feat: self-service sign-up with email verification and onboarding

Complete sign-up pipeline: email registration via Logto Experience API,
SMTP email verification, and self-service trial tenant creation.

Layer 1 — Logto config:
- Bootstrap Phase 8b: SMTP email connector with branded HTML templates
- Bootstrap Phase 8c: enable SignInAndRegister (email+password sign-up)
- Dockerfile installs official Logto connectors (ensures SMTP available)
- SMTP env vars in docker-compose, installer templates, .env.example

Layer 2 — Experience API (ui/sign-in/experience-api.ts):
- Registration flow: initRegistration → sendVerificationCode → verifyCode
  → addProfile (password) → identifyUser → submit
- Sign-in auto-detects email vs username identifier

Layer 3 — Custom sign-in UI (ui/sign-in/SignInPage.tsx):
- Three-mode state machine: signIn / register / verifyCode
- Reads first_screen=register from URL query params
- Toggle links between sign-in and register views

Layer 4 — Post-registration onboarding:
- OnboardingService: reuses VendorTenantService.createAndProvision(),
  adds calling user to Logto org as owner, enforces one trial per user
- OnboardingController: POST /api/onboarding/tenant (authenticated only)
- OnboardingPage.tsx: org name + auto-slug form
- LandingRedirect: detects zero orgs → redirects to /onboarding
- RegisterPage.tsx: /platform/register initiates OIDC with firstScreen

Installers (install.sh + install.ps1):
- Both prompt for SMTP config in SaaS mode
- CLI args, env var capture, cameleer.conf persistence

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

installer/CLAUDE.md

@@ -23,10 +23,19 @@ The installer uses static docker-compose templates in `installer/templates/`. Te
 - `docker-compose.tls.yml` — overlay: custom TLS cert volume
 - `docker-compose.monitoring.yml` — overlay: external monitoring network
 
+## SMTP configuration
+
+Both installers (`install.sh` and `install.ps1`) prompt for SMTP settings in SaaS mode when the user opts in ("Configure SMTP for email verification?"). SMTP is required for self-service sign-up — without it, only admin-created users can sign in.
+
+Env vars: `SMTP_HOST`, `SMTP_PORT` (default 587), `SMTP_USER`, `SMTP_PASS`, `SMTP_FROM_EMAIL` (default `noreply@<PUBLIC_HOST>`). Passed to the `cameleer-logto` container. The bootstrap script (Phase 8b) discovers the SMTP connector factory and creates the connector with Cameleer-branded email templates.
+
+CLI args: `--smtp-host`, `--smtp-port`, `--smtp-user`, `--smtp-pass`, `--smtp-from-email` (bash) / `-SmtpHost`, `-SmtpPort`, `-SmtpUser`, `-SmtpPass`, `-SmtpFromEmail` (PS1). Persisted in `cameleer.conf` for upgrades/reconfigure.
+
 ## Env var naming convention
 
 - `CAMELEER_AGENT_*` — agent config (consumed by the Java agent)
 - `CAMELEER_SERVER_*` — server config (consumed by cameleer-server)
 - `CAMELEER_SAAS_*` — SaaS management plane config
 - `CAMELEER_SAAS_PROVISIONING_*` — "SaaS forwards this to provisioned tenant servers"
+- `SMTP_*` — email delivery config for Logto (consumed by bootstrap, SaaS mode only)
 - No prefix (e.g. `POSTGRES_PASSWORD`, `PUBLIC_HOST`) — shared infrastructure, consumed by multiple components

installer/install.ps1

@@ -37,6 +37,11 @@ param(
     [string]$DockerSocket,
     [string]$NodeTlsReject,
     [string]$DeploymentMode,
+    [string]$SmtpHost,
+    [string]$SmtpPort,
+    [string]$SmtpUser,
+    [string]$SmtpPass,
+    [string]$SmtpFromEmail,
     [switch]$Reconfigure,
     [switch]$Reinstall,
     [switch]$ConfirmDestroy,
@@ -84,6 +89,11 @@ $_ENV_COMPOSE_PROJECT       = $env:COMPOSE_PROJECT
 $_ENV_DOCKER_SOCKET         = $env:DOCKER_SOCKET
 $_ENV_NODE_TLS_REJECT       = $env:NODE_TLS_REJECT
 $_ENV_DEPLOYMENT_MODE       = $env:DEPLOYMENT_MODE
+$_ENV_SMTP_HOST             = $env:SMTP_HOST
+$_ENV_SMTP_PORT             = $env:SMTP_PORT
+$_ENV_SMTP_USER             = $env:SMTP_USER
+$_ENV_SMTP_PASS             = $env:SMTP_PASS
+$_ENV_SMTP_FROM_EMAIL       = $env:SMTP_FROM_EMAIL
 
