feat(tier2): multi-host / collaborators — Block C

Events can now have multiple users with distinct roles:
  owner   — manage collaborators, delete event, full access
  editor  — manage guests, tokens, CSV import, patch event
  viewer  — read-only access to everything

Schema (migration 0008)
- collaborator_role ENUM + event_collaborators + collaborator_invites
- Backfill: every existing events.host_id becomes an owner row
- EventRepo.Create seeds the owner row in the same transaction so
  no future event can exist without one

Authz
- New requireRole(eventID, userID, minRole) helper. Non-members 404;
  insufficient role 403. Replaces requireEventOwner across every
  shared-role handler (events.get/update, guests CRUD, tokens issue/
  rotate/bulk, csv preview/commit/template, activity, ws-ticket)
- events.delete + collaborator management stay owner-only
- GET /events lists every event the user has any role on
- /events/{id} response now embeds your_role for UI branching

Collaborator endpoints
- GET    /events/{id}/collaborators           (viewer+)
- POST   /events/{id}/collaborators           (owner)  — sends invite email
- PATCH  /events/{id}/collaborators/{user_id} (owner)  — role change
- DELETE /events/{id}/collaborators/{user_id} (owner)  — refuses last owner
- DELETE /events/{id}/collaborators/pending   (owner)  — cancel invite
- GET    /invites/{token}                     (public) — preview summary
- POST   /invites/{token}/accept              (authed) — atomic accept

Invitations
- SHA-256 hashed in DB; raw value only lives in the email link
- 7-day TTL, single-use, email-bound (caller's email must match)
- New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES
  senders + log stub; collaborator_invite.html/txt branded template

Frontend
- TeamCard.vue on the event detail page: lists collaborators with
  inline role-change + remove, pending-invites with cancel, invite
  modal (email + role). Owner-only actions hidden for editors/viewers
- /invites/[token] accept page: shows invite summary, prompts signup
  or sign-in with pre-filled email, refuses mismatched accounts

Tests (all 6 pass on the existing testcontainers harness)
- backfill: legacy host gets owner role
- role enforcement: viewer can read, editor can write guests but not
  delete/manage team, non-member 404s everywhere
- last-owner removal refused (400)
- shared events show up in collaborator's /events list
- invite flow: create → preview → accept → role granted → replay 410
- email mismatch on accept returns 403
- expired invite returns 410

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/domain/collaborator.go

@@ -0,0 +1,93 @@
+package domain
+
+import (
+	"errors"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// Role is the trio of collaborator permissions on an event. Comparisons are
+// done with the numeric `rank()` rather than string equality so handlers can
+// say `requireRole(RoleEditor)` and accept both editor and owner.
+type Role string
+
+const (
+	RoleOwner  Role = "owner"
+	RoleEditor Role = "editor"
+	RoleViewer Role = "viewer"
+)
+
+// Valid reports whether r is one of the three known roles.
+func (r Role) Valid() bool {
+	switch r {
+	case RoleOwner, RoleEditor, RoleViewer:
+		return true
+	}
+	return false
+}
+
+// rank returns a comparable integer: higher = more privilege.
+// Owner=30 / Editor=20 / Viewer=10 leaves room for future intermediate
+// roles (e.g. "guest-manager" at 15) without renumbering callers.
+func (r Role) rank() int {
+	switch r {
+	case RoleOwner:
+		return 30
+	case RoleEditor:
+		return 20
+	case RoleViewer:
+		return 10
+	}
+	return 0
+}
+
+// AtLeast reports whether r is at least as privileged as min.
+// requireRole helpers compare with `r.AtLeast(RoleEditor)`.
+func (r Role) AtLeast(min Role) bool {
+	return r.rank() >= min.rank()
+}
+
+// Collaborator is one user's membership on an event. AcceptedAt is nil while
+// the invite is still pending — those rows are surfaced separately, not via
+// this struct (see CollaboratorInvite).
+type Collaborator struct {
+	EventID    uuid.UUID  `json:"event_id"`
+	UserID     uuid.UUID  `json:"user_id"`
+	Role       Role       `json:"role"`
+	InvitedBy  *uuid.UUID `json:"invited_by,omitempty"`
+	InvitedAt  time.Time  `json:"invited_at"`
+	AcceptedAt *time.Time `json:"accepted_at,omitempty"`
+
+	// Display fields joined from users — populated by List, omitted by point
+	// lookups that don't need them.
+	Name  string `json:"name,omitempty"`
+	Email string `json:"email,omitempty"`
+}
+
+// CollaboratorInvite is a pending invitation that hasn't been accepted yet.
+// The raw token lives only in the email link; what we store is its SHA-256
+// hash, so a database leak doesn't hand attackers usable invites.
+type CollaboratorInvite struct {
+	EventID   uuid.UUID `json:"event_id"`
+	Email     string    `json:"email"`
+	Role      Role      `json:"role"`
+	InvitedBy uuid.UUID `json:"invited_by"`
+	ExpiresAt time.Time `json:"expires_at"`
+	CreatedAt time.Time `json:"created_at"`
+}
+
+// DefaultInviteTTL is how long a fresh collaborator invitation stays valid.
+// Seven days mirrors the password-reset flow's expiry. Resend mints a new
+// token rather than extending an old one.
+const DefaultInviteTTL = 7 * 24 * time.Hour
+
+var (
+	ErrCollaboratorNotFound    = errors.New("collaborator not found")
+	ErrCollaboratorExists      = errors.New("user is already a collaborator")
+	ErrLastOwner               = errors.New("cannot remove the last owner")
+	ErrInviteNotFound          = errors.New("invitation not found")
+	ErrInviteExpired           = errors.New("invitation expired")
+	ErrInviteAlreadyConsumed   = errors.New("invitation already used")
+	ErrInviteEmailMismatch     = errors.New("invitation was sent to a different email")
+)

internal/domain/collaborator_test.go

@@ -0,0 +1,43 @@
+package domain
+
+import "testing"
+
+func TestRoleAtLeast(t *testing.T) {
+	tests := []struct {
+		have Role
+		min  Role
+		want bool
+	}{
+		{RoleOwner, RoleOwner, true},
+		{RoleOwner, RoleEditor, true},
+		{RoleOwner, RoleViewer, true},
+		{RoleEditor, RoleOwner, false},
+		{RoleEditor, RoleEditor, true},
+		{RoleEditor, RoleViewer, true},
+		{RoleViewer, RoleOwner, false},
+		{RoleViewer, RoleEditor, false},
+		{RoleViewer, RoleViewer, true},
+
+		// Empty / unknown role should not satisfy any minimum.
+		{Role(""), RoleViewer, false},
+		{Role("admin"), RoleViewer, false},
+	}
+	for _, tt := range tests {
+		if got := tt.have.AtLeast(tt.min); got != tt.want {
+			t.Errorf("Role(%q).AtLeast(%q) = %v, want %v", tt.have, tt.min, got, tt.want)
+		}
+	}
+}
+
+func TestRoleValid(t *testing.T) {
+	for _, r := range []Role{RoleOwner, RoleEditor, RoleViewer} {
+		if !r.Valid() {
+			t.Errorf("expected %q to be valid", r)
+		}
+	}
+	for _, r := range []Role{Role(""), Role("admin"), Role("OWNER")} {
+		if r.Valid() {
+			t.Errorf("expected %q to be invalid", r)
+		}
+	}
+}