2.0.6 — security + hardening

Released by github-actions on 09 Jun 18:27

Security + hardening release (Floxum re-audit fixes).

  • Security (HIGH): event URLs are now scheme-allowlisted (http/https) — javascript:/data: URLs can no longer be stored and rendered as an <a href> (stored-XSS fix), with a matching guard in the event detail modal.
  • Security: RSVP is restricted to published events (or the author's own draft) — a guessed draft ID can't have its RSVP counts polluted.
  • Performance: indexed users.cal_birthday (was a full table scan on the celebrations widget); the iCal feed eager-loads category + user to avoid N+1 during serialisation.
  • Conventions: resolve() moved out of the schema getter into the fields builder.
  • Refactor: CalendarPage split into focused MonthGrid / TimeGrid / EventListView components (no functional change; verified across month/week/list views).
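The first bullet above (scheme-allowlisting event URLs so a stored `javascript:`/`data:` value never becomes an `<a href>`) is the kind of fix whose edge cases are easy to miss, so here is an added, stand-alone JavaScript illustration of the pattern; it is not the project's own code, and the function names, the `escapeHtml` helper and the sample event are assumptions. It deliberately goes a little beyond the note by covering both the store-time validator and the render-time guard, and by handling the inputs that defeat naive prefix checks (mixed case, leading whitespace, embedded newlines, protocol-relative and relative paths).

```javascript
// Added example, not code from the release. Allowlist of URL schemes that may be
// stored for an event and rendered as a link. The WHATWG URL parser is used on
// purpose: it lower-cases the scheme and strips leading/trailing whitespace and
// embedded tab/newline characters, so " JavaScript:" or "java\nscript:" cannot
// slip past the check the way they would past a naive startsWith('http').
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Returns the normalised absolute URL if its scheme is allowlisted, else null.
// Relative ("/x") and protocol-relative ("//host") inputs are rejected too:
// parsing without a base makes them throw, so what is stored never depends on
// the base URL of whichever page later renders it.
function sanitizeEventUrl(input) {
  if (typeof input !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(input); // no base argument: relative inputs throw
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Store-time guard (hypothetical shape of an event record): reject the write
// rather than silently storing something the renderer would have to distrust.
function validateEventForStorage(event) {
  if (event.url == null || event.url === '') return { ...event, url: null };
  const url = sanitizeEventUrl(event.url);
  if (url === null) throw new Error('event url must be an absolute http(s) URL');
  return { ...event, url };
}

// Minimal HTML escaper for attribute and text contexts (assumed helper).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render-time guard, the "matching guard in the event detail modal": rows that
// predate the fix are re-checked, and an unsafe value is shown as plain text,
// never as a clickable link.
function renderEventLink(url) {
  const safe = sanitizeEventUrl(url);
  if (safe === null) return escapeHtml(url == null ? '' : String(url));
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${escapeHtml(safe)}</a>`;
}
```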