feat(den): support Entra SSO auto-join #1895

Closed
pascalandr wants to merge 11 commits into different-ai:dev from Pagecran:pr/entra-sso-auto-join
@pascalandr (Contributor) commented May 22, 2026

Summary

Isolates Entra SSO auto-join hardening: Microsoft provider env/config, profile mapping, auto-join membership helper, auth/org integration, and tests.

Verification

  • bun test ee/apps/den-api/test/entra-sso.test.ts — passed, 14 tests.
  • git diff --name-status upstream/dev...pr/entra-sso-auto-join reviewed; no tasks/**, docs/scrs/**, codemaps, or generated app-version included.

Known risks

  • Full Den API build was not rerun on this branch; focused Entra tests passed.

Linked issues

@vercel (Bot, Contributor) commented May 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: openwork-landing
Deployment: Ready
Actions: Preview, Comment, Open in v0
Updated (UTC): Jun 10, 2026 4:54pm

@vercel (Bot, Contributor) commented May 22, 2026

@pascalandr is attempting to deploy a commit to the Different AI Team on Vercel.

A member of the Team first needs to authorize it.

Merge upstream/dev into pr/entra-sso-auto-join and preserve soft member removal behavior.
Accept invite tokens as well as invitation IDs, claim placeholder invitation members without duplicates, run member-change hooks for new Entra SSO joins, and restore the high dev-mode sign-up rate limit.

@cubic-dev-ai cubic-dev-ai Bot left a comment


2 issues found across 6 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="ee/apps/den-api/src/orgs.ts">

<violation number="1" location="ee/apps/den-api/src/orgs.ts:650">
P2: Post-member-change hooks are skipped when an invitation is accepted via the placeholder-claim path. Claiming a placeholder member sets `createdMember = false`, so downstream hooks (provisioning, audit, seat tracking) never fire for this common invitation acceptance path. Previously hooks ran unconditionally after any invitation acceptance.</violation>
</file>

Reply with feedback, questions, or to request a fix.


Comment thread ee/apps/den-api/src/orgs.ts Outdated
const member = await acceptInvitation(invitation, input.userId)
await runPostOrganizationMemberChangeHooks({ organizationId: invitation.organizationId, memberId: member.id, change: "added" })
const accepted = await acceptInvitation(invitation, input.userId)
if (accepted.createdMember) {


P2: Post-member-change hooks are skipped when an invitation is accepted via the placeholder-claim path. Claiming a placeholder member sets createdMember = false, so downstream hooks (provisioning, audit, seat tracking) never fire for this common invitation acceptance path. Previously hooks ran unconditionally after any invitation acceptance.

Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At ee/apps/den-api/src/orgs.ts, line 650:

<comment>Post-member-change hooks are skipped when an invitation is accepted via the placeholder-claim path. Claiming a placeholder member sets `createdMember = false`, so downstream hooks (provisioning, audit, seat tracking) never fire for this common invitation acceptance path. Previously hooks ran unconditionally after any invitation acceptance.</comment>

<file context>
@@ -514,20 +646,17 @@ export async function acceptInvitationForUser(input: {
-  const member = await acceptInvitation(invitation, input.userId)
-  await runPostOrganizationMemberChangeHooks({ organizationId: invitation.organizationId, memberId: member.id, change: "added" })
+  const accepted = await acceptInvitation(invitation, input.userId)
+  if (accepted.createdMember) {
+    await runPostOrganizationMemberChangeHooks({ organizationId: invitation.organizationId, memberId: accepted.member.id, change: "added" })
+  }
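Review bot: The new `if (accepted.createdMember)` guard makes the "added" hook conditional, where the removed lines ran it after every successful acceptInvitation call, so any acceptance path that returns createdMember as false now completes without notifying hook consumers. If the intent is only to avoid a duplicate event, gate on whether this call made the membership active rather than on whether a row was inserted, and add a test asserting the hook fires once for each acceptance path. The return shape of acceptInvitation also changes here from a member (`member.id`) to an object (`accepted.member.id`), so any other caller that still reads `.id` directly off the result needs checking.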
</file context>

@pascalandr (Contributor, Author) commented Jun 10, 2026

Thanks — cubic correctly identified that the acceptance transition must run the post-member-change hooks. I tightened this in da92d43: placeholder invite creation no longer fires member-added hooks, and the placeholder-claim acceptance path still sets createdMember so provisioning/audit/seat hooks run exactly on acceptance. Regression: bun test --conditions development ee/apps/den-api/test/org-invitation-lifecycle.test.ts (4 pass). Typecheck: pnpm --filter @openwork-ee/den-api exec tsc --noEmit.

Annotate invitation member lookup helpers as nullable so the placeholder-claim flow typechecks while preserving duplicate-member prevention.
Add mocked Den API invitation lifecycle tests for preview by invite token, accept by invite token, placeholder-member claim without duplicate active members, and retained team association.
Run invitation placeholder claims through post member-change hooks, keep repeated removals idempotent with active-member guards, and fix nullable placeholder member typing surfaced by Den API typecheck.
Ensure placeholder invitation creation is not treated as a member-added lifecycle event while placeholder claim on acceptance still emits the post-member-change hook with regression coverage.
Add removedAt filters to active organization, Entra auto-join, and plugin grant target member lookups so stale removed rows cannot regain access.
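
The lifecycle rules settled in the reply and commit messages above (no hook on placeholder creation, the "added" hook exactly once on acceptance, idempotent removal, and removedAt filters on active lookups), as an added in-memory example. It is not code from this PR or from the Den API; `OrgStore`, its methods, `runLifecycle` and the sample data are hypothetical.

```typescript
// Added illustration: an in-memory model, not Den API code. All names are hypothetical.
type Member = { id: string; orgId: string; email: string; userId: string | null; removedAt: Date | null };
type HookEvent = { organizationId: string; memberId: string; change: "added" };

class OrgStore {
  members: Member[] = [];
  hookEvents: HookEvent[] = [];

  // Active lookup: a soft-removed row (removedAt set) must never match.
  findActiveMember(orgId: string, userId: string): Member | null {
    return this.members.filter(m => m.orgId === orgId && m.userId === userId && m.removedAt === null)[0] || null;
  }
  // Creating the invitation placeholder grants nothing yet, so no hook fires.
  invite(orgId: string, email: string): Member {
    const placeholder: Member = { id: `m${this.members.length + 1}`, orgId, email, userId: null, removedAt: null };
    this.members.push(placeholder);
    return placeholder;
  }
  // Acceptance grants access: claim the placeholder (no second row) and emit the hook once.
  accept(orgId: string, email: string, userId: string): Member | null {
    const active = this.findActiveMember(orgId, userId);
    if (active) return active; // repeated accept: no duplicate row, no second hook
    const placeholder = this.members.filter(
      m => m.orgId === orgId && m.email === email && m.userId === null && m.removedAt === null)[0] || null;
    if (!placeholder) return null; // no pending invitation, nothing to claim
    placeholder.userId = userId;
    this.hookEvents.push({ organizationId: orgId, memberId: placeholder.id, change: "added" });
    return placeholder;
  }
  // Soft removal keeps the row; the active-member guard makes repeats a no-op.
  remove(orgId: string, userId: string): boolean {
    const member = this.findActiveMember(orgId, userId);
    if (!member) return false;
    member.removedAt = new Date();
    return true;
  }
}

// Constructed walk-through: invite, accept twice, remove twice, then retry the old invite.
function runLifecycle() {
  const store = new OrgStore();
  store.invite("org1", "a@example.test");
  const hooksAfterInvite = store.hookEvents.length;
  const first = store.accept("org1", "a@example.test", "u1");
  const second = store.accept("org1", "a@example.test", "u1");
  const removed = [store.remove("org1", "u1"), store.remove("org1", "u1")];
  const reaccept = store.accept("org1", "a@example.test", "u1"); // stale row must not be reclaimed
  return { hooksAfterInvite, sameMember: first !== null && first === second, hooks: store.hookEvents.length,
    rows: store.members.length, removed, active: store.findActiveMember("org1", "u1"), reaccept };
}
```
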
@pascalandr (Contributor, Author) commented

Superseded by the clean replacement PR #2174.

@pascalandr pascalandr closed this Jun 11, 2026
Development

Successfully merging this pull request may close these issues.

[Question] Is it possible to use the program in an air-gapped network?
