feat(events): guest accounts for public event registration

Non-members who register for an event now get a persistent identity:
with consent, a status:"guest" Member is upserted and an auth cookie is
set so the "You're Registered" state survives a page refresh.

Tiered auto-login matches passwordless-auth norms — auto-login is only
safe when the account holds no privileges:
- New email → create guest + cookie
- Returning guest → cookie
- Existing non-guest (active/pending/etc.) → attach ticket only, no
  cookie, confirmation email includes a sign-in link

Guests are gated on status === "guest", so admin/middleware code that
keys on status === "active" naturally excludes them. Guests are also
treated as non-members for ticket pricing/validation to prevent picking
up member-only pricing on their second registration.

server/utils/auth.js

@@ -2,6 +2,26 @@ import jwt from 'jsonwebtoken'
 import Member from '../models/member.js'
 import { connectDB } from './mongoose.js'
 
+/**
+ * Issue a session JWT and set the auth-token cookie for the given member.
+ * Mirrors the cookie options used by verify.post.js.
+ */
+export function setAuthCookie(event, member) {
+  const token = jwt.sign(
+    { memberId: member._id.toString(), email: member.email, tv: member.tokenVersion || 0 },
+    useRuntimeConfig(event).jwtSecret,
+    { expiresIn: '7d' }
+  )
+
+  setCookie(event, 'auth-token', token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 60 * 60 * 24 * 7
+  })
+}
+
 /**
  * Verify JWT from cookie and return the decoded member.
  * Throws 401 if token is missing or invalid.

server/utils/resend.js

@@ -4,8 +4,11 @@ const resend = new Resend(process.env.RESEND_API_KEY);
 
 /**
  * Send event registration confirmation email
+ * @param {Object} options - { requiresSignIn?: boolean } — when true, appends a
+ *   "sign in to view your ticket" paragraph for existing non-guest members who
+ *   registered via the public form and did not receive an auto-login cookie.
  */
-export async function sendEventRegistrationEmail(registration, eventData) {
+export async function sendEventRegistrationEmail(registration, eventData, options = {}) {
   const formatDate = (dateString) => {
     const date = new Date(dateString);
     return new Intl.DateTimeFormat("en-US", {
@@ -31,6 +34,9 @@ export async function sendEventRegistrationEmail(registration, eventData) {
 
   const baseUrl = process.env.BASE_URL || "https://ghostguild.org";
   const eventUrl = `${baseUrl}/events/${eventData.slug || eventData._id}`;
+  const signInSection = options.requiresSignIn
+    ? `\nSign in to view your ticket: ${baseUrl}/login\n`
+    : "";
 
   let ticketSection = "";
   if (
@@ -63,7 +69,7 @@ You're registered for ${eventData.title}.
 Date: ${formatDate(eventData.startDate)}
 Time: ${formatTime(eventData.startDate, eventData.endDate)}
 Location: ${eventData.location}
-${eventData.description ? `\n${eventData.description}\n` : ""}${ticketSection}
+${eventData.description ? `\n${eventData.description}\n` : ""}${ticketSection}${signInSection}
 View event: ${eventUrl}
 
 To cancel, visit the event page and click "Cancel Registration."`,

server/utils/schemas.js

@@ -95,7 +95,8 @@ export const helcimUpdateBillingSchema = z.object({
 export const ticketPurchaseSchema = z.object({
   name: z.string().min(1).max(200),
   email: z.string().trim().toLowerCase().email(),
-  transactionId: z.string().max(500).optional()
+  transactionId: z.string().max(500).optional(),
+  createAccount: z.boolean().optional().default(true)
 })
 
 export const ticketReserveSchema = z.object({