- Store-level suite over BOTH backends (SQLite + JetStream KV): golden redeem,
single-use rejection, unknown token, expired token (forced past), cancel, and
hard-delete. Plus the burn-on-claim edge (redeem with an already-registered
key spends the invite and returns ErrUserExists on both backends).
- HTTP suite: admin mints an invite, a brand-new identity redeems it UNSIGNED
via /register, the user appears in the allowlist, a second redeem is 409,
expired is 410, malformed keys are 400, a non-admin is 403 on all four admin
routes, and DELETE /users purges (vs revoke's status flip).
- Client end-to-end: admin mints an invite, an unregistered joiner redeems it
without any admin signature, appears in the allowlist, then is hard-deleted.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
egutierrez
52c80ac010