FE-799, H-6506, H-6511: Fix PDF preview, org invite auto-accept, updating org details

[CiaranMn]

🌟 What is the purpose of this PR?

Fix the following frontend bugs:

1. FE-799: PDF preview (an incompatible transitive dependency was being pulled in by another package)
2. H-6506: Org invitations automatically accepted after signup (query params weren't being preserved). Also better guards against invitation being accepted twice if acceptance request fired twice quickly.
3. H-6511: Fix updating org details. Hadn't been updated for websiteUrl to use the URI data type instead of Text

Pre-Merge Checklist 🚀

🚢 Has this modified a publishable library?

This PR:

• does not modify any publishable blocks or libraries, or modifications do not need publishing

📜 Does this require a change to the docs?

The changes in this PR:

• are internal and do not require a docs change

🕸️ Does this require a change to the Turbo Graph?

The changes in this PR:

• do not affect the execution graph

❓ How to test this?

1. Try creating an org, and updating its details from the org settings page
2. Invite another user and check they automatically join the org
3. Upload a PDF file and check preview works on the entity's page

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hash	Ready	Preview, Comment	Jun 29, 2026 9:51am

2 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
hashdotdesign-tokens	Ignored	Preview	Jun 29, 2026 9:51am
petrinaut	Skipped		Jun 29, 2026 9:51am

[cursor]

PR Summary

Medium Risk
Org membership and invitation acceptance logic changed on API and signup flows; mistakes could affect joins or double-accept races, though new guards reduce that risk.

Overview
Fixes three product bugs and tightens org-invite handling end-to-end.

PDF preview pins pdfjs-dist, loads the worker from that package via import.meta.url, and lazy-loads PdfPreview with SSR off so entity file previews use a compatible worker build.

Org invitations keep invitationId through signup/sign-in (return_to validation keeps query/hash; registration no longer strips invite params; completed users stay on /signup when the URL has an invite). Signup auto-accepts after account setup (and for users who already finished signup), with client/server deduping and a late membership check before joinOrg. Failures surface in an AlertModal.

Org settings writes websiteUrl with the URI data type instead of text.

Minor: entity page <title> is the label only (no | HASH suffix).

^{Reviewed by Cursor Bugbot for commit 4b433bc. Bugbot is set up for automated code reviews on this repo. Configure here.}

[semgrep-code-hashintel]

Semgrep found 1 react-nextjs-router-push finding:

• apps/hash-frontend/src/pages/signin.page.tsx
  • L256 - Triage

Untrusted input could be used to tamper with a web page rendering, which can lead to a Cross-site scripting (XSS) vulnerability. XSS vulnerabilities occur when untrusted input executes malicious JavaScript code, leading to issues such as account compromise and sensitive information leakage. To prevent this vulnerability, validate URLs and their protocol before using them in your codebase.

View Dataflow Graph

flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>apps/hash-frontend/src/pages/signin.page.tsx</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0["<a href=https://github.com/hashintel/hash/blob/8cb0293b16608b451d1c6348965ae7a74842160b/apps/hash-frontend/src/pages/signin.page.tsx#L114 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 114] router.query.return_to</a>"]
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2["<a href=https://github.com/hashintel/hash/blob/8cb0293b16608b451d1c6348965ae7a74842160b/apps/hash-frontend/src/pages/signin.page.tsx#L72 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 72] returnTo</a>"]
        end
        %% Sink

        subgraph Sink
            direction LR

            v1["<a href=https://github.com/hashintel/hash/blob/8cb0293b16608b451d1c6348965ae7a74842160b/apps/hash-frontend/src/pages/signin.page.tsx#L256 target=_blank style='text-decoration:none; color:#1c7fd6'>[Line: 256] returnTo ?? activeFlow.return_to ?? &quot;/&quot;</a>"]
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink

Loading

[codecov]

Codecov Report

❌ Patch coverage is 0% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.62%. Comparing base (fd129ea) to head (b53f900).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
...l/resolvers/knowledge/org/accept-org-invitation.ts	0.00%	14 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8909      +/-   ##
==========================================
+ Coverage   59.61%   59.62%   +0.01%     
==========================================
  Files        1348     1348              
  Lines      131877   131763     -114     
  Branches     5944     5942       -2     
==========================================
- Hits        78615    78562      -53     
+ Misses      52357    52297      -60     
+ Partials      905      904       -1     

Flag	Coverage Δ
apps.hash-api	0.00% <0.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR addresses several frontend signup/auth flow issues (preserving invitation-related query params and preventing duplicate org-invite acceptance), fixes PDF preview worker/dependency resolution, and corrects org websiteUrl updates to use the URI data type.

Changes:

• Pin pdfjs-dist and update PDF preview worker wiring; load the PDF preview client-side only.
• Preserve signup/signin query params relevant to invitation flows and add guards to prevent double invitation acceptance.
• Update org settings updates so websiteUrl is written with the URI data type.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
yarn.lock	Locks in pdfjs-dist@4.8.69 to stabilize PDF preview dependencies.
apps/hash-frontend/package.json	Adds explicit pdfjs-dist dependency for the frontend app.
apps/hash-frontend/src/pages/signup.page/signup-registration-form.tsx	Preserves relevant query params across registration flow navigation.
apps/hash-frontend/src/pages/signup.page.tsx	Adds client-side dedupe/guarding around org invitation acceptance during signup.
apps/hash-frontend/src/pages/signin.page.tsx	Preserves return_to query/hash and passes returnTo into Kratos login flow creation.
apps/hash-frontend/src/pages/shared/pdf-preview.tsx	Sets pdfjs worker source using pdfjs-dist worker URL.
apps/hash-frontend/src/pages/shared/entity/entity-editor/file-preview-section.tsx	Dynamically imports PdfPreview with ssr: false to avoid SSR issues.
apps/hash-frontend/src/pages/settings/organizations/[shortname]/general.page.tsx	Uses URI data type metadata when patching websiteUrl.
apps/hash-frontend/src/pages/@/[shortname]/entities/[entity-uuid].page.tsx	Adjusts entity page <NextSeo> title formatting.
apps/hash-frontend/src/pages/_app.page.tsx	Avoids redirecting authenticated users away from /signup when invitationId is present.
apps/hash-api/src/graphql/resolvers/knowledge/org/accept-org-invitation.ts	Adds backend in-flight dedupe and a second membership check to prevent duplicate acceptance.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 1 comment.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c302af0. Configure here.}

[Copilot]

Pull request overview

Copilot reviewed 10 out of 11 changed files in this pull request and generated 3 comments.