feat(tier2): multi-host / collaborators — Block C

Events can now have multiple users with distinct roles:
  owner   — manage collaborators, delete event, full access
  editor  — manage guests, tokens, CSV import, patch event
  viewer  — read-only access to everything

Schema (migration 0008)
- collaborator_role ENUM + event_collaborators + collaborator_invites
- Backfill: every existing events.host_id becomes an owner row
- EventRepo.Create seeds the owner row in the same transaction so
  no future event can exist without one

Authz
- New requireRole(eventID, userID, minRole) helper. Non-members 404;
  insufficient role 403. Replaces requireEventOwner across every
  shared-role handler (events.get/update, guests CRUD, tokens issue/
  rotate/bulk, csv preview/commit/template, activity, ws-ticket)
- events.delete + collaborator management stay owner-only
- GET /events lists every event the user has any role on
- /events/{id} response now embeds your_role for UI branching

Collaborator endpoints
- GET    /events/{id}/collaborators           (viewer+)
- POST   /events/{id}/collaborators           (owner)  — sends invite email
- PATCH  /events/{id}/collaborators/{user_id} (owner)  — role change
- DELETE /events/{id}/collaborators/{user_id} (owner)  — refuses last owner
- DELETE /events/{id}/collaborators/pending   (owner)  — cancel invite
- GET    /invites/{token}                     (public) — preview summary
- POST   /invites/{token}/accept              (authed) — atomic accept

Invitations
- SHA-256 hashed in DB; raw value only lives in the email link
- 7-day TTL, single-use, email-bound (caller's email must match)
- New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES
  senders + log stub; collaborator_invite.html/txt branded template

Frontend
- TeamCard.vue on the event detail page: lists collaborators with
  inline role-change + remove, pending-invites with cancel, invite
  modal (email + role). Owner-only actions hidden for editors/viewers
- /invites/[token] accept page: shows invite summary, prompts signup
  or sign-in with pre-filled email, refuses mismatched accounts

Tests (all 6 pass on the existing testcontainers harness)
- backfill: legacy host gets owner role
- role enforcement: viewer can read, editor can write guests but not
  delete/manage team, non-member 404s everywhere
- last-owner removal refused (400)
- shared events show up in collaborator's /events list
- invite flow: create → preview → accept → role granted → replay 410
- email mismatch on accept returns 403
- expired invite returns 410

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/api/events.go

@@ -16,6 +16,7 @@ import (
 
 type eventHandler struct {
 	repo     *storage.EventRepo
+	collabs  *storage.CollaboratorRepo
 	enforcer *tierEnforcer
 }
 
@@ -90,6 +91,13 @@ func (h *eventHandler) create(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, http.StatusCreated, ev)
 }
 
+// eventView wraps an Event with the caller's role so the dashboard UI can
+// branch (e.g. hide the "Delete event" button for editors/viewers).
+type eventView struct {
+	*domain.Event
+	YourRole domain.Role `json:"your_role"`
+}
+
 func (h *eventHandler) get(w http.ResponseWriter, r *http.Request) {
 	hostID, ok := hostFromContext(w, r)
 	if !ok {
@@ -99,11 +107,11 @@ func (h *eventHandler) get(w http.ResponseWriter, r *http.Request) {
 	if !ok {
 		return
 	}
-	ev, ok := requireEventOwner(w, r, h.repo, id, hostID)
+	ev, role, ok := requireRole(w, r, h.repo, h.collabs, id, hostID, domain.RoleViewer)
 	if !ok {
 		return
 	}
-	writeJSON(w, http.StatusOK, ev)
+	writeJSON(w, http.StatusOK, eventView{Event: ev, YourRole: role})
 }
 
 func (h *eventHandler) list(w http.ResponseWriter, r *http.Request) {
@@ -116,7 +124,15 @@ func (h *eventHandler) list(w http.ResponseWriter, r *http.Request) {
 	limit := atoiOr(q.Get("limit"), 50)
 	offset := atoiOr(q.Get("offset"), 0)
 
-	events, err := h.repo.List(r.Context(), hostID, limit, offset)
+	// Block C: the dashboard shows every event the user has any role on,
+	// not just events they own. The collaborators repo gives us the id set;
+	// the events repo paginates the merged list.
+	collabIDs, err := h.collabs.ListEventIDsForUser(r.Context(), hostID)
+	if err != nil {
+		writeError(w, http.StatusInternalServerError, "failed to resolve memberships")
+		return
+	}
+	events, err := h.repo.ListForUser(r.Context(), hostID, collabIDs, limit, offset)
 	if err != nil {
 		writeError(w, http.StatusInternalServerError, "failed to list events")
 		return
@@ -150,6 +166,11 @@ func (h *eventHandler) update(w http.ResponseWriter, r *http.Request) {
 	if !ok {
 		return
 	}
+	// Block C: editor+ can patch event metadata. The plan reserves DELETE
+	// (and the existing host_id row) for owners only.
+	if _, _, ok := requireRole(w, r, h.repo, h.collabs, id, hostID, domain.RoleEditor); !ok {
+		return
+	}
 
 	var req updateEventRequest
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
@@ -180,7 +201,7 @@ func (h *eventHandler) update(w http.ResponseWriter, r *http.Request) {
 		params.Status = &s
 	}
 
-	ev, err := h.repo.Update(r.Context(), id, hostID, params)
+	ev, err := h.repo.UpdateByID(r.Context(), id, params)
 	if err != nil {
 		switch {
 		case errors.Is(err, domain.ErrEventNotFound):
@@ -204,7 +225,12 @@ func (h *eventHandler) delete(w http.ResponseWriter, r *http.Request) {
 	if !ok {
 		return
 	}
-	if err := h.repo.Delete(r.Context(), id, hostID); err != nil {
+	// Block C: only owners can delete an event. Editors get 403; viewers
+	// and non-members get 404.
+	if _, _, ok := requireRole(w, r, h.repo, h.collabs, id, hostID, domain.RoleOwner); !ok {
+		return
+	}
+	if err := h.repo.DeleteByID(r.Context(), id); err != nil {
 		if errors.Is(err, domain.ErrEventNotFound) {
 			writeError(w, http.StatusNotFound, "event not found")
 			return