03d420c984
All checks were successful
Build pitch-deck / build-push-deploy (push) Successful in 1m5s
CI / go-lint (push) Has been skipped
CI / python-lint (push) Has been skipped
CI / nodejs-lint (push) Has been skipped
CI / test-go-consent (push) Successful in 31s
CI / test-python-voice (push) Successful in 31s
CI / test-bqas (push) Successful in 31s
Investors who lost their session or whose invite token was already used can now enter their email on /auth to receive a fresh access link, without needing a manual re-invite from an admin. - New /api/auth/request-link endpoint looks up the investor by email, issues a new pitch_magic_links row, and emails the link via the existing sendMagicLinkEmail path. Response is generic regardless of whether the email exists (enumeration resistance) and silently no-ops for revoked investors. - Rate-limited both per-IP (authVerify preset) and per-email (magicLink preset, 3/hour — same ceiling as admin-invite/resend). - /auth page now renders an email form; submits to the new endpoint and shows a generic "if invited, link sent" confirmation. - Route-level tests cover validation, normalization, unknown email, revoked investor, and both rate-limit paths. - End-to-end regression test wires request-link + verify against an in-memory fake DB and asserts the full flow: original invite used → replay rejected → email submission → fresh link → verify succeeds. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>