feat(organizations): always-create workspace + suggestedJoin hint (drop onboarding limbo) (#3680)

* feat(organizations): canonical email-domain normalization helper

* feat(organizations): always-create workspace + suggestedJoin hint, drop autoCreate footgun

Spec D5 — every signup provisions an active workspace. autoCreate config flag is a
deprecated no-op; no path returns organizationSetupRequired or pendingJoin.

- handleSignupOrganization: delete autoCreate:false footgun branch entirely; all enabled
  paths call createOrganizationForUser returning {organization, membership}.
- Domain-match branch: drop createJoinRequest+pendingJoin; return suggestedJoin:
  {orgId,orgName} name-only hint alongside the newly created workspace.
- Use A1 isPublicDomain for the public-domain gate (hardcoded list + config overrides).
- Naming: domainMatching+corporate domain → domain-based name; all other cases
  (domainMatching off, public domain) → "{firstName}'s organization".
- signupGrant: credited inside createOrganizationForUser, once per real new org,
  never double-credited. Preserved exactly from pre-A2.
- Auth controller: no change needed — uses ||false/||null fallbacks on removed keys.
- Test updates (required 0-failure): emailVerification, domainJoin E2E, auth signup
  integration + auth E2E updated to assert new always-create contract.
- New unit test: organizations.service.signup.unit.tests.js — all config combos,
  suggestedJoin shape (name-only), signupGrant credited once, createJoinRequest never.

* fix(organizations): remove dead imports + harden signup test mock isolation

- I1: remove unused MembershipService import and dead sanitizeOrg helper (both
  orphaned by A2); file is now lint-clean (no-unused-vars: 0)
- I2: replace clearAllMocks() with resetAllMocks() + explicit defaults in top-level
  beforeEach; prevents mockReturnValue leaking across describe blocks
- m1: hoist triple `orgConfig.domainMatching && !domainIsPublic` into const
  isCorporateDomain; used at all 3 call sites, behavior identical
- m2: reword misleading e2e comment on suggestedOrganization:null to state actual
  controller contract and reference A2b for wiring

* fix(organizations): normalize domain on write + exact-match read via canonical normalizeEmailDomain

replace extractDomain(user.email) with normalizeEmailDomain (A1) at the two signup
sites in handleSignupOrganization: the repository list query (read) and the domain
passed to createOrganizationForUser (write). both now use the single canonical
lowercased/trimmed/null-safe path from organizations.domain.js.

guard isCorporateDomain against null domain (malformed email → normalizeEmailDomain
returns null → treated as non-corporate, falls through to personal workspace).

extractDomain kept as exported public API for non-signup callers; not modified.

tests (A3): mixed-case write normalization, case-insensitive match, subdomain
non-match (eu.acme.com ≠ acme.com), public-domain gate with mixed-case email.

* refactor(organizations): drop dead extractDomain + simplify public-domain guard

Remove extractDomain (def + JSDoc + export entry) — fully superseded by
normalizeEmailDomain since A3; 0 callers in repo. Drop stale "kept for
non-signup callers" comment (was factually wrong). Simplify domainIsPublic
to `isPublicDomain(domain) || publicDomains.includes(domain ?? '')` —
normalizeEmailDomain guarantees a lowercased string or null, so the
redundant ?. chain is gone. Fix stale RED label in A3 test to describe
the canonical-normalization contract it actually asserts.

* fix(organizations): idempotent retry-safe signup provisioning (spec C1 / A4)

Add convergence guard in handleSignupOrganization: if the user already holds
an active membership (partial-failure retry scenario), return the existing
org+membership without calling createOrganizationForUser — preventing duplicate
workspaces and double-crediting signupGrant on retried signups.

Uses MembershipRepository.findOne({ userId, status: ACTIVE }) — same canonical
read as autoSetCurrentOrganization. Guard fires after the email-verification
early-return and before Case 1/Case 2 always-create paths. signupGrant stays
once-only because it lives inside createOrganizationForUser, which is skipped.

* refactor(organizations): dedupe signup result builder + lock email-verif ordering test

* feat(auth): forward suggestedJoin through signup HTTP response (A2b)

Controller now serializes `suggestedJoin: { orgId, orgName } | null`
from orgResult into the signup response body alongside the existing keys.
`suggestedOrganization` kept as always-null with deprecation comment
(additive — breaking removal deferred to next release).
TDD: two integration tests (shape assert + null path), auth 1579 / orgs 1469 green.

