Various pre-launch fixes.

server/api/invite/verify.post.js

@@ -27,16 +27,13 @@ export default defineEventHandler(async (event) => {
     throw createError({ statusCode: 400, statusMessage: 'This invitation has already been accepted' })
   }
 
-  // Single-use enforcement
-  if (!decoded.jti || decoded.jti !== preReg.magicLinkJti || preReg.magicLinkJtiUsed) {
+  // Match the jti so that re-invite (which rotates the jti) kills old links.
+  // The burn happens in accept.post.js once a Member is created — keeps verify
+  // idempotent so the form survives a refresh.
+  if (!decoded.jti || decoded.jti !== preReg.magicLinkJti) {
     throw createError({ statusCode: 401, statusMessage: 'Invalid or expired invitation link' })
   }
 
-  // Burn the token
-  await PreRegistration.findByIdAndUpdate(preReg._id, {
-    $set: { magicLinkJtiUsed: true }
-  })
-
   return {
     preRegistrationId: preReg._id,
     name: preReg.name,