H-2421: Require email verification for users; add TOTP MFA

[CiaranMn]

🌟 What is the purpose of this PR?

1. Require email verification for accounts
2. Add optional MFA via timed one-time passwords

Pre-Merge Checklist 🚀

🚢 Has this modified a publishable library?

This PR:

• does not modify any publishable blocks or libraries, or modifications do not need publishing

📜 Does this require a change to the docs?

The changes in this PR:

• are internal and do not require a docs change

🕸️ Does this require a change to the Turbo Graph?

The changes in this PR:

• do not affect the execution graph

⚠️ Known issues

🛡 What tests cover this?

• Some new ones added in this PR.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

5 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
hash	Ignored	Preview	Feb 13, 2026 4:36pm
hash (staging)	Ignored	Preview	Feb 13, 2026 4:36pm
hashdotdesign	Ignored	Preview	Feb 13, 2026 4:36pm
hashdotdesign-tokens	Ignored	Preview	Feb 13, 2026 4:36pm
petrinaut	Skipped		Feb 13, 2026 4:36pm

[codecov]

Codecov Report

❌ Patch coverage is 0% with 105 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.94%. Comparing base (c8e4ac9) to head (4c6c4ee).
⚠️ Report is 8 commits behind head on main.

Files with missing lines	Patch %	Lines
...pi/src/auth/create-unverified-email-cleanup-job.ts	0.00%	74 Missing ⚠️
apps/hash-api/src/auth/ory-kratos.ts	0.00%	15 Missing ⚠️
apps/hash-api/src/auth/create-auth-handlers.ts	0.00%	10 Missing ⚠️
...y-hooks/user-before-update-entity-hook-callback.ts	0.00%	2 Missing ⚠️
...pps/hash-api/src/shared/user-has-access-to-hash.ts	0.00%	2 Missing ⚠️
...hql/resolvers/knowledge/user/has-access-to-hash.ts	0.00%	1 Missing ⚠️
apps/hash-api/src/seed-data/seed-users.ts	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8407      +/-   ##
==========================================
- Coverage   61.05%   60.94%   -0.11%     
==========================================
  Files        1247     1249       +2     
  Lines      121606   121836     +230     
  Branches     5267     5320      +53     
==========================================
+ Hits        74245    74252       +7     
- Misses      46489    46712     +223     
  Partials      872      872              

Flag	Coverage Δ
rust.hashql-core	81.75% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[codspeed-hq]

Merging this PR will not alter performance

✅ 21 untouched benchmarks
🗄️ 12 archived benchmarks run¹

---

_{Comparing cm/add-email-verification (4c6c4ee) with main (c8e4ac9)²}

Footnotes

1. 12 benchmarks were run, but are now archived. If they were deleted in another branch, consider rebasing to remove them from the report. Instead if they were added back, click here to restore them. ↩

2. No successful run was found on main (c5edd55) during the generation of this report, so c8e4ac9 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩

[github-actions]

Benchmark results

@rust/hash-graph-benches – Integrations

policy_resolution_large

Function	Value	Mean	Flame graphs
resolve_policies_for_actor	user: empty, selectivity: high, policies: 2002	$$28.8 \mathrm{ms} \pm 154 \mathrm{μs}\left({\color{gray}0.345 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: low, policies: 1	$$3.53 \mathrm{ms} \pm 16.5 \mathrm{μs}\left({\color{gray}-2.961 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: medium, policies: 1001	$$14.2 \mathrm{ms} \pm 84.6 \mathrm{μs}\left({\color{red}9.37 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: high, policies: 3314	$$44.1 \mathrm{ms} \pm 289 \mathrm{μs}\left({\color{gray}-2.884 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: low, policies: 1	$$15.1 \mathrm{ms} \pm 103 \mathrm{μs}\left({\color{gray}-1.148 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: medium, policies: 1526	$$24.8 \mathrm{ms} \pm 190 \mathrm{μs}\left({\color{gray}-3.000 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: high, policies: 2078	$$29.7 \mathrm{ms} \pm 223 \mathrm{μs}\left({\color{gray}0.635 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: low, policies: 1	$$3.88 \mathrm{ms} \pm 20.5 \mathrm{μs}\left({\color{gray}-1.582 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: medium, policies: 1033	$$14.3 \mathrm{ms} \pm 107 \mathrm{μs}\left({\color{gray}0.585 \mathrm{\%}}\right) $$	Flame Graph

