feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/Models/Declaration.php

@@ -5,6 +5,7 @@ namespace App\Models;
 use App\Enums\DeclarationPriority;
 use App\Enums\DeclarationStatus;
 use App\Enums\DeclarationType;
+use App\Enums\WorkspaceUserRole;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
@@ -144,6 +145,19 @@ class Declaration extends Model implements HasMedia
         return $this->hasMany(DeclarationInvitation::class);
     }
 
+    /**
+     * Scope declarations based on user role.
+     * Workers see only declarations assigned to them; Owners/Managers see all.
+     */
+    public function scopeForUser(Builder $query, User $user, WorkspaceUser $workspaceUser): Builder
+    {
+        if ($workspaceUser->role->is(WorkspaceUserRole::Worker)) {
+            return $query->where('assigned_to', $user->id);
+        }
+
+        return $query;
+    }
+
     /**
      * Scope a query to only include active (non-archived) declarations.
      */

app/Models/TeamInvitation.php

@@ -0,0 +1,98 @@
+<?php
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Support\Str;
+use Spatie\Activitylog\LogOptions;
+use Spatie\Activitylog\Traits\LogsActivity;
+
+class TeamInvitation extends Model
+{
+    use LogsActivity;
+
+    protected $table = 'team_invitations';
+
+    /**
+     * The attributes that are mass assignable.
+     *
+     * @var list<string>
+     */
+    protected $fillable = [
+        'workspace_id',
+        'email',
+        'role',
+        'token',
+        'invited_by',
+        'accepted_at',
+        'expires_at',
+    ];
+
+    /**
+     * Get the attributes that should be cast.
+     *
+     * @return array<string, string>
+     */
+    protected function casts(): array
+    {
+        return [
+            'accepted_at' => 'datetime',
+            'expires_at' => 'datetime',
+        ];
+    }
+
+    /**
+     * Boot the model.
+     */
+    protected static function boot(): void
+    {
+        parent::boot();
+
+        static::creating(function (TeamInvitation $invitation) {
+            if (empty($invitation->token)) {
+                $invitation->token = Str::uuid()->toString();
+            }
+        });
+    }
+
+    /**
+     * Get the workspace that owns the invitation.
+     *
+     * @return BelongsTo<Workspace, $this>
+     */
+    public function workspace(): BelongsTo
+    {
+        return $this->belongsTo(Workspace::class);
+    }
+
+    /**
+     * Get the user who sent the invitation.
+     *
+     * @return BelongsTo<User, $this>
+     */
+    public function invitedBy(): BelongsTo
+    {
+        return $this->belongsTo(User::class, 'invited_by');
+    }
+
+    /**
+     * Check if the invitation is valid (not accepted, not expired).
+     */
+    public function isValid(): bool
+    {
+        if ($this->accepted_at !== null) {
+            return false;
+        }
+
+        return $this->expires_at->isFuture();
+    }
+
+    public function getActivitylogOptions(): LogOptions
+    {
+        return LogOptions::defaults()
+            ->logFillable()
+            ->logOnlyDirty()
+            ->dontSubmitEmptyLogs();
+    }
+}

app/Models/User.php

@@ -66,10 +66,30 @@ class User extends Authenticatable
     {
         return $this->belongsToMany(Workspace::class, 'workspace_user')
             ->using(\App\Models\WorkspaceUser::class)
-            ->withPivot('role')
+            ->withPivot('role', 'permissions')
             ->withTimestamps();
     }
 
+    /**
+     * Memoized workspace-user pivot instances, keyed by workspace ID.
+     *
+     * @var array<int, WorkspaceUser>
+     */
+    protected array $resolvedWorkspaceUsers = [];
+
+    /**
+     * Get the workspace-user pivot for the current session workspace.
+     * Result is memoized per workspace ID to avoid duplicate queries within a request.
+     */
+    public function currentWorkspaceUser(): WorkspaceUser
+    {
+        $workspaceId = (int) session('current_workspace_id');
+
+        return $this->resolvedWorkspaceUsers[$workspaceId] ??= WorkspaceUser::where('user_id', $this->id)
+            ->where('workspace_id', $workspaceId)
+            ->firstOrFail();
+    }
+
     public function getActivitylogOptions(): LogOptions
     {
         return LogOptions::defaults()

app/Models/Workspace.php

@@ -75,10 +75,20 @@ class Workspace extends Model
     {
         return $this->belongsToMany(User::class, 'workspace_user')
             ->using(WorkspaceUser::class)
-            ->withPivot('role')
+            ->withPivot('role', 'permissions')
             ->withTimestamps();
     }
 
+    /**
+     * Get the team invitations for the workspace.
+     *
+     * @return HasMany<TeamInvitation>
+     */
+    public function teamInvitations(): HasMany
+    {
+        return $this->hasMany(TeamInvitation::class);
+    }
+
     public function getActivitylogOptions(): LogOptions
     {
         return LogOptions::defaults()