feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/Models/User.php

@@ -66,10 +66,30 @@ class User extends Authenticatable
     {
         return $this->belongsToMany(Workspace::class, 'workspace_user')
             ->using(\App\Models\WorkspaceUser::class)
-            ->withPivot('role')
+            ->withPivot('role', 'permissions')
             ->withTimestamps();
     }
 
+    /**
+     * Memoized workspace-user pivot instances, keyed by workspace ID.
+     *
+     * @var array<int, WorkspaceUser>
+     */
+    protected array $resolvedWorkspaceUsers = [];
+
+    /**
+     * Get the workspace-user pivot for the current session workspace.
+     * Result is memoized per workspace ID to avoid duplicate queries within a request.
+     */
+    public function currentWorkspaceUser(): WorkspaceUser
+    {
+        $workspaceId = (int) session('current_workspace_id');
+
+        return $this->resolvedWorkspaceUsers[$workspaceId] ??= WorkspaceUser::where('user_id', $this->id)
+            ->where('workspace_id', $workspaceId)
+            ->firstOrFail();
+    }
+
     public function getActivitylogOptions(): LogOptions
     {
         return LogOptions::defaults()