feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 files added or modified; 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 00:12:50 +00:00
parent 5dffd2d063
commit c89d1879bf
83 changed files with 5850 additions and 314 deletions


@@ -5,6 +5,7 @@ namespace App\Models;
use App\Enums\DeclarationPriority;
use App\Enums\DeclarationStatus;
use App\Enums\DeclarationType;
use App\Enums\WorkspaceUserRole;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
@@ -144,6 +145,19 @@ class Declaration extends Model implements HasMedia
return $this->hasMany(DeclarationInvitation::class);
}
/**
* Scope declarations based on user role.
* Workers see only declarations assigned to them; Owners/Managers see all.
*/
public function scopeForUser(Builder $query, User $user, WorkspaceUser $workspaceUser): Builder
{
if ($workspaceUser->role->is(WorkspaceUserRole::Worker)) {
return $query->where('assigned_to', $user->id);
}
return $query;
}
/**
* Scope a query to only include active (non-archived) declarations.
*/