feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

routes/web.php

@@ -25,6 +25,12 @@ Route::middleware(['auth', 'verified'])->group(function () {
         Route::post('declarations/{declaration}/mentions', [\App\Http\Controllers\DeclarationMentionController::class, 'store'])
             ->middleware('throttle:10,1')
             ->name('declarations.mentions.store');
+
+        Route::get('team', [\App\Http\Controllers\TeamController::class, 'index'])->name('team.index');
+        Route::post('team/invite', [\App\Http\Controllers\TeamController::class, 'invite'])->name('team.invite');
+        Route::patch('team/{workspaceUserId}/role', [\App\Http\Controllers\TeamController::class, 'updateRole'])->name('team.updateRole');
+        Route::put('team/{workspaceUserId}/permissions', [\App\Http\Controllers\TeamController::class, 'updatePermissions'])->name('team.updatePermissions');
+        Route::delete('team/{workspaceUserId}', [\App\Http\Controllers\TeamController::class, 'remove'])->name('team.remove');
     });
 
     Route::post('notifications/{id}/read', [\App\Http\Controllers\NotificationController::class, 'markAsRead'])->name('notifications.read');