data-integrity 500 if the
   referenced series is missing.

2. Hidden-event leak (Finding 2 / matrix E11): extract loadPublicEvent
   into server/utils/loadEvent.js. All five public event endpoints
   ([id].get, register, tickets/available, tickets/reserve,
   tickets/purchase) now go through the helper, which 404s when
   isVisible === false and the requester is not an admin. Admin detection
   uses a new non-throwing getOptionalMember() in server/utils/auth.js
   (extracted from the pattern already inlined in api/auth/status.get.js).

3. Deadline enforcement + legacy pricing retirement (Finding 3 / matrix
   E8): register.post.js and tickets/reserve.post.js delegate gating to
   validateTicketPurchase (which already covers deadline, cancelled,
   started, members-only, sold-out, and already-registered);
   tickets/available.get.js gets an explicit registrationDeadline check.
   Legacy pricing.paymentRequired 402 branch removed from register.post.js.

server/utils/auth.js

@@ -75,6 +75,32 @@ export async function requireAuth(event) {
   return member
 }
 
+/**
+ * Return the signed-in Member without throwing.
+ * Returns null when no cookie, invalid token, or member not found/inactive.
+ * Mirrors the non-throwing JWT check in api/auth/status.get.js.
+ */
+export async function getOptionalMember(event) {
+  await connectDB()
+
+  const token = getCookie(event, 'auth-token')
+  if (!token) return null
+
+  let decoded
+  try {
+    decoded = jwt.verify(token, useRuntimeConfig(event).jwtSecret)
+  } catch {
+    return null
+  }
+
+  const member = await Member.findById(decoded.memberId)
+  if (!member) return null
+  if (member.status === 'suspended' || member.status === 'cancelled') return null
+  if (decoded.tv !== member.tokenVersion) return null
+
+  return member
+}
+
 /**
  * Verify JWT and require admin role.
  * Throws 401 if not authenticated, 403 if not admin.

server/utils/loadEvent.js

@@ -0,0 +1,55 @@
+import mongoose from 'mongoose'
+import Event from '../models/event.js'
+import { connectDB } from './mongoose.js'
+import { getOptionalMember } from './auth.js'
+
+/**
+ * Load an event by ObjectId or slug for public (non-admin) endpoints.
+ * Enforces the isVisible gate: hidden events 404 for everyone except admins.
+ *
+ * @param {Object} reqEvent - h3 event (for auth/cookie access)
+ * @param {String} identifier - ObjectId string or slug
+ * @param {Object} [options]
+ * @param {Boolean} [options.lean] - apply .lean() to the query
+ * @param {String} [options.select] - apply .select() to the query
+ * @returns {Promise<Object>} the event document
+ */
+export async function loadPublicEvent(reqEvent, identifier, options = {}) {
+  if (!identifier) {
+    throw createError({
+      statusCode: 400,
+      statusMessage: 'Event identifier is required'
+    })
+  }
+
+  await connectDB()
+
+  const { lean = false, select = null } = options
+
+  const applyOptions = (query) => {
+    if (select) query = query.select(select)
+    if (lean) query = query.lean()
+    return query
+  }
+
+  let eventDoc
+  if (mongoose.Types.ObjectId.isValid(identifier)) {
+    eventDoc = await applyOptions(Event.findById(identifier))
+  }
+  if (!eventDoc) {
+    eventDoc = await applyOptions(Event.findOne({ slug: identifier }))
+  }
+
+  if (!eventDoc) {
+    throw createError({ statusCode: 404, statusMessage: 'Event not found' })
+  }
+
+  if (eventDoc.isVisible === false) {
+    const requester = await getOptionalMember(reqEvent)
+    if (requester?.role !== 'admin') {
+      throw createError({ statusCode: 404, statusMessage: 'Event not found' })
+    }
+  }
+
+  return eventDoc
+}