Add multi-vendor capability with admin vendor management

- Add resolveVendorId() helper — admin can pass ?vendorId= to scope
  catalog operations to any vendor; other roles locked to JWT vendorId
- Thread ?vendorId= through products, categories, taxes, events routes
- Add DELETE /vendors/:id (admin only) with cascade-safe guard:
  blocks if vendor has users or transactions; otherwise cascade-deletes
  EventProduct → EventTax → Event → Product → Tax → Category → Vendor
- Rewrite VendorPage: admin gets full CRUD list, vendor gets own settings
- Add VendorFilter shared component (admin-only dropdown)
- Integrate VendorFilter into Catalog, Users, and Events pages so admin
  can switch vendor context for all create/read operations

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

server/src/routes/events.ts

@@ -5,6 +5,7 @@ import { requireAuth, requireRole } from "../middleware/auth.js";
 import { AppError } from "../middleware/errorHandler.js";
 import { parsePage, paginatedResponse } from "../lib/pagination.js";
 import { AuthenticatedRequest } from "../types/index.js";
+import { resolveVendorId } from "../lib/vendorScope.js";
 
 const router = Router();
 const auth = requireAuth as unknown as (r: Request, s: Response, n: NextFunction) => void;
@@ -71,11 +72,7 @@ router.post("/", auth, vendorUp, async (req: Request, res: Response, next: NextF
       throw new AppError(400, "BAD_REQUEST", "endsAt must be after startsAt");
     }
 
-    // Admin can specify vendorId; vendor always uses their own
-    const targetVendorId =
-      authReq.auth.roleName === "admin" && (req.body as { vendorId?: string }).vendorId
-        ? (req.body as { vendorId: string }).vendorId
-        : authReq.auth.vendorId;
+    const targetVendorId = resolveVendorId(authReq, req.query as Record<string, unknown>);
 
     const event = await prisma.event.create({
       data: {