 # --- Mutable config state ---
 
@@ -110,6 +120,11 @@ $script:cfg = @{
     DockerSocket        = $DockerSocket
     NodeTlsReject       = $NodeTlsReject
     DeploymentMode      = $DeploymentMode
+    SmtpHost            = $SmtpHost
+    SmtpPort            = $SmtpPort
+    SmtpUser            = $SmtpUser
+    SmtpPass            = $SmtpPass
+    SmtpFromEmail       = $SmtpFromEmail
 }
 
 if ($Silent)      { $script:Mode = 'silent' }
@@ -260,6 +275,11 @@ function Load-ConfigFile {
                 'docker_socket'         { if (-not $script:cfg.DockerSocket)         { $script:cfg.DockerSocket         = $val } }
                 'node_tls_reject'       { if (-not $script:cfg.NodeTlsReject)        { $script:cfg.NodeTlsReject        = $val } }
                 'deployment_mode'       { if (-not $script:cfg.DeploymentMode)       { $script:cfg.DeploymentMode       = $val } }
+                'smtp_host'             { if (-not $script:cfg.SmtpHost)             { $script:cfg.SmtpHost             = $val } }
+                'smtp_port'             { if (-not $script:cfg.SmtpPort)             { $script:cfg.SmtpPort             = $val } }
+                'smtp_user'             { if (-not $script:cfg.SmtpUser)             { $script:cfg.SmtpUser             = $val } }
+                'smtp_pass'             { if (-not $script:cfg.SmtpPass)             { $script:cfg.SmtpPass             = $val } }
+                'smtp_from_email'       { if (-not $script:cfg.SmtpFromEmail)        { $script:cfg.SmtpFromEmail        = $val } }
             }
         }
     }
@@ -289,6 +309,11 @@ function Load-EnvOverrides {
     if (-not $c.DockerSocket)        { $c.DockerSocket        = $_ENV_DOCKER_SOCKET }
     if (-not $c.NodeTlsReject)       { $c.NodeTlsReject       = $_ENV_NODE_TLS_REJECT }
     if (-not $c.DeploymentMode)      { $c.DeploymentMode      = $_ENV_DEPLOYMENT_MODE }
+    if (-not $c.SmtpHost)            { $c.SmtpHost            = $_ENV_SMTP_HOST }
+    if (-not $c.SmtpPort)            { $c.SmtpPort            = $_ENV_SMTP_PORT }
+    if (-not $c.SmtpUser)            { $c.SmtpUser            = $_ENV_SMTP_USER }
+    if (-not $c.SmtpPass)            { $c.SmtpPass            = $_ENV_SMTP_PASS }
+    if (-not $c.SmtpFromEmail)       { $c.SmtpFromEmail       = $_ENV_SMTP_FROM_EMAIL }
 }
  
 # --- Prerequisites ---
@@ -447,6 +472,18 @@ function Run-SimplePrompts {
     Write-Host ''
     $deployChoice = Read-Host '  Select mode [1]'
     if ($deployChoice -eq '2') { $c.DeploymentMode = 'standalone' } else { $c.DeploymentMode = 'saas' }
+
+    # SMTP for email verification (SaaS mode only)
+    if ($c.DeploymentMode -eq 'saas') {
+        Write-Host ''
+        if (Prompt-YesNo 'Configure SMTP for email verification? (required for self-service sign-up)') {
+            $c.SmtpHost      = Prompt-Value 'SMTP host' (Coalesce $c.SmtpHost '')
+            $c.SmtpPort      = Prompt-Value 'SMTP port' (Coalesce $c.SmtpPort '587')
+            $c.SmtpUser      = Prompt-Value 'SMTP username' (Coalesce $c.SmtpUser '')
+            $c.SmtpPass      = Prompt-Password 'SMTP password' (Coalesce $c.SmtpPass '')
+            $c.SmtpFromEmail = Prompt-Value 'From email address' (Coalesce $c.SmtpFromEmail "noreply@$($c.PublicHost)")
+        }
+    }
 }
  
 function Run-ExpertPrompts {
@@ -688,6 +725,13 @@ CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=${REGISTRY}/cameleer-runtime-base:$(
 
