Invite Acceptance Flow

Support reference for the public invite page: `/invite/[code]`.

For shared login/session bootstrap behavior outside the invite-specific UX, see auth-and-session.md.

- `GET /api/invites/{code}` - `GET /api/invites/{code}/accept` - `GET /api/auth/google` - `GET /api/auth/google/callback`

- The page waits for auth bootstrap, then loads `GET /api/invites/{code}`. - The invite code comes from the route param first and falls back to `?code=...`. - Backend returns one of: - `ready_to_accept` - `already_in_organization` - `not_found` - The response includes organization `id`, `name`, and `description` when the invite exists. - If the route has no code, the frontend shows `Invalid invite code` and redirects to `/login`.

- A guest with a valid pending invite sees the organization details and `Sign in with Google`. - The page sends Google OAuth state as `{"inviteCode":"<code>"}`. - The guest view warns that signing in will automatically accept the invite. - In the Google callback, if `inviteCode` is present, the backend immediately tries to accept the invite before returning a redirect. - Successful invite-based sign-in redirects to `/`. - If callback-time acceptance fails, the callback redirects back to `/invite/{code}`. - New invited users skip the non-invite onboarding redirect and still land on `/` after acceptance.

- An authenticated user with `ready_to_accept` sees the signed-in account plus `Accept Invite`. - `Accept Invite` calls `GET /api/invites/{code}/accept`. - On success, the frontend refetches the user and follows the backend `redirectUrl`. - The current accept processor returns `/` with message `Invite accepted successfully`. - On accept failure, the page shows the backend/frontend error toast and reloads invite state. - Accepting an invite can restore a previously deleted membership and switches the user's `current_organization_id` to the invited organization.

- If the signed-in user already has membership in the invited organization, `GET /api/invites/{code}` returns `already_in_organization`. - The page shows `Already a member`, hides the accept button, and offers `Go to Dashboard` and `Log out`. - `Go to Dashboard` routes to `/`.

- The page renders the not-found view when invite status is `not_found`. - In current backend logic, `status: not_found` covers invites that exist but are expired, cancelled, or already accepted. - A completely unknown invite code returns HTTP 404 from `GET /api/invites/{code}`. - The frontend currently handles both `status: not_found` and failed invite lookups by rendering `InviteNotFound`. - When the lookup fails at HTTP/request level, the frontend also shows an error toast and schedules a redirect to `/login` after 3 seconds. - The accept processor can return these verified errors: - `Invite not found` - `Invite is not pending` - `Invite has expired` - `User is already in this organization`

- Invite acceptance currently does not enforce that the signed-in Google email matches the invite email. - Invite links can be created either with an email address or as shareable links with `email: null`; both land on the same public `/invite/[code]` page. - Invite-based sign-up does not run the normal non-invite onboarding redirect. New users coming through an invite are redirected to `/` after acceptance. - For invite creation, resend, cancel, and Staff-area context, see staff.md.