policy_resolution_medium

Function	Value	Mean	Flame graphs
resolve_policies_for_actor	user: empty, selectivity: high, policies: 102	$$3.96 \mathrm{ms} \pm 23.7 \mathrm{μs}\left({\color{gray}0.106 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: low, policies: 1	$$3.12 \mathrm{ms} \pm 16.6 \mathrm{μs}\left({\color{gray}0.110 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: medium, policies: 51	$$3.48 \mathrm{ms} \pm 17.2 \mathrm{μs}\left({\color{gray}-0.428 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: high, policies: 269	$$5.36 \mathrm{ms} \pm 36.8 \mathrm{μs}\left({\color{gray}-1.868 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: low, policies: 1	$$3.73 \mathrm{ms} \pm 25.3 \mathrm{μs}\left({\color{gray}0.191 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: medium, policies: 107	$$4.33 \mathrm{ms} \pm 35.7 \mathrm{μs}\left({\color{gray}-0.676 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: high, policies: 133	$$4.58 \mathrm{ms} \pm 19.5 \mathrm{μs}\left({\color{gray}-3.095 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: low, policies: 1	$$3.59 \mathrm{ms} \pm 22.4 \mathrm{μs}\left({\color{gray}0.406 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: medium, policies: 63	$$4.27 \mathrm{ms} \pm 35.9 \mathrm{μs}\left({\color{gray}1.09 \mathrm{\%}}\right) $$	Flame Graph

policy_resolution_none

Function	Value	Mean	Flame graphs
resolve_policies_for_actor	user: empty, selectivity: high, policies: 2	$$2.81 \mathrm{ms} \pm 15.3 \mathrm{μs}\left({\color{gray}-2.186 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: low, policies: 1	$$2.76 \mathrm{ms} \pm 13.1 \mathrm{μs}\left({\color{gray}-0.722 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: medium, policies: 1	$$2.91 \mathrm{ms} \pm 13.7 \mathrm{μs}\left({\color{gray}-1.045 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: high, policies: 8	$$3.19 \mathrm{ms} \pm 21.6 \mathrm{μs}\left({\color{gray}1.14 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: low, policies: 1	$$2.96 \mathrm{ms} \pm 13.8 \mathrm{μs}\left({\color{gray}-1.525 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: medium, policies: 3	$$3.31 \mathrm{ms} \pm 19.1 \mathrm{μs}\left({\color{gray}0.103 \mathrm{\%}}\right) $$	Flame Graph

policy_resolution_small

Function	Value	Mean	Flame graphs
resolve_policies_for_actor	user: empty, selectivity: high, policies: 52	$$3.23 \mathrm{ms} \pm 16.7 \mathrm{μs}\left({\color{gray}-0.134 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: low, policies: 1	$$2.91 \mathrm{ms} \pm 13.3 \mathrm{μs}\left({\color{gray}-1.385 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: empty, selectivity: medium, policies: 25	$$3.06 \mathrm{ms} \pm 14.1 \mathrm{μs}\left({\color{gray}-3.239 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: high, policies: 94	$$3.67 \mathrm{ms} \pm 20.8 \mathrm{μs}\left({\color{gray}0.494 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: low, policies: 1	$$3.23 \mathrm{ms} \pm 20.6 \mathrm{μs}\left({\color{gray}-3.284 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: seeded, selectivity: medium, policies: 26	$$3.44 \mathrm{ms} \pm 21.5 \mathrm{μs}\left({\color{gray}-0.336 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: high, policies: 66	$$3.57 \mathrm{ms} \pm 18.1 \mathrm{μs}\left({\color{gray}0.139 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: low, policies: 1	$$3.17 \mathrm{ms} \pm 16.1 \mathrm{μs}\left({\color{gray}-0.743 \mathrm{\%}}\right) $$	Flame Graph
resolve_policies_for_actor	user: system, selectivity: medium, policies: 29	$$3.44 \mathrm{ms} \pm 17.8 \mathrm{μs}\left({\color{gray}-0.984 \mathrm{\%}}\right) $$	Flame Graph