 # JWT signing secret (forwarded to provisioned tenant servers, must be non-empty)
 CAMELEER_SERVER_SECURITY_JWTSECRET=$jwtSecret
+
+# SMTP (for email verification during registration)
+SMTP_HOST=$($c.SmtpHost)
+SMTP_PORT=$(if ($c.SmtpPort) { $c.SmtpPort } else { '587' })
+SMTP_USER=$($c.SmtpUser)
+SMTP_PASS=$($c.SmtpPass)
+SMTP_FROM_EMAIL=$(if ($c.SmtpFromEmail) { $c.SmtpFromEmail } else { "noreply@$($c.PublicHost)" })
 "@
         $content += $provisioningBlock
         $composeFile = 'docker-compose.yml;docker-compose.saas.yml'
@@ -915,6 +959,11 @@ compose_project=$($c.ComposeProject)
 docker_socket=$($c.DockerSocket)
 node_tls_reject=$($c.NodeTlsReject)
 deployment_mode=$($c.DeploymentMode)
+smtp_host=$($c.SmtpHost)
+smtp_port=$($c.SmtpPort)
+smtp_user=$($c.SmtpUser)
+smtp_pass=$($c.SmtpPass)
+smtp_from_email=$($c.SmtpFromEmail)
 "@
     Write-Utf8File $f $txt
     Log-Info 'Saved installer config to cameleer.conf'

installer/install.sh

@@ -46,6 +46,11 @@ _ENV_COMPOSE_PROJECT="${COMPOSE_PROJECT:-}"
 _ENV_DOCKER_SOCKET="${DOCKER_SOCKET:-}"
 _ENV_NODE_TLS_REJECT="${NODE_TLS_REJECT:-}"
 _ENV_DEPLOYMENT_MODE="${DEPLOYMENT_MODE:-}"
+_ENV_SMTP_HOST="${SMTP_HOST:-}"
+_ENV_SMTP_PORT="${SMTP_PORT:-}"
+_ENV_SMTP_USER="${SMTP_USER:-}"
+_ENV_SMTP_PASS="${SMTP_PASS:-}"
+_ENV_SMTP_FROM_EMAIL="${SMTP_FROM_EMAIL:-}"
 
 INSTALL_DIR=""
 PUBLIC_HOST=""
@@ -69,6 +74,11 @@ COMPOSE_PROJECT=""
 DOCKER_SOCKET=""
 NODE_TLS_REJECT=""
 DEPLOYMENT_MODE=""
+SMTP_HOST=""
+SMTP_PORT=""
+SMTP_USER=""
+SMTP_PASS=""
+SMTP_FROM_EMAIL=""
 
 # --- State ---
 MODE=""  # simple, expert, silent
@@ -170,6 +180,11 @@ parse_args() {
       --docker-socket)    DOCKER_SOCKET="$2"; shift ;;
       --node-tls-reject)  NODE_TLS_REJECT="$2"; shift ;;
       --deployment-mode)  DEPLOYMENT_MODE="$2"; shift ;;
+      --smtp-host)         SMTP_HOST="$2"; shift ;;
+      --smtp-port)         SMTP_PORT="$2"; shift ;;
+      --smtp-user)         SMTP_USER="$2"; shift ;;
+      --smtp-pass)         SMTP_PASS="$2"; shift ;;
+      --smtp-from-email)   SMTP_FROM_EMAIL="$2"; shift ;;
       --server-admin-user)     ADMIN_USER="$2"; shift ;;
       --server-admin-password) ADMIN_PASS="$2"; shift ;;
       --reconfigure)      RERUN_ACTION="reconfigure" ;;
@@ -255,6 +270,11 @@ load_config_file() {
       docker_socket)        [ -z "$DOCKER_SOCKET" ] && DOCKER_SOCKET="$value" ;;
       node_tls_reject)      [ -z "$NODE_TLS_REJECT" ] && NODE_TLS_REJECT="$value" ;;
       deployment_mode)      [ -z "$DEPLOYMENT_MODE" ] && DEPLOYMENT_MODE="$value" ;;
+      smtp_host)            [ -z "$SMTP_HOST" ] && SMTP_HOST="$value" ;;
+      smtp_port)            [ -z "$SMTP_PORT" ] && SMTP_PORT="$value" ;;
+      smtp_user)            [ -z "$SMTP_USER" ] && SMTP_USER="$value" ;;
+      smtp_pass)            [ -z "$SMTP_PASS" ] && SMTP_PASS="$value" ;;
+      smtp_from_email)      [ -z "$SMTP_FROM_EMAIL" ] && SMTP_FROM_EMAIL="$value" ;;
     esac
   done < "$file"
 }
@@ -282,6 +302,11 @@ load_env_overrides() {
   [ -z "$DOCKER_SOCKET" ] && DOCKER_SOCKET="$_ENV_DOCKER_SOCKET"
   [ -z "$NODE_TLS_REJECT" ] && NODE_TLS_REJECT="$_ENV_NODE_TLS_REJECT"
   [ -z "$DEPLOYMENT_MODE" ] && DEPLOYMENT_MODE="$_ENV_DEPLOYMENT_MODE"
+  [ -z "$SMTP_HOST" ] && SMTP_HOST="$_ENV_SMTP_HOST"
+  [ -z "$SMTP_PORT" ] && SMTP_PORT="$_ENV_SMTP_PORT"
+  [ -z "$SMTP_USER" ] && SMTP_USER="$_ENV_SMTP_USER"
+  [ -z "$SMTP_PASS" ] && SMTP_PASS="$_ENV_SMTP_PASS"
+  [ -z "$SMTP_FROM_EMAIL" ] && SMTP_FROM_EMAIL="$_ENV_SMTP_FROM_EMAIL"
 }
 
