🎯 Decouple invitations from organizations (referral-ready platform invitations)

[PierreBrisorgueil]

Epic — Decouple invitations from organizations (referral-ready)

Two invitation systems were colliding: the platform signup-gate (#3715, beta invite-only) and org membership email-invite. We fully decouple them.

Model: "invite a contact to the platform" (token + invitedBy + beta-gate eligibility) becomes a standalone optional invitations module depending only on auth. org becomes roster-of-existing-accounts only (add/roles/remove + join-requests). invitations ⊥ org — they communicate via userId. Referral (#5) is schema-ready (invitedBy + invitation.accepted event), credit-grant logic deferred.

Spec: infra/docs/superpowers/specs/2026-06-09-invitations-org-decouple-design.md
Plan: infra/docs/superpowers/plans/2026-06-09-invitations-org-decouple.md (audited on 4 axes + a Codex second-opinion pass folded in)

⚠️ Ordering constraint: Phase 1 (land #3715 byte-identical to Trawl's deployed state) MUST merge before Phase 2 (module extraction), otherwise the next Trawl /update-stack produces a 3-way conflict on auth.controller.js.

Locked decisions: no auto-verify of invite-created accounts · lowercase + case-insensitive unique index on users.email · cap TOCTOU overshoot accepted + documented · add-to-org → PENDING with source:'owner_add' (E15 — never confused with a join-request) + persistent pending-list in Account + transient snackbar.

Phases (each = its own PR via /feature → /verify → /dev:verify-qa → /dev:pull-request-finalize):

• P1 — Land feat(auth): invite-only / capped signup gate #3715 signup-gate on master (byte-identical) · Node
• P2 — Extract invitations module + eligibility-hook inversion (E13 query token) · Node
• P3 — Edge-case hardening (E2 two-phase claim, E3 CI email index, E6 no auto-verify, E8 soft-revoke, E9) · Node
• P4 — Remove org email-invite (Node) + migration (org-owned) · Node
• P5a — org.addMember(userId) + source discriminator + consent · Node
• P5b — Org add-member UI + persistent pending-invitations list + snackbar · Vue
• P6 — invitations Vue module + account/admin tabs + gap-fixes · Vue
• P7 — Remove org email-invite (Vue) · Vue
• P8a — Referral hook backend (referredBy schema + invitation.accepted) · Node
• P8b — Referrals account view scaffold · Vue
• P9 — Propagate downstream + run prod migrations (Trawl) · downstream

Sub-issues are linked below and tracked by the Sub-issues progress bar.

---

🛑 Fable review corrections (2026-06-10, code-verified vs origin/master)

• 🛑 feat(auth): invite-only / capped signup gate #3715 is ALREADY MERGED on origin/master (the spec/plan were authored from a local checkout 115 commits behind). f0e7a83c is an ancestor; all modules/auth/**/*invitation* + auth.signupCapacity.js + gate hunks are present; trawl_node master auth.controller.js is hash-identical. → P1 (🔧 Land #3715 signup-gate on master (byte-identical) #3809) collapses to a verify-no-op. The "Node backend not on master / front-ahead-of-back" premise is FALSE.
• 🔴 Casing bug across P5a: membership status is stored lowercase (PENDING:'pending'); any === 'PENDING' check (incl. the prescribed pre('validate') consent guard) is INERT — use the MEMBERSHIP_STATUSES.PENDING constant everywhere.
• 🔴 P2 must ship a /api/auth/invitations deprecation alias kept until P6 repoints the Vue store (else the live admin tab breaks for ~4 PRs).
• Before executing ANY phase: git fetch && git checkout origin/master and re-derive file/line refs (local tree is stale; org signup-join flow was reworked — domain-match auto-join removed → suggestedJoin).