read_scaling_complete

Function	Value	Mean	Flame graphs
entity_by_id;one_depth	1 entities	$$41.4 \mathrm{ms} \pm 178 \mathrm{μs}\left({\color{lightgreen}-7.455 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;one_depth	10 entities	$$79.0 \mathrm{ms} \pm 545 \mathrm{μs}\left({\color{gray}-1.573 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;one_depth	25 entities	$$45.4 \mathrm{ms} \pm 223 \mathrm{μs}\left({\color{gray}-1.947 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;one_depth	5 entities	$$48.8 \mathrm{ms} \pm 303 \mathrm{μs}\left({\color{gray}-3.087 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;one_depth	50 entities	$$55.4 \mathrm{ms} \pm 265 \mathrm{μs}\left({\color{gray}-3.972 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	1 entities	$$43.4 \mathrm{ms} \pm 172 \mathrm{μs}\left({\color{gray}-1.620 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	10 entities	$$424 \mathrm{ms} \pm 975 \mathrm{μs}\left({\color{gray}1.66 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	25 entities	$$97.9 \mathrm{ms} \pm 501 \mathrm{μs}\left({\color{gray}-3.332 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	5 entities	$$89.5 \mathrm{ms} \pm 394 \mathrm{μs}\left({\color{gray}2.18 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;two_depth	50 entities	$$287 \mathrm{ms} \pm 794 \mathrm{μs}\left({\color{gray}-0.299 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	1 entities	$$15.5 \mathrm{ms} \pm 93.5 \mathrm{μs}\left({\color{gray}-4.443 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	10 entities	$$15.7 \mathrm{ms} \pm 82.3 \mathrm{μs}\left({\color{gray}-0.219 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	25 entities	$$16.1 \mathrm{ms} \pm 87.7 \mathrm{μs}\left({\color{gray}-0.180 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	5 entities	$$15.9 \mathrm{ms} \pm 75.1 \mathrm{μs}\left({\color{gray}-0.139 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id;zero_depth	50 entities	$$18.9 \mathrm{ms} \pm 115 \mathrm{μs}\left({\color{gray}-0.419 \mathrm{\%}}\right) $$	Flame Graph

read_scaling_linkless

Function	Value	Mean	Flame graphs
entity_by_id	1 entities	$$15.6 \mathrm{ms} \pm 75.4 \mathrm{μs}\left({\color{gray}-0.178 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	10 entities	$$15.6 \mathrm{ms} \pm 81.2 \mathrm{μs}\left({\color{gray}-1.120 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	100 entities	$$15.6 \mathrm{ms} \pm 82.8 \mathrm{μs}\left({\color{gray}-1.712 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	1000 entities	$$16.2 \mathrm{ms} \pm 86.1 \mathrm{μs}\left({\color{gray}-0.592 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	10000 entities	$$23.4 \mathrm{ms} \pm 152 \mathrm{μs}\left({\color{gray}-1.832 \mathrm{\%}}\right) $$	Flame Graph

