feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

config/permissions.php

@@ -0,0 +1,31 @@
+<?php
+
+use App\Enums\Permission;
+use App\Enums\WorkspaceUserRole;
+
+return [
+
+    /*
+    |--------------------------------------------------------------------------
+    | Default Permissions Per Role
+    |--------------------------------------------------------------------------
+    |
+    | Defines the default permission values for each workspace role.
+    | Owner has all permissions ('*'), Worker has none ([]),
+    | and Manager has individually configurable permissions.
+    |
+    */
+
+    'defaults' => [
+        WorkspaceUserRole::Owner => ['*'],
+
+        WorkspaceUserRole::Manager => [
+            Permission::CanManageTeam => false,
+            Permission::CanViewActivityLogs => true,
+            Permission::CanConfigurePortal => false,
+        ],
+
+        WorkspaceUserRole::Worker => [],
+    ],
+
+];