
BE-572: User email management improvements#8735

Merged
CiaranMn merged 8 commits into main from cm/user-email-controls on May 20, 2026

@CiaranMn
Member

🌟 What is the purpose of this PR?

Security hardening:

  1. Disable Kratos self-service profile updates (stop users updating their own traits, which should be managed via our API)
  2. Check for email verification status when taking actions that should require it (e.g. to do with org invites)

Plus cleaning up some function arguments that weren't being used.

Pre-Merge Checklist 🚀

🚢 Has this modified a publishable library?

This PR:

  • does not modify any publishable blocks or libraries, or modifications do not need publishing

📜 Does this require a change to the docs?

The changes in this PR:

  • are internal and do not require a docs change

🕸️ Does this require a change to the Turbo Graph?

The changes in this PR:

  • do not affect the execution graph

🛡 What tests cover this?

  • Existing tests to do with signing up / in.
  • Additional test added to check users cannot update traits via Kratos self-service.

cursor Bot commented May 20, 2026

PR Summary

Medium Risk
Tightens signup and org-invitation authorization around verified emails and changes userHasAccessToHash to return structured results; mistakes could block legitimate users from completing signup or accepting/declining invites.

Overview
Hardens identity/email security around Kratos and org invites. Kratos self-service profile settings are disabled so users can’t mutate identity traits (emails) outside HASH-controlled flows, and a new integration test asserts attempts to update profile traits are rejected.

Email verification is now treated as an explicit authorization signal: org invitation accept/decline checks match against getUserVerifiedEmails() (Kratos verifiable_addresses) rather than user.emails, and incomplete-user signup completion now enforces verification of the specific allow-listed email(s) when access is granted via USER_EMAIL_ALLOW_LIST.

Separately, userHasAccessToHash now returns { allowed, onlyForEmails } and getUser lookup is narrowed to stable identifiers (removing email-only lookup), with inviteUserToOrg using a new checkEmailVerificationAndUsageStatus() Kratos lookup + email normalization.

Reviewed by Cursor Bugbot for commit 03ad748. Bugbot is set up for automated code reviews on this repo. Configure here.
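
The verified-email check described in the summaries above, sketched as an added example; it is not code from this PR or the HASH repository. The function and type names are hypothetical, the identity shape models only the Kratos `traits` and `verifiable_addresses` fields used here, and the trim-plus-lowercase normalization and the "at least one allow-listed address verified" rule are assumptions.

```typescript
// Added illustration, not code from the HASH repository. Type and function
// names are hypothetical; only the Kratos identity fields used are modelled.
type VerifiableAddress = { value: string; verified: boolean; via: string };
type KratosIdentity = {
  traits: { emails: string[] };
  verifiable_addresses?: VerifiableAddress[];
};
type AccessResult = { allowed: boolean; onlyForEmails?: string[] };

// Assumption: normalization means trim + lowercase.
const normalizeEmail = (email: string): string => email.trim().toLowerCase();

// Only addresses Kratos has marked verified count as an authorization signal.
function verifiedEmails(identity: KratosIdentity): string[] {
  return (identity.verifiable_addresses || [])
    .filter((address) => address.via === "email" && address.verified)
    .map((address) => normalizeEmail(address.value));
}

// Weak form: trusts any address listed in traits, verified or not.
function inviteMatchesTraits(identity: KratosIdentity, invited: string): boolean {
  return identity.traits.emails.map(normalizeEmail).indexOf(normalizeEmail(invited)) !== -1;
}

// Hardened form: the invited address must be one the user has verified.
function inviteMatchesVerified(identity: KratosIdentity, invited: string): boolean {
  return verifiedEmails(identity).indexOf(normalizeEmail(invited)) !== -1;
}

// Assumption: when access came from an allow-list, at least one of the
// allow-listed addresses must be verified before signup can complete.
function canCompleteSignup(access: AccessResult, identity: KratosIdentity): boolean {
  if (!access.allowed) return false;
  if (!access.onlyForEmails) return true;
  const verified = verifiedEmails(identity);
  return access.onlyForEmails.some((email) => verified.indexOf(normalizeEmail(email)) !== -1);
}

// Constructed sample: one verified address, one claimed but unverified.
const sampleIdentity: KratosIdentity = {
  traits: { emails: ["alice@example.com", "ceo@example.org"] },
  verifiable_addresses: [
    { value: "alice@example.com", verified: true, via: "email" },
    { value: "ceo@example.org", verified: false, via: "email" },
  ],
};
```

With the constructed identity, an invitation sent to the unverified `ceo@example.org` passes the traits-based check and fails the verified-address check.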

augmentcode Bot commented May 20, 2026

🤖 Augment PR Summary

Summary: This PR hardens user email management by tightening how email verification is used for authorization-sensitive flows and by preventing direct mutation of Kratos identity traits.

Changes:

  • Disabled Kratos self-service profile settings flow to stop users updating identity traits directly.
  • Added helpers to derive verified email addresses from Kratos identities and reused them across the API.
  • Updated org invitation accept/decline flows to require that invitations-by-email match a user’s verified email addresses.
  • Updated org invite creation to check whether a target email is in use and verified before resolving an existing user.
  • Refactored getUser to accept stable identifiers only (entityId/shortname/kratosIdentityId) and always source emails from Kratos.
  • Adjusted userHasAccessToHash to return structured results and to surface allow-list email matches for later verification checks.
  • Added an integration test ensuring Kratos profile trait updates via settings flows are rejected.

Technical Notes: Email verification is now treated as an authorization signal for certain actions (e.g., org invite flows), and email trait reads are centralized around Kratos verifiable addresses.

@augmentcode augmentcode Bot left a comment

Review completed. 3 suggestions posted.

Comment thread apps/hash-api/src/auth/create-auth-handlers.ts Outdated
Comment thread apps/hash-api/src/graph/knowledge/system-types/user.ts
Comment thread apps/hash-api/src/graphql/resolvers/knowledge/org/invite-user-to-org.ts Outdated

codecov Bot commented May 20, 2026

Codecov Report

❌ Patch coverage is 0% with 49 lines in your changes missing coverage. Please review.
✅ Project coverage is 62.71%. Comparing base (56860d0) to head (5f099ca).
⚠️ Report is 10 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| .../hash-api/src/graph/knowledge/system-types/user.ts | 0.00% | 13 Missing ⚠️ |
| ...y-hooks/user-before-update-entity-hook-callback.ts | 0.00% | 8 Missing ⚠️ |
| ...phql/resolvers/knowledge/org/invite-user-to-org.ts | 0.00% | 8 Missing ⚠️ |
| ...pps/hash-api/src/shared/user-has-access-to-hash.ts | 0.00% | 8 Missing ⚠️ |
| apps/hash-api/src/auth/ory-kratos.ts | 0.00% | 6 Missing ⚠️ |
| ...l/resolvers/knowledge/org/accept-org-invitation.ts | 0.00% | 2 Missing ⚠️ |
| .../resolvers/knowledge/org/decline-org-invitation.ts | 0.00% | 2 Missing ⚠️ |
| ...hql/resolvers/knowledge/user/has-access-to-hash.ts | 0.00% | 2 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8735      +/-   ##
==========================================
- Coverage   62.72%   62.71%   -0.02%     
==========================================
  Files        1363     1363              
  Lines      139062   139087      +25     
  Branches     5818     5825       +7     
==========================================
  Hits        87225    87225              
- Misses      50921    50946      +25     
  Partials      916      916              
Flag Coverage Δ
apps.hash-api 0.00% <0.00%> (ø)

TimDiekmann previously approved these changes May 20, 2026
@github-actions github-actions Bot added the area/infra Relates to version control, CI, CD or IaC (area) label May 20, 2026
@CiaranMn CiaranMn force-pushed the cm/user-email-controls branch from 20550c5 to 8974830 Compare May 20, 2026 16:29
@github-actions github-actions Bot removed the area/infra Relates to version control, CI, CD or IaC (area) label May 20, 2026
@CiaranMn CiaranMn requested a review from TimDiekmann May 20, 2026 16:30
@CiaranMn CiaranMn enabled auto-merge May 20, 2026 16:30

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 8974830. Configure here.

Comment thread apps/hash-api/src/graph/knowledge/system-types/user.ts
TimDiekmann previously approved these changes May 20, 2026
TimDiekmann previously approved these changes May 20, 2026
@github-actions github-actions Bot dismissed stale reviews from TimDiekmann and TimDiekmann May 20, 2026 16:42
@CiaranMn CiaranMn requested a review from vilkinsons May 20, 2026 16:57
@CiaranMn CiaranMn added this pull request to the merge queue May 20, 2026
Merged via the queue into main with commit 2777c6f May 20, 2026
47 checks passed
@CiaranMn CiaranMn deleted the cm/user-email-controls branch May 20, 2026 18:36

Labels

  • area/apps > hash*: Affects HASH (a `hash-*` app)
  • area/apps > hash-api: Affects the HASH API (app)
  • area/apps
  • area/tests > integration: New or updated integration tests
  • area/tests: New or updated tests
  • type/eng > backend: Owned by the @backend team

2 participants