feat: complete Epic 1 — team management & permission system

- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/Unit/PermissionCheckTest.php

@@ -0,0 +1,92 @@
+<?php
+
+use App\Concerns\AuthorizesPermissions;
+use App\Enums\Permission;
+use App\Enums\WorkspaceUserRole;
+use App\Models\User;
+use App\Models\Workspace;
+
+uses(Tests\TestCase::class, Illuminate\Foundation\Testing\RefreshDatabase::class);
+
+// Create a testable class that uses the trait
+function createPermissionChecker(): object
+{
+    return new class
+    {
+        use AuthorizesPermissions;
+
+        public function check(string $permission): void
+        {
+            $this->authorizePermission($permission);
+        }
+    };
+}
+
+function setupWorkspaceUser(string $role, array $permissions = []): array
+{
+    $user = User::factory()->create();
+    $workspace = Workspace::factory()->create();
+    $workspace->users()->attach($user->id, [
+        'role' => $role,
+        'permissions' => $permissions,
+    ]);
+    session(['current_workspace_id' => $workspace->id]);
+
+    return [$user, $workspace];
+}
+
+test('owner always passes permission check', function () {
+    [$user] = setupWorkspaceUser(WorkspaceUserRole::Owner);
+    $this->actingAs($user);
+
+    $checker = createPermissionChecker();
+    $checker->check(Permission::CanManageTeam);
+
+    expect(true)->toBeTrue(); // No exception thrown
+});
+
+test('worker always fails permission check with 404', function () {
+    [$user] = setupWorkspaceUser(WorkspaceUserRole::Worker);
+    $this->actingAs($user);
+
+    $checker = createPermissionChecker();
+    $checker->check(Permission::CanManageTeam);
+})->throws(Symfony\Component\HttpKernel\Exception\NotFoundHttpException::class);
+
+test('manager with granted permission passes', function () {
+    [$user] = setupWorkspaceUser(WorkspaceUserRole::Manager, [
+        Permission::CanViewActivityLogs => true,
+    ]);
+    $this->actingAs($user);
+
+    $checker = createPermissionChecker();
+    $checker->check(Permission::CanViewActivityLogs);
+
+    expect(true)->toBeTrue(); // No exception thrown
+});
+
+test('manager with denied permission fails with 404', function () {
+    [$user] = setupWorkspaceUser(WorkspaceUserRole::Manager, [
+        Permission::CanManageTeam => false,
+    ]);
+    $this->actingAs($user);
+
+    $checker = createPermissionChecker();
+    $checker->check(Permission::CanManageTeam);
+})->throws(Symfony\Component\HttpKernel\Exception\NotFoundHttpException::class);
+
+test('manager with unknown permission key defaults to false and fails with 404', function () {
+    [$user] = setupWorkspaceUser(WorkspaceUserRole::Manager, []);
+    $this->actingAs($user);
+
+    $checker = createPermissionChecker();
+    $checker->check('some_unknown_permission');
+})->throws(Symfony\Component\HttpKernel\Exception\NotFoundHttpException::class);
+
+test('manager with empty permissions fails with 404', function () {
+    [$user] = setupWorkspaceUser(WorkspaceUserRole::Manager, []);
+    $this->actingAs($user);
+
+    $checker = createPermissionChecker();
+    $checker->check(Permission::CanConfigurePortal);
+})->throws(Symfony\Component\HttpKernel\Exception\NotFoundHttpException::class);