feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/Concerns/AuthorizesPermissions.php

@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Concerns;
+
+use App\Enums\WorkspaceUserRole;
+
+trait AuthorizesPermissions
+{
+    /**
+     * Authorize the current user has the given permission.
+     *
+     * Owner: always passes.
+     * Worker: always fails (abort 404).
+     * Manager: checks the permissions JSON column on workspace_user pivot.
+     * Unknown permission keys default to false.
+     */
+    protected function authorizePermission(string $permission): void
+    {
+        $workspaceUser = auth()->user()->currentWorkspaceUser();
+
+        if ($workspaceUser->role->is(WorkspaceUserRole::Owner)) {
+            return;
+        }
+
+        if ($workspaceUser->role->is(WorkspaceUserRole::Worker)) {
+            abort(404);
+        }
+
+        // Manager: check JSON permissions column
+        if (! ($workspaceUser->permissions[$permission] ?? false)) {
+            abort(404);
+        }
+    }
+}