feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/Models/Workspace.php

@@ -75,10 +75,20 @@ class Workspace extends Model
     {
         return $this->belongsToMany(User::class, 'workspace_user')
             ->using(WorkspaceUser::class)
-            ->withPivot('role')
+            ->withPivot('role', 'permissions')
             ->withTimestamps();
     }
 
+    /**
+     * Get the team invitations for the workspace.
+     *
+     * @return HasMany<TeamInvitation>
+     */
+    public function teamInvitations(): HasMany
+    {
+        return $this->hasMany(TeamInvitation::class);
+    }
+
     public function getActivitylogOptions(): LogOptions
     {
         return LogOptions::defaults()