Plan — 072 Managed Tenants workspace context enforcement

Tech

Treat /admin/w/{workspace}/... as the portfolio / workspace entry space.
Move Managed Tenants list/onboarding UX to workspace-scoped routes.
Make /admin/managed-tenants/* legacy-only (redirect to the correct workspace-scoped URL).
Enforce workspace/tenant consistency for all /admin/t/{tenant} routes (deny-as-not-found on mismatch).

Workspace is not Filament tenancy; it remains session + middleware.
Hard enforcement is implemented in middleware that runs on tenant-scoped routes.
Prefer redirects over removing routes immediately, to avoid breaking deep links, but ensure they are no longer primary UX.

routes/web.php
app/Providers/Filament/AdminPanelProvider.php
app/Http/Middleware/EnsureWorkspaceSelected.php
app/Support/Middleware/DenyNonMemberTenantAccess.php (or EnsureFilamentTenantSelected.php, depending on existing enforcement location)
app/Filament/Pages/ManagedTenants/* (legacy redirects / removal)
New/updated workspace landing page under app/Filament/Pages/Workspaces/* (or equivalent)
Pest tests in tests/Feature/Routing/ or tests/Feature/Filament/

Feature test: /admin/managed-tenants redirects to /admin/w/{workspace}/managed-tenants when workspace is selected.
Feature test: /admin/t/{tenant} returns 404 when workspace context missing.
Feature test: /admin/t/{tenant} returns 404 when tenant.workspace_id != current workspace.
Optional: workspace landing lists only workspace tenants.