 # --- Prerequisites ---
@@ -434,6 +459,18 @@ run_simple_prompts() {
       DEPLOYMENT_MODE="saas"
       ;;
   esac
+
+  # SMTP for email verification (SaaS mode only)
+  if [ "$DEPLOYMENT_MODE" = "saas" ]; then
+    echo ""
+    if prompt_yesno "Configure SMTP for email verification? (required for self-service sign-up)"; then
+      prompt SMTP_HOST "SMTP host" "${SMTP_HOST:-}"
+      prompt SMTP_PORT "SMTP port" "${SMTP_PORT:-587}"
+      prompt SMTP_USER "SMTP username" "${SMTP_USER:-}"
+      prompt_password SMTP_PASS "SMTP password" "${SMTP_PASS:-}"
+      prompt SMTP_FROM_EMAIL "From email address" "${SMTP_FROM_EMAIL:-noreply@${PUBLIC_HOST}}"
+    fi
+  fi
 }
 
 run_expert_prompts() {
@@ -696,6 +733,13 @@ CAMELEER_SAAS_PROVISIONING_RUNTIMEBASEIMAGE=${REGISTRY}/cameleer-runtime-base:${
 # JWT signing secret (forwarded to provisioned tenant servers, must be non-empty)
 CAMELEER_SERVER_SECURITY_JWTSECRET=$(generate_password)
 
+# SMTP (for email verification during registration)
+SMTP_HOST=${SMTP_HOST}
+SMTP_PORT=${SMTP_PORT:-587}
+SMTP_USER=${SMTP_USER}
+SMTP_PASS=${SMTP_PASS}
+SMTP_FROM_EMAIL=${SMTP_FROM_EMAIL:-noreply@${PUBLIC_HOST}}
+
 # Compose file assembly
 COMPOSE_FILE=docker-compose.yml:docker-compose.saas.yml$([ "$TLS_MODE" = "custom" ] && echo ":docker-compose.tls.yml")$([ -n "$MONITORING_NETWORK" ] && echo ":docker-compose.monitoring.yml")
 EOF
@@ -867,6 +911,11 @@ compose_project=${COMPOSE_PROJECT}
 docker_socket=${DOCKER_SOCKET}
 node_tls_reject=${NODE_TLS_REJECT}
 deployment_mode=${DEPLOYMENT_MODE}
+smtp_host=${SMTP_HOST}
+smtp_port=${SMTP_PORT}
+smtp_user=${SMTP_USER}
+smtp_pass=${SMTP_PASS}
+smtp_from_email=${SMTP_FROM_EMAIL}
 EOF
   log_info "Saved installer config to cameleer.conf"
 }

installer/templates/.env.example

@@ -60,6 +60,16 @@ SAAS_ADMIN_PASS=CHANGE_ME
 # SERVER_ADMIN_PASS=CHANGE_ME
 # BOOTSTRAP_TOKEN=CHANGE_ME
 
+# ============================================================
+# SMTP (for email verification during registration)
+# ============================================================
+# Required for self-service sign-up. Without SMTP, only admin-created users can sign in.
+SMTP_HOST=
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASS=
+SMTP_FROM_EMAIL=noreply@cameleer.io
+
 # ============================================================
 # TLS
 # ============================================================

installer/templates/docker-compose.saas.yml

@@ -26,6 +26,12 @@ services:
       PG_DB_SAAS: cameleer_saas
       SAAS_ADMIN_USER: ${SAAS_ADMIN_USER:-admin}
       SAAS_ADMIN_PASS: ${SAAS_ADMIN_PASS:?SAAS_ADMIN_PASS must be set in .env}
+      # SMTP (for email verification during registration)
+      SMTP_HOST: ${SMTP_HOST:-}
+      SMTP_PORT: ${SMTP_PORT:-587}
+      SMTP_USER: ${SMTP_USER:-}
+      SMTP_PASS: ${SMTP_PASS:-}
+      SMTP_FROM_EMAIL: ${SMTP_FROM_EMAIL:-noreply@cameleer.io}
     healthcheck:
       test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\" && test -f /data/logto-bootstrap.json"]
       interval: 10s