WPB-26291 prevent SCIM user change name on registration #5268

Open
battermann wants to merge 12 commits into develop from WPB-26291-be-scim-scim-provisioned-users-can-change-their-handle-when-assigning-handle-and-password-during-registration

battermann commented Jun 12, 2026

Contributor

It is debatable if we need a new API version. I don't like it but it was agreed upon in the scope's chat because the change is not backwards compatible.

https://wearezeta.atlassian.net/browse/WPB-26291

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines

battermann changed the title from "WPB-26291 add managed_by to teams invitation code info" to "WPB-26291 prevent change name on registration" Jun 12, 2026
zebot added the ok-to-test label (Approved for running tests in CI, overrides not-ok-to-test if both labels exist) Jun 12, 2026
battermann changed the title from "WPB-26291 prevent change name on registration" to "WPB-26291 prevent SCIM user change name on registration" Jun 15, 2026
battermann marked this pull request as ready for review June 15, 2026 15:20
battermann requested review from a team as code owners June 15, 2026 15:20

Copilot AI left a comment

Contributor

Pull request overview

This PR enforces that SCIM-managed invited users cannot change their display name during registration (server-side), while maintaining backwards compatibility by introducing a version-gated /register behavior split (v16 vs v17+). It also enriches the team invitation info response to optionally expose managed_by, and updates golden + integration tests and changelog accordingly.

Changes:

  • Add a v17+ registration guard that rejects SCIM display-name changes during POST /register (new 403 managed-by-scim case), while keeping pre-v17 behavior via register@v16.
  • Extend GET /teams/invitations/info?code=... response with optional managed_by and wire it through Brig.
  • Update golden fixtures and integration tests to cover SCIM invitation info and registration behavior.

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| services/brig/src/Brig/Team/API.hs | Adds managedBy to invitation info responses by looking up a pending user derived from invitation id. |
| services/brig/src/Brig/Data/User.hs | Introduces invitationIdToUserId helper for SCIM/pending-invitation user id derivation. |
| services/brig/src/Brig/API/User.hs | Adds SCIM display-name guard and splits registration into v16 vs v17+ implementations. |
| services/brig/src/Brig/API/Public.hs | Wires register@v16 and register handlers to the new Brig registration functions. |
| libs/wire-api/src/Wire/API/User.hs | Extends RegisterError union with the new SCIM display-name mismatch case. |
| libs/wire-api/src/Wire/API/Team/Invitation.hs | Adds optional managed_by field to InvitationUserView schema/JSON. |
| libs/wire-api/src/Wire/API/Routes/Public/Brig.hs | Adds version-gated register@v16 endpoint and gates register from v17. |
| libs/wire-api/test/golden/testObject_InvitationUserView_team_1.json | Updates golden JSON to include managed_by. |
| libs/wire-api/test/golden/testObject_InvitationUserView_team_2.json | Updates golden JSON to include managed_by. |
| libs/wire-api/test/golden/Test/Wire/API/Golden/Manual/InvitationUserView.hs | Updates golden Haskell objects to populate managedBy. |
| integration/test/Test/Teams.hs | Adds assertion that non-SCIM invitation info omits managed_by. |
| integration/test/Test/Spar.hs | Adds SCIM registration test asserting name change is rejected with managed-by-scim. |
| integration/test/SetupHelpers.hs | Adjusts invited-user registration helper to reuse invitation-provided name (SCIM-safe). |
| integration/test/API/Brig.hs | Adds registerUserWith to support name-parametrized registration in tests. |
| changelog.d/3-bug-fixes/WPB-26291 | Documents bug fix for SCIM name changes on registration. |
| changelog.d/1-api-changes/WPB-26291 | Documents API change (new error for v17+, optional managed_by on invitation info). |

Comment thread services/brig/src/Brig/Team/API.hs Outdated
Comment thread integration/test/SetupHelpers.hs
Comment thread integration/test/Test/Spar.hs Outdated
Comment thread libs/wire-api/src/Wire/API/User.hs
Comment thread changelog.d/3-bug-fixes/WPB-26291 Outdated
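
The version-gated guard described in the review overview above, sketched as an added example (not code from this PR or from wire-server). All type and function names are hypothetical, the sample names are constructed, and the pre-v17 path is modelled as simply not running the guard, which is an assumption.

```haskell
module Main where

-- Hypothetical types for illustration; not wire-server's own definitions.
data ManagedBy = ManagedByWire | ManagedByScim deriving (Eq, Show)

-- What the server already holds for the invited account.
data Invitation = Invitation
  { invName :: String
  , invManagedBy :: Maybe ManagedBy -- Nothing: managed_by omitted (non-SCIM invite)
  }

-- What the client submits to POST /register.
newtype RegisterRequest = RegisterRequest {reqName :: String} deriving (Eq, Show)

data RegisterError = ManagedByScimError deriving (Eq, Show)

-- Status code and label as named in the PR overview.
errorResponse :: RegisterError -> (Int, String)
errorResponse ManagedByScimError = (403, "managed-by-scim")

-- The guard runs from API v17 on. Assumption: older versions skip it.
guardActive :: Int -> Bool
guardActive apiVersion = apiVersion >= 17

-- Server-side check: the name comes from the stored invitation, so a client
-- that ignores managed_by still cannot override a SCIM-provisioned name.
checkScimName :: Int -> Invitation -> RegisterRequest -> Either RegisterError RegisterRequest
checkScimName apiVersion inv req
  | guardActive apiVersion
  , invManagedBy inv == Just ManagedByScim
  , reqName req /= invName inv = Left ManagedByScimError
  | otherwise = Right req

main :: IO ()
main = mapM_ report cases
  where
    scimInv = Invitation "Alice Example" (Just ManagedByScim) -- constructed sample
    plainInv = Invitation "Bob Example" Nothing -- constructed sample
    cases =
      [ ("v17, SCIM, name changed", checkScimName 17 scimInv (RegisterRequest "Someone Else"))
      , ("v17, SCIM, name kept", checkScimName 17 scimInv (RegisterRequest "Alice Example"))
      , ("v17, non-SCIM, name changed", checkScimName 17 plainInv (RegisterRequest "Robert"))
      , ("v16, SCIM, name changed", checkScimName 16 scimInv (RegisterRequest "Someone Else"))
      ]
    report (label, result) =
      putStrLn (label ++ ": " ++ either (show . errorResponse) (const "accepted") result)
```

Only the first case is rejected; the v16 case shows why the gating leaves older clients on the previous behaviour.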
battermann and others added 3 commits June 15, 2026 17:33
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

Copilot AI left a comment

Contributor

Pull request overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.

Comment thread integration/test/SetupHelpers.hs