fix(workspace): permission enforcement, invite auto-create, switch clears stores

- DeleteAgent: require owner/admin role (was member-only check)
- ListAgentTasks: add workspace membership verification (was unauthenticated)
- CreateMember: auto-create user if email not found (enables invite flow)
- Workspace switch: clear issue/inbox/agent stores before hydrating new data

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

server/internal/handler/workspace.go

@@ -338,11 +338,19 @@ func (h *Handler) CreateMember(w http.ResponseWriter, r *http.Request) {
 	user, err := h.Queries.GetUserByEmail(r.Context(), email)
 	if err != nil {
 		if isNotFound(err) {
-			writeError(w, http.StatusNotFound, "user not found")
+			// Auto-create user with email so they can be invited before signing up
+			user, err = h.Queries.CreateUser(r.Context(), db.CreateUserParams{
+				Name:  email,
+				Email: email,
+			})
+			if err != nil {
+				writeError(w, http.StatusInternalServerError, "failed to create user")
+				return
+			}
+		} else {
+			writeError(w, http.StatusInternalServerError, "failed to load user")
 			return
 		}
-		writeError(w, http.StatusInternalServerError, "failed to load user")
-		return
 	}
 
 	member, err := h.Queries.CreateMember(r.Context(), db.CreateMemberParams{