Add multi-tenancy with Teams feature

Implement team-based organization for projects with role-based access control:

Backend:
- Add teams and team_memberships database tables (migrations 009, 009b)
- Add Team and TeamMembership ORM models with relationships
- Implement TeamAuthorizationService for team-level access control
- Add team CRUD, membership, and projects API endpoints
- Update project creation to support team assignment

Frontend:
- Add TeamContext for managing team state with localStorage persistence
- Add TeamSelector component for switching between teams
- Add TeamsPage, TeamDashboardPage, TeamSettingsPage, TeamMembersPage
- Add team API client functions
- Update navigation with Teams link

Security:
- Team role hierarchy: owner > admin > member
- Membership checked before system admin fallback
- Self-modification prevention for role changes
- Email visibility restricted to team admins/owners
- Slug validation rejects consecutive hyphens

Tests:
- Unit tests for TeamAuthorizationService
- Integration tests for all team API endpoints

CHANGELOG.md

@@ -7,6 +7,44 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 ### Added
+- Added team-based multi-tenancy for organizing projects and collaboration (#88-#104)
+  - Teams serve as organizational containers for projects
+  - Users can belong to multiple teams with different roles (owner, admin, member)
+  - Projects can optionally belong to a team
+- Added database schema for teams (#88):
+  - `teams` table with id, name, slug, description, settings, timestamps
+  - `team_memberships` table mapping users to teams with roles
+  - `team_id` column on projects table for team association
+  - Migrations `009_teams.sql` and `009b_migrate_projects.sql`
+- Added Team and TeamMembership ORM models with relationships (#89)
+- Added TeamAuthorizationService for team-level access control (#90):
+  - Team owner/admin gets admin access to all team projects
+  - Team member gets read access to team projects (upgradeable by explicit permission)
+  - Role hierarchy: owner > admin > member
+- Added Team API endpoints (#92, #93, #94, #95):
+  - `GET /api/v1/teams` - List teams user belongs to (paginated)
+  - `POST /api/v1/teams` - Create team (creator becomes owner)
+  - `GET /api/v1/teams/{slug}` - Get team details
+  - `PUT /api/v1/teams/{slug}` - Update team (requires admin)
+  - `DELETE /api/v1/teams/{slug}` - Delete team (requires owner)
+  - `GET /api/v1/teams/{slug}/members` - List team members
+  - `POST /api/v1/teams/{slug}/members` - Add member (requires admin)
+  - `PUT /api/v1/teams/{slug}/members/{username}` - Update member role
+  - `DELETE /api/v1/teams/{slug}/members/{username}` - Remove member
+  - `GET /api/v1/teams/{slug}/projects` - List team projects (paginated)
+- Updated project creation to support optional team assignment (#95)
+- Updated project responses to include team info (team_id, team_slug, team_name)
+- Added frontend team management (#97-#104):
+  - TeamContext provider for managing current team selection
+  - TeamSelector dropdown component (persists selection in localStorage)
+  - Teams list page at `/teams`
+  - Team dashboard page at `/teams/{slug}`
+  - Team settings page at `/teams/{slug}/settings`
+  - Team members page at `/teams/{slug}/members`
+  - Teams navigation link in header (authenticated users only)
+- Added TypeScript types and API client functions for teams
+- Added integration tests for team CRUD, membership, and project operations
+- Added unit tests for TeamAuthorizationService
 - Added `ORCHARD_ADMIN_PASSWORD` environment variable to configure initial admin password (#87)
   - When set, admin user is created with the specified password (no password change required)
   - When not set, defaults to `changeme123` and requires password change on first login