Add team management endpoints

- Three-role model (owner/admin/member) with owner protection invariants
- Team CRUD: create, rename (admin+), soft-delete with VM cleanup (owner only)
- Member management: add by email, remove, role updates (admin+), leave
- Switch-team endpoint re-issues JWT after DB membership verification
- User email prefix search for add-member UI autocomplete
- JWT carries role as a hint; all authorization decisions verified from DB
- Team slug: immutable 12-char hex (e.g. a1b2c3-d1e2f3), reserved on soft-delete
- Migration adds slug + deleted_at to teams; backfills existing rows

internal/id/id.go

@@ -34,6 +34,16 @@ func NewTeamID() string {
 	return "team-" + hex8()
 }
 
+// NewTeamSlug generates a unique team slug in the format "xxxxxx-yyyyyy"
+// where each part is 3 random bytes encoded as hex (6 hex chars each).
+func NewTeamSlug() string {
+	b := make([]byte, 6)
+	if _, err := rand.Read(b); err != nil {
+		panic(fmt.Sprintf("crypto/rand failed: %v", err))
+	}
+	return hex.EncodeToString(b[:3]) + "-" + hex.EncodeToString(b[3:])
+}
+
 // NewAPIKeyID generates a new API key ID in the format "key-" + 8 hex chars.
 func NewAPIKeyID() string {
 	return "key-" + hex8()