feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/Feature/Database/MemberToWorkerMigrationTest.php

@@ -0,0 +1,64 @@
+<?php
+
+use App\Models\User;
+use App\Models\Workspace;
+use Illuminate\Support\Facades\DB;
+
+function getMigrationInstance(): object
+{
+    return require database_path('migrations/2026_03_14_000001_rename_member_to_worker_in_workspace_user.php');
+}
+
+test('data migration renames member to worker in workspace_user role', function () {
+    $user = User::factory()->create();
+    $workspace = Workspace::factory()->create();
+
+    // Insert a record with the old 'member' value directly via DB
+    DB::table('workspace_user')->insert([
+        'workspace_id' => $workspace->id,
+        'user_id' => $user->id,
+        'role' => 'member',
+        'created_at' => now(),
+        'updated_at' => now(),
+    ]);
+
+    // Verify it has 'member' role
+    expect(
+        DB::table('workspace_user')
+            ->where('user_id', $user->id)
+            ->where('workspace_id', $workspace->id)
+            ->value('role')
+    )->toBe('member');
+
+    // Run the actual migration file
+    getMigrationInstance()->up();
+
+    // Verify it now has 'worker' role
+    expect(
+        DB::table('workspace_user')
+            ->where('user_id', $user->id)
+            ->where('workspace_id', $workspace->id)
+            ->value('role')
+    )->toBe('worker');
+});
+
+test('data migration does not affect owner or manager roles', function () {
+    $owner = User::factory()->create();
+    $manager = User::factory()->create();
+    $worker = User::factory()->create();
+    $workspace = Workspace::factory()->create();
+
+    DB::table('workspace_user')->insert([
+        ['workspace_id' => $workspace->id, 'user_id' => $owner->id, 'role' => 'owner', 'created_at' => now(), 'updated_at' => now()],
+        ['workspace_id' => $workspace->id, 'user_id' => $manager->id, 'role' => 'manager', 'created_at' => now(), 'updated_at' => now()],
+        ['workspace_id' => $workspace->id, 'user_id' => $worker->id, 'role' => 'member', 'created_at' => now(), 'updated_at' => now()],
+    ]);
+
+    // Run the actual migration file
+    getMigrationInstance()->up();
+
+    // Owner and manager should remain unchanged
+    expect(DB::table('workspace_user')->where('user_id', $owner->id)->value('role'))->toBe('owner');
+    expect(DB::table('workspace_user')->where('user_id', $manager->id)->value('role'))->toBe('manager');
+    expect(DB::table('workspace_user')->where('user_id', $worker->id)->value('role'))->toBe('worker');
+});