* fix(organizations): address CodeRabbit + Copilot review findings

- domain: reject multiple-@ malformed emails in normalizeEmailDomain
- service: JSDoc for buildResult @param/@returns (CR+Copilot)
- service: update @returns to reflect null org/membership on mailer path
- e2e: add explicit suggestedJoin assertion on domain-match signup path
- e2e: fix stale A2b comment (now shipped in this PR)
- unit: remove stale "RED" test-driven header comment
- unit: cover multiple-@ rejection in domain tests

Author: PierreBrisorgueil

modules/auth/controllers/auth.controller.js

@@ -144,7 +144,9 @@ const signup = async (req, res) => {
         abilities: orgResult.abilities || [],
         organizationSetupRequired: orgResult.organizationSetupRequired || false,
         emailVerificationRequired: orgResult.emailVerificationRequired || false,
+        // deprecated: always null since always-create (A2); superseded by suggestedJoin — remove next release
         suggestedOrganization: orgResult.suggestedOrganization || null,
+        suggestedJoin: orgResult.suggestedJoin || null,
         type: 'success',
         message: 'Sign up',
       });

modules/auth/tests/auth.e2e.tests.js

@@ -118,7 +118,9 @@ describe('Auth E2E tests:', () => {
       secondUser = null;
     });
 
-    test('should create pending join request when email domain matches existing org', async () => {
+    test('spec D5: second user with same domain gets own workspace + suggestedJoin (no pending join request)', async () => {
+      // Spec D5 always-create: domain-match no longer creates a pending join request.
+      // Both users get their own active workspace.
       config.organizations = { enabled: true, autoCreate: true, domainMatching: true };
 
       try {
@@ -139,7 +141,7 @@ describe('Auth E2E tests:', () => {
         expect(firstOrg).toBeDefined();
         expect(firstOrg.domain).toBe('e2etest.com');
 
-        // Step 2: signup second user with same domain
+        // Step 2: signup second user with same domain — gets own workspace (spec D5)
         const result2 = await agent
           .post('/api/auth/signup')
           .send({
@@ -153,26 +155,29 @@ describe('Auth E2E tests:', () => {
 
         secondUser = result2.body.user;
 
-        // Verify org is returned with pending flag
+        // Second user gets their OWN active workspace (not a join on firstOrg)
         expect(result2.body.organization).toBeDefined();
-        expect(result2.body.organization._id).toBe(firstOrg._id);
-        expect(result2.body.pendingJoin).toBe(true);
+        expect(result2.body.organization).not.toBeNull();
+        expect(result2.body.organization._id).not.toBe(firstOrg._id);
+        // pendingJoin is always false (spec D5)
+        expect(result2.body.pendingJoin).toBeFalsy();
 
-        // Verify second user has a PENDING membership (not active)
-        const pendingMemberships = await MembershipRepository.list({
+        // Second user has an ACTIVE membership on their new org (not pending on firstOrg)
+        const activeMemberships = await MembershipRepository.list({
           userId: secondUser.id,
-          organizationId: firstOrg._id,
-          status: 'pending',
+          organizationId: result2.body.organization._id,
+          status: 'active',
         });
-        expect(pendingMemberships).toHaveLength(1);
+        expect(activeMemberships).toHaveLength(1);
+        expect(activeMemberships[0].role).toBe('owner');
 
-        // Verify NO active membership
-        const activeMemberships = await MembershipRepository.list({
+        // NO pending membership on firstOrg (spec D5: no join request created)
+        const pendingOnFirst = await MembershipRepository.list({
           userId: secondUser.id,
           organizationId: firstOrg._id,
-          status: 'active',
+          status: 'pending',
         });
-        expect(activeMemberships).toHaveLength(0);
+        expect(pendingOnFirst).toHaveLength(0);
       } catch (err) {
         console.log(err);
         expect(err).toBeFalsy();

modules/auth/tests/auth.signup.organization.integration.tests.js

@@ -116,13 +116,13 @@ describe('Auth signup organization integration tests:', () => {
   });
 
   describe('Signup with organizations enabled + autoCreate + domainMatching', () => {
-    test('should create pending join request when domain matches existing org', async () => {
+    test('spec D5: second user with same domain gets own workspace + suggestedJoin hint (no pending request)', async () => {
+      // Spec D5 always-create: domain-match no longer creates a pending join request.
+      // Both users get their own active workspace; the second receives a suggestedJoin hint.
       config.organizations = { enabled: true, autoCreate: true, domainMatching: true };
 
