Configurable sign-up policy (invite-only / domain allowlist / open) #36

@ryw

Problem

Sign-up is currently hardwired to invite-only (the closed-instance gate in web/src/lib/auth.ts databaseHooks.user.create.before rejects anyone who isn't an instance admin or doesn't have a pending invite). There's no way for an operator to open the instance up, or to allow an email-domain instead of explicit invites.

Self-hosters will want this control to vary by deployment (a personal instance vs. a company-wide one vs. a public demo).

Proposal

An instance-admin sign-up policy setting, backed by instance_settings (the substrate from #32, now shipped):

  • invite-only (current behavior, default) — only instance admins or holders of a pending invite may create an account.
  • email-domain allowlist — anyone whose verified email matches a configured domain (e.g. @acme.com) may self-join; others are rejected.
  • open — anyone who can authenticate may create an account.

The check lives in the existing user.create.before hook; it reads the policy from instance_settings and branches instead of the hardcoded invite-only rule.

Acceptance criteria

  • Policy stored in instance_settings, instance-admin-gated on write, with env fallback (default invite-only so existing instances are unchanged).
  • user.create.before enforces the selected policy (invite-only / domain-allowlist / open).
  • Domain-allowlist matches on the verified email domain only.
  • A control on the instance /settings surface to set it.
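
A sketch of the policy branch and the verified-domain match proposed above, added here as an illustration; it is not part of the issue or the project's code. All names (resolvePolicy, mayCreateAccount, SignupCandidate, the stored settings shape) are hypothetical, and it assumes instance admins and invite holders remain admissible under every mode.

```typescript
// Added sketch: every name here is hypothetical, not the project's code.
type SignupPolicy =
  | { mode: "invite-only" }
  | { mode: "domain-allowlist"; domains: string[] }
  | { mode: "open" };
interface SignupCandidate {
  email: string;
  emailVerified: boolean;
  isInstanceAdmin: boolean;
  hasPendingInvite: boolean;
}
// Stored setting wins, then the env fallback; an unknown mode or an empty
// allowlist fails closed to invite-only.
function resolvePolicy(stored: unknown, envMode?: string): SignupPolicy {
  const s = (stored ?? {}) as { mode?: unknown; domains?: unknown };
  const mode = typeof s.mode === "string" ? s.mode : envMode;
  const list: unknown[] = Array.isArray(s.domains) ? s.domains : [];
  const domains = list
    .filter((d): d is string => typeof d === "string")
    .map((d) => d.trim().toLowerCase().replace(/^@/, ""))
    .filter((d) => d.length > 0);
  if (mode === "open") return { mode: "open" };
  if (mode === "domain-allowlist" && domains.length > 0)
    return { mode: "domain-allowlist", domains };
  return { mode: "invite-only" };
}

// Exact, case-insensitive domain of a well-formed address; null otherwise.
function emailDomain(email: string): string | null {
  const [local, domain, ...rest] = email.trim().toLowerCase().split("@");
  return local && domain && rest.length === 0 ? domain : null;
}

function mayCreateAccount(policy: SignupPolicy, c: SignupCandidate): boolean {
  // Assumption: admins and invite holders stay admissible under every mode.
  if (c.isInstanceAdmin || c.hasPendingInvite) return true;
  switch (policy.mode) {
    case "open":
      return true;
    case "domain-allowlist": {
      if (!c.emailVerified) return false; // verified email only
      const domain = emailDomain(c.email);
      // Whole-domain equality, never suffix or substring matching.
      return domain !== null && policy.domains.includes(domain);
    }
    default:
      return false; // invite-only
  }
}
```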