representative_read_entity

Function	Value	Mean	Flame graphs
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/block/v/1	$$30.1 \mathrm{ms} \pm 240 \mathrm{μs}\left({\color{lightgreen}-6.208 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/book/v/1	$$30.6 \mathrm{ms} \pm 298 \mathrm{μs}\left({\color{lightgreen}-6.545 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/building/v/1	$$30.8 \mathrm{ms} \pm 263 \mathrm{μs}\left({\color{lightgreen}-5.077 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/organization/v/1	$$31.2 \mathrm{ms} \pm 301 \mathrm{μs}\left({\color{gray}-1.574 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/page/v/2	$$30.3 \mathrm{ms} \pm 248 \mathrm{μs}\left({\color{gray}-4.959 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/person/v/1	$$33.1 \mathrm{ms} \pm 346 \mathrm{μs}\left({\color{red}6.16 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/playlist/v/1	$$30.7 \mathrm{ms} \pm 361 \mathrm{μs}\left({\color{gray}-4.135 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/song/v/1	$$31.5 \mathrm{ms} \pm 305 \mathrm{μs}\left({\color{gray}-0.001 \mathrm{\%}}\right) $$	Flame Graph
entity_by_id	entity type ID: https://blockprotocol.org/@alice/types/entity-type/uk-address/v/1	$$31.6 \mathrm{ms} \pm 347 \mathrm{μs}\left({\color{gray}-2.405 \mathrm{\%}}\right) $$	Flame Graph

representative_read_entity_type

Function	Value	Mean	Flame graphs
get_entity_type_by_id	Account ID: bf5a9ef5-dc3b-43cf-a291-6210c0321eba	$$8.63 \mathrm{ms} \pm 42.1 \mathrm{μs}\left({\color{gray}-0.640 \mathrm{\%}}\right) $$	Flame Graph

representative_read_multiple_entities

Function	Value	Mean	Flame graphs
entity_by_property	traversal_paths=0	0	$$92.1 \mathrm{ms} \pm 535 \mathrm{μs}\left({\color{gray}-0.217 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=255	1,resolve_depths=inherit:1;values:255;properties:255;links:127;link_dests:126;type:true	$$142 \mathrm{ms} \pm 685 \mathrm{μs}\left({\color{gray}-3.299 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:0;links:0;link_dests:0;type:false	$$99.3 \mathrm{ms} \pm 626 \mathrm{μs}\left({\color{gray}1.60 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:0;links:1;link_dests:0;type:true	$$106 \mathrm{ms} \pm 655 \mathrm{μs}\left({\color{gray}0.114 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:2;links:1;link_dests:0;type:true	$$115 \mathrm{ms} \pm 669 \mathrm{μs}\left({\color{gray}-0.666 \mathrm{\%}}\right) $$
entity_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:2;properties:2;links:1;link_dests:0;type:true	$$123 \mathrm{ms} \pm 843 \mathrm{μs}\left({\color{gray}-1.686 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=0	0	$$89.6 \mathrm{ms} \pm 468 \mathrm{μs}\left({\color{gray}-2.050 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=255	1,resolve_depths=inherit:1;values:255;properties:255;links:127;link_dests:126;type:true	$$117 \mathrm{ms} \pm 592 \mathrm{μs}\left({\color{gray}-2.004 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:0;links:0;link_dests:0;type:false	$$96.3 \mathrm{ms} \pm 569 \mathrm{μs}\left({\color{gray}-2.740 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:0;links:1;link_dests:0;type:true	$$107 \mathrm{ms} \pm 636 \mathrm{μs}\left({\color{gray}1.19 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:0;properties:2;links:1;link_dests:0;type:true	$$108 \mathrm{ms} \pm 555 \mathrm{μs}\left({\color{gray}0.407 \mathrm{\%}}\right) $$
link_by_source_by_property	traversal_paths=2	1,resolve_depths=inherit:0;values:2;properties:2;links:1;link_dests:0;type:true	$$106 \mathrm{ms} \pm 522 \mathrm{μs}\left({\color{gray}-2.487 \mathrm{\%}}\right) $$