-      // First, create an existing organization with a specific domain
       let firstUser;
       let secondUser;
-      // clean up stale users from previous runs on shared databases
       await purgeUser('first@matchdomain.com');
       await purgeUser('second@matchdomain.com');
       try {
@@ -143,7 +143,7 @@ describe('Auth signup organization integration tests:', () => {
         expect(firstOrg).toBeDefined();
         expect(firstOrg.domain).toBe('matchdomain.com');
 
-        // Sign up second user with same domain — should get pending join request
+        // Sign up second user with same domain — spec D5: gets own workspace, not a join request
         const result2 = await agent
           .post('/api/auth/signup')
           .send({
@@ -157,15 +157,29 @@ describe('Auth signup organization integration tests:', () => {
 
         secondUser = result2.body.user;
 
-        // Should reference the same org but with pending flag
+        // Second user gets their OWN active workspace, not a reference to firstOrg
         expect(result2.body.organization).toBeDefined();
-        expect(result2.body.organization._id).toBe(firstOrg._id);
-        expect(result2.body.pendingJoin).toBe(true);
-        expect(result2.body.organizationSetupRequired).toBe(false);
+        expect(result2.body.organization).not.toBeNull();
+        expect(result2.body.organization._id).not.toBe(firstOrg._id);
+        expect(result2.body.pendingJoin).toBeFalsy();
+        expect(result2.body.organizationSetupRequired).toBeFalsy();
 
-        // Abilities should be present (without org context)
+        // Abilities should be present (with org context — user is owner of their own org)
         expect(result2.body.abilities).toBeDefined();
         expect(result2.body.abilities).toBeInstanceOf(Array);
+
+        // A2b: suggestedJoin must be forwarded from the service through the controller response.
+        // Shape is name-only { orgId: string, orgName: string } — no extra keys (domain, size, etc.)
+        expect(result2.body.suggestedJoin).toBeDefined();
+        expect(result2.body.suggestedJoin).not.toBeNull();
+        expect(typeof result2.body.suggestedJoin.orgId).toBe('string');
+        expect(typeof result2.body.suggestedJoin.orgName).toBe('string');
+        expect(result2.body.suggestedJoin.orgId).toBe(String(firstOrg._id));
+        // name-only: no leaked fields
+        expect(result2.body.suggestedJoin).not.toHaveProperty('domain');
+        expect(result2.body.suggestedJoin).not.toHaveProperty('memberCount');
+        expect(result2.body.suggestedJoin).not.toHaveProperty('membership');
+        expect(result2.body.suggestedJoin).not.toHaveProperty('plan');
       } catch (err) {
         console.log(err);
         expect(err).toBeFalsy();
@@ -215,11 +229,10 @@ describe('Auth signup organization integration tests:', () => {
   });
 
   describe('Signup with organizations enabled + autoCreate + no domainMatching', () => {
-    test('should create a personal organization for the user', async () => {
+    test('should create a personal organization for the user (domainMatching off = personal name)', async () => {
       config.organizations = { enabled: true, autoCreate: true, domainMatching: false };
 
       let user;
-      // clean up stale users from previous runs on shared databases
       await purgeUser('personal@somecompany.com');
       try {
         const result = await agent
@@ -235,12 +248,12 @@ describe('Auth signup organization integration tests:', () => {
 
         user = result.body.user;
 
-        // A personal organization should be created (no domain matching)
+        // domainMatching off → personal workspace name regardless of domain
         expect(result.body.organization).toBeDefined();
         expect(result.body.organization).not.toBeNull();
         expect(result.body.organization.name).toBe("Personal's organization");
         expect(result.body.organization.domain).toBe('');
-        expect(result.body.organizationSetupRequired).toBe(false);
+        expect(result.body.organizationSetupRequired).toBeFalsy();
 
