External New User Organization Journey

Verified walkthrough from an unauthenticated external user through magic-link sign-in, default workspace entry, organization creation, logo upload, domain setup, and organization settings.

Issue #729 Recorded 2026-07-05 Real Worker auth + org handlers Miniflare D1 + captured Email binding

Video Walkthrough

The video starts signed out at /login. The magic link is generated by worker/auth.ts, captured by the test Email binding, then opened the same way an email recipient would open it.

State Graph

Signed OutBrowser opens Tegy with no session and sees the email login screen.
Magic Link SentExternal email is authorized by the invite-list bootstrap path and receives a real auth link.
Session CreatedThe verify endpoint consumes the token, creates auth_users and auth_sessions, and redirects to Tegy.
Organization SetupUser enters organization name, allowed domains, and uploads a logo.
Active OrganizationCreated org becomes active and organization settings show the configured workspace.

Login

Signed-out login screen
Unauthenticated external user starts at Tegy login.

Email Link

Magic-link sent confirmation
The app confirms that a sign-in link was sent.

Default Workspace

Default workspace after magic-link verification
The verified user reaches the default workspace and can set up an organization.

Setup Form

Organization setup form filled out
Organization name, allowed domains, and logo are filled before submit.

Final State

Organization settings final state
The created organization is active and visible in organization settings.

Video Review

Contact sheet generated from the final MP4 and reviewed after recording.

Contact sheet for the external new user organization journey video

Evidence Boundary

  • No auth session was stubbed into the UI; /api/auth/session is served by the Worker auth handler.
  • The magic-link token is produced and consumed by worker/auth.ts.
  • Organization creation, logo persistence, domain storage, and active-org preference use worker/collaboration.ts.
  • The harness authorizes alex@northstar.test through the existing invite-list bootstrap path. Opening public self-serve signup for any email remains a separate production decision.