public function handle($request, Closure $next)
{
    $user = $request->user();
    if (!$user) return $next($request);

    if ($user->isSuperadmin()) {
        return $next($request);
    }

    if (!$user->tenant || !$user->tenant->active) {
        Auth::logout();
        abort(403, 'Tenant inactive');
    }

    return $next($request);
}