feat(tier2): multi-host / collaborators — Block C

Events can now have multiple users with distinct roles:
  owner   — manage collaborators, delete event, full access
  editor  — manage guests, tokens, CSV import, patch event
  viewer  — read-only access to everything

Schema (migration 0008)
- collaborator_role ENUM + event_collaborators + collaborator_invites
- Backfill: every existing events.host_id becomes an owner row
- EventRepo.Create seeds the owner row in the same transaction so
  no future event can exist without one

Authz
- New requireRole(eventID, userID, minRole) helper. Non-members 404;
  insufficient role 403. Replaces requireEventOwner across every
  shared-role handler (events.get/update, guests CRUD, tokens issue/
  rotate/bulk, csv preview/commit/template, activity, ws-ticket)
- events.delete + collaborator management stay owner-only
- GET /events lists every event the user has any role on
- /events/{id} response now embeds your_role for UI branching

Collaborator endpoints
- GET    /events/{id}/collaborators           (viewer+)
- POST   /events/{id}/collaborators           (owner)  — sends invite email
- PATCH  /events/{id}/collaborators/{user_id} (owner)  — role change
- DELETE /events/{id}/collaborators/{user_id} (owner)  — refuses last owner
- DELETE /events/{id}/collaborators/pending   (owner)  — cancel invite
- GET    /invites/{token}                     (public) — preview summary
- POST   /invites/{token}/accept              (authed) — atomic accept

Invitations
- SHA-256 hashed in DB; raw value only lives in the email link
- 7-day TTL, single-use, email-bound (caller's email must match)
- New SendCollaboratorInvite on auth.EmailSender + Resend/SMTP/SES
  senders + log stub; collaborator_invite.html/txt branded template

Frontend
- TeamCard.vue on the event detail page: lists collaborators with
  inline role-change + remove, pending-invites with cancel, invite
  modal (email + role). Owner-only actions hidden for editors/viewers
- /invites/[token] accept page: shows invite summary, prompts signup
  or sign-in with pre-filled email, refuses mismatched accounts

Tests (all 6 pass on the existing testcontainers harness)
- backfill: legacy host gets owner role
- role enforcement: viewer can read, editor can write guests but not
  delete/manage team, non-member 404s everywhere
- last-owner removal refused (400)
- shared events show up in collaborator's /events list
- invite flow: create → preview → accept → role granted → replay 410
- email mismatch on accept returns 403
- expired invite returns 410

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

internal/storage/migrations/0008_collaborators.up.sql

@@ -0,0 +1,65 @@
+-- Tier 2 Block C — multi-host / collaborators.
+--
+-- An event can now have multiple users with one of three roles:
+--   owner   — full access incl. delete + manage collaborators
+--   editor  — guests/tokens/branding/messages/analytics
+--   viewer  — read-only
+--
+-- The existing events.host_id stays as a denormalised "primary owner"
+-- pointer (cheap join key, useful for the existing GET /events query). The
+-- source of truth for authz is event_collaborators — every handler resolves
+-- the caller's role through it.
+--
+-- Schema #0005 in TIER2_PLAN.md; landing at 0008 because earlier slots are
+-- taken by Tier 1 work.
+
+DO $$ BEGIN
+    CREATE TYPE collaborator_role AS ENUM ('owner', 'editor', 'viewer');
+EXCEPTION WHEN duplicate_object THEN NULL; END $$;
+
+CREATE TABLE IF NOT EXISTS event_collaborators (
+    event_id     UUID NOT NULL REFERENCES events(id) ON DELETE CASCADE,
+    user_id      UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    role         collaborator_role NOT NULL,
+    invited_by   UUID REFERENCES users(id) ON DELETE SET NULL,
+    invited_at   TIMESTAMPTZ NOT NULL DEFAULT now(),
+    accepted_at  TIMESTAMPTZ,
+    PRIMARY KEY (event_id, user_id)
+);
+
+-- Fast lookup of "what events does this user have any role on" — used by
+-- the dashboard list and the role-resolution middleware.
+CREATE INDEX IF NOT EXISTS idx_collaborators_user
+    ON event_collaborators(user_id);
+
+-- Pending invitations. The invitee may not have a GuestGuard account yet;
+-- the accept flow creates one (or links to an existing one by email) and
+-- promotes the row into event_collaborators.
+--
+-- token_hash is sha256(raw); the raw token only ever lives in the email
+-- link, never in the DB. consumed_at is set on successful accept so re-
+-- using the link returns 410 Gone instead of silently re-adding the user.
+CREATE TABLE IF NOT EXISTS collaborator_invites (
+    token_hash   TEXT PRIMARY KEY,
+    event_id     UUID NOT NULL REFERENCES events(id) ON DELETE CASCADE,
+    email        TEXT NOT NULL,
+    role         collaborator_role NOT NULL,
+    invited_by   UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    expires_at   TIMESTAMPTZ NOT NULL,
+    consumed_at  TIMESTAMPTZ,
+    created_at   TIMESTAMPTZ NOT NULL DEFAULT now()
+);
+
+-- Find pending invites for an event quickly (the "Team" tab lists them).
+-- Partial index keeps the working set small even on a busy event.
+CREATE INDEX IF NOT EXISTS idx_collab_invites_event
+    ON collaborator_invites(event_id)
+    WHERE consumed_at IS NULL;
+
+-- Backfill: every existing event's host becomes its owner. Idempotent so
+-- re-running this migration after a partial failure (or against a freshly
+-- restored backup that already has rows) does the right thing.
+INSERT INTO event_collaborators (event_id, user_id, role, accepted_at, invited_at)
+SELECT id, host_id, 'owner', created_at, created_at
+FROM events
+ON CONFLICT (event_id, user_id) DO NOTHING;