feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/Http/Requests/InviteTeamMemberRequest.php

@@ -0,0 +1,83 @@
+<?php
+
+namespace App\Http\Requests;
+
+use App\Enums\Permission;
+use App\Enums\WorkspaceUserRole;
+use App\Models\TeamInvitation;
+use Illuminate\Foundation\Http\FormRequest;
+use Illuminate\Validation\Validator;
+
+class InviteTeamMemberRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        $workspaceUser = $this->user()->currentWorkspaceUser();
+
+        if ($workspaceUser->role->is(WorkspaceUserRole::Owner)) {
+            return true;
+        }
+
+        if ($workspaceUser->role->is(WorkspaceUserRole::Manager)) {
+            return (bool) ($workspaceUser->permissions[Permission::CanManageTeam] ?? false);
+        }
+
+        return false;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'email' => ['required', 'email', 'max:255'],
+            'role' => ['required', 'in:manager,worker'],
+        ];
+    }
+
+    /**
+     * Configure the validator instance.
+     */
+    public function withValidator(Validator $validator): void
+    {
+        $validator->after(function (Validator $validator) {
+            $workspaceId = session('current_workspace_id');
+            $email = $this->input('email');
+
+            // Check if email is already a member of the workspace
+            $alreadyMember = \App\Models\Workspace::find($workspaceId)
+                ?->users()
+                ->where('email', $email)
+                ->exists();
+
+            if ($alreadyMember) {
+                $validator->errors()->add('email', 'Cet utilisateur fait déjà partie de l\'équipe.');
+            }
+
+            // Check for existing active invitation
+            $existingInvitation = TeamInvitation::where('workspace_id', $workspaceId)
+                ->where('email', $email)
+                ->whereNull('accepted_at')
+                ->where('expires_at', '>', now())
+                ->exists();
+
+            if ($existingInvitation) {
+                $validator->errors()->add('email', 'Une invitation est déjà en cours pour cette adresse email.');
+            }
+        });
+    }
+
+    /**
+     * Handle a failed authorization attempt.
+     */
+    protected function failedAuthorization(): void
+    {
+        abort(404);
+    }
+}

app/Http/Requests/SwitchWorkspaceRequest.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace App\Http\Requests;
+
+use Illuminate\Contracts\Validation\ValidationRule;
+use Illuminate\Foundation\Http\FormRequest;
+
+class SwitchWorkspaceRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return $this->user() !== null;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'workspace_id' => ['required', 'integer', 'exists:workspaces,id'],
+        ];
+    }
+}

app/Http/Requests/UpdatePermissionsRequest.php

@@ -0,0 +1,71 @@
+<?php
+
+namespace App\Http\Requests;
+
+use App\Enums\Permission;
+use App\Enums\WorkspaceUserRole;
+use Illuminate\Foundation\Http\FormRequest;
+
+class UpdatePermissionsRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     * Only Owners can update permissions — Managers with can_manage_team CANNOT.
+     */
+    public function authorize(): bool
+    {
+        $workspaceUser = $this->user()->currentWorkspaceUser();
+
+        return $workspaceUser->role->is(WorkspaceUserRole::Owner);
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'permissions' => ['required', 'array'],
+            'permissions.*' => ['boolean'],
+        ];
+    }
+
+    /**
+     * Configure the validator instance.
+     */
+    public function withValidator(\Illuminate\Validation\Validator $validator): void
+    {
+        $validator->after(function (\Illuminate\Validation\Validator $validator) {
+            $permissions = $this->input('permissions', []);
+            $validKeys = Permission::getValues();
+
+            foreach (array_keys($permissions) as $key) {
+                if (! in_array($key, $validKeys, true)) {
+                    $validator->errors()->add(
+                        'permissions',
+                        "Invalid permission key: {$key}"
+                    );
+                }
+            }
+
+            // Ensure ALL permission keys are present to prevent silent permission loss
+            $missingKeys = array_diff($validKeys, array_keys($permissions));
+            if (! empty($missingKeys)) {
+                $validator->errors()->add(
+                    'permissions',
+                    'Missing permission keys: '.implode(', ', $missingKeys)
+                );
+            }
+        });
+    }
+
+    /**
+     * Handle a failed authorization attempt.
+     */
+    protected function failedAuthorization(): void
+    {
+        abort(404);
+    }
+}

app/Http/Requests/UpdateTeamMemberRoleRequest.php

@@ -0,0 +1,48 @@
+<?php
+
+namespace App\Http\Requests;
+
+use App\Enums\Permission;
+use App\Enums\WorkspaceUserRole;
+use Illuminate\Foundation\Http\FormRequest;
+
+class UpdateTeamMemberRoleRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        $workspaceUser = $this->user()->currentWorkspaceUser();
+
+        if ($workspaceUser->role->is(WorkspaceUserRole::Owner)) {
+            return true;
+        }
+
+        if ($workspaceUser->role->is(WorkspaceUserRole::Manager)) {
+            return (bool) ($workspaceUser->permissions[Permission::CanManageTeam] ?? false);
+        }
+
+        return false;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'role' => ['required', 'in:manager,worker'],
+        ];
+    }
+
+    /**
+     * Handle a failed authorization attempt.
+     */
+    protected function failedAuthorization(): void
+    {
+        abort(404);
+    }
+}