scenarios

Function	Value	Mean	Flame graphs
full_test	query-limited	$$127 \mathrm{ms} \pm 748 \mathrm{μs}\left({\color{gray}-3.354 \mathrm{\%}}\right) $$	Flame Graph
full_test	query-unlimited	$$130 \mathrm{ms} \pm 561 \mathrm{μs}\left({\color{gray}-1.845 \mathrm{\%}}\right) $$	Flame Graph
linked_queries	query-limited	$$125 \mathrm{ms} \pm 873 \mathrm{μs}\left({\color{red}16.9 \mathrm{\%}}\right) $$	Flame Graph
linked_queries	query-unlimited	$$578 \mathrm{ms} \pm 3.15 \mathrm{ms}\left({\color{lightgreen}-5.604 \mathrm{\%}}\right) $$	Flame Graph

[cursor]

PR Summary

High Risk
Touches core authentication/authorization flows (email verification gating, Kratos session/AAL handling, and resolver access controls), so regressions could block login/signup or loosen access if incorrect. Also introduces new background-deletion logic (currently disabled) and extensive Kratos config changes that could affect production auth behavior.

Overview
Email verification is now enforced as part of onboarding. Backend auth now surfaces primaryEmailVerified, blocks completing signup when the Kratos identity’s primary email isn’t verified, and updates several GraphQL resolvers to require loggedInAndSignedUp where appropriate.

Frontend routing and signup flow now gate on verification status. _app.page.tsx redirects unverified users to /verification, signup adds a new verify-email step (VerifyEmailStep) and verification page supports auto-verifying via code/flow URL params; multiple contexts/queries are skipped until signup is complete to avoid unauthorized entity access.

MFA groundwork is added. Kratos config enables totp + lookup_secret and requires highest AAL for whoami; frontend sign-in adds an AAL2 step for TOTP/backup codes and a new /settings/security page (TOTP UI currently feature-gated off), plus supporting email template updates and test infrastructure (mailslurper in test compose, Playwright helpers/specs). Also adds a (currently not started) cleanup job to archive/delete stale unverified accounts after a TTL and updates seed/test identity creation to optionally pre-verify emails.

^{Written by Cursor Bugbot for commit 4c6c4ee. This will update automatically on new commits. Configure here.}

[augmentcode]

🤖 Augment PR Summary

Summary: This PR introduces mandatory email verification for new accounts and lays the groundwork for TOTP-based MFA.

Changes:

• Backend: surfaces email verification status from Kratos and blocks completing account setup until the email is verified.
• Backend: adds utilities for marking/verifying Kratos identity emails (including test helpers).
• Frontend: adds an email verification step in the signup flow and updates routing/redirect logic to gate unverified users.
• Frontend: updates auth state tracking to handle “AAL2 required” sessions and to propagate verifiable address status into the user model.
• Frontend: introduces a new /settings/security page (password management + MFA UI scaffolding).
• Kratos config: enables code-based verification and configures sessions to require the highest available AAL; enables TOTP and backup codes.
• Infra/tests: adds MailSlurper to test docker-compose and adds Playwright helpers/tests for signup verification (MFA tests currently skipped).

Technical Notes: Verification emails now use custom templates that build a /verification?code=…&flow=… link; GraphQL resolver access is adjusted to distinguish logged-in vs signed-up users.

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 4 suggestions posted.

Comment augment review to trigger a new review at any time.

Your organization requires reapproval when changes are made, so Graphite has dismissed approvals. See the output of git range-diff at https://github.com/hashintel/hash/actions/runs/21994406314

Your organization requires reapproval when changes are made, so Graphite has dismissed approvals. See the output of git range-diff at https://github.com/hashintel/hash/actions/runs/21994652202

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

[cursor]

Exported function verifyAllKratosIdentityEmails is never used

Low Severity

verifyAllKratosIdentityEmails is exported but never imported or called anywhere in the codebase. A workspace-wide search only matches the definition itself. This is dead code that adds maintenance burden.