         // Abilities should be present
         expect(result.body.abilities).toBeDefined();
@@ -254,12 +267,13 @@ describe('Auth signup organization integration tests:', () => {
     });
   });
 
-  describe('Signup with organizations enabled + no autoCreate', () => {
-    test('should not create an organization and flag setup as required', async () => {
+  describe('Signup with organizations enabled + no autoCreate (spec D5: autoCreate is deprecated no-op)', () => {
+    test('spec D5: autoCreate:false is a no-op — workspace always provisioned', async () => {
+      // Spec D5: config.organizations.autoCreate is a deprecated no-op.
+      // Signup ALWAYS provisions a workspace; organizationSetupRequired is never returned.
       config.organizations = { enabled: true, autoCreate: false, domainMatching: true };
 
       let user;
-      // clean up stale users from previous runs on shared databases
       await purgeUser('manual@setup.com');
       try {
         const result = await agent
@@ -275,11 +289,13 @@ describe('Auth signup organization integration tests:', () => {
 
         user = result.body.user;
 
-        // No organization should be created
-        expect(result.body.organization).toBeNull();
-        expect(result.body.organizationSetupRequired).toBe(true);
+        // Workspace is always created now (spec D5)
+        expect(result.body.organization).not.toBeNull();
+        expect(result.body.organization).toBeDefined();
+        // organizationSetupRequired defaults to false (auth controller || false)
+        expect(result.body.organizationSetupRequired).toBeFalsy();
 
-        // Abilities should still be present (guest-level for org context)
+        // Abilities should be present (user is owner of their new workspace)
         expect(result.body.abilities).toBeDefined();
         expect(result.body.abilities).toBeInstanceOf(Array);
       } catch (err) {
@@ -312,14 +328,18 @@ describe('Auth signup organization integration tests:', () => {
 
         user = result.body.user;
 
-        // Verify response structure includes the new fields
+        // Verify response structure includes the expected fields
         expect(result.body).toHaveProperty('user');
         expect(result.body).toHaveProperty('organization');
         expect(result.body).toHaveProperty('abilities');
-        expect(result.body).toHaveProperty('organizationSetupRequired');
+        // organizationSetupRequired is always false (auth controller || false default)
+        expect(result.body.organizationSetupRequired).toBeFalsy();
         expect(result.body).toHaveProperty('tokenExpiresIn');
         expect(result.body.type).toBe('success');
         expect(result.body.message).toBe('Sign up');
+        // A2b: no domain match / orgs disabled → suggestedJoin is present-as-null (not absent)
+        expect(result.body).toHaveProperty('suggestedJoin');
+        expect(result.body.suggestedJoin).toBeNull();
       } catch (err) {
         console.log(err);
         expect(err).toBeFalsy();

modules/organizations/services/organizations.domain.js

@@ -0,0 +1,33 @@
+/**
+ * Email-domain normalization helpers.
+ *
+ * Maintained constant. Not auto-refreshed (spec H2 — freshness out of scope).
+ */
+
+export const PUBLIC_DOMAINS = new Set([
+  'gmail.com', 'googlemail.com', 'outlook.com', 'hotmail.com', 'live.com',
+  'yahoo.com', 'icloud.com', 'me.com', 'proton.me', 'protonmail.com',
+  'aol.com', 'gmx.com', 'mail.com', 'yandex.com', 'zoho.com',
+]);
+
+/**
+ * Extract and normalize the domain portion of an email address.
+ * @param {*} email - Raw value to parse.
+ * @returns {string|null} Lowercased, trimmed domain, or null on malformed input.
+ */
+export function normalizeEmailDomain(email) {
+  if (typeof email !== 'string') return null;
+  const at = email.indexOf('@');
+  if (at === -1 || at !== email.lastIndexOf('@')) return null;
+  const domain = email.slice(at + 1).trim().toLowerCase();
+  return domain.length > 0 && domain.includes('.') ? domain : null;
+}
+
+/**
+ * Return true when the domain belongs to a known public e-mail provider.
+ * @param {string} domain - Normalized or raw domain string.
+ * @returns {boolean}
+ */
+export function isPublicDomain(domain) {
+  return PUBLIC_DOMAINS.has(String(domain ?? '').trim().toLowerCase());
+}