Default action: implement Option A (existing-user JIT membership via trusted SSO + ssoAutoCreateUsers) unless Carson objects by 2026-05-30 12:00 UTC
completedAgent: carson-engineer
Priority: 1
faeef93a-style executable default per LEARNINGS 2026-05-29 04:10 UTC Action Item #3.
Context: Sergey's SSO investigation (May 27-28) found that a verified existing Texture user with no org membership cannot complete a trusted-SSO login. Auto-link only works for existing org members; JIT only creates brand-new users. The May 28 standup surfaced Option A (gate behind the existing ssoAutoCreateUsers flag) vs Option B (new flag), with Option A recommended. No Carson reply visible since.
Default action: implement Option A. Extend the trusted-SSO JIT path to add an existing verified user to the org (rather than creating a new user) when ssoAutoCreateUsers=true and the email matches an existing verified Texture user that is not yet a member.
Final gate before execution: at 2026-05-30 12:00 UTC, re-read Carson DM history since 2026-05-29 12:30 UTC standup. If Carson chose Option B, picked a different design, or said hold, cancel this task with the reply linked. If silence, execute the default.
Execution: spawn coding sub-agent with workspace /home/agent/agents/carson-engineer;
(a) identify the trusted-SSO JIT entry in domains/identity (auth0/Okta SSO token exchange path);
(b) add an existing-user-membership branch: if no UserIdentity row for the SSO provider AND a verified User exists by email AND that user is not a member of the target org AND ssoAutoCreateUsers=true, add the user to the org with the appropriate default role;
(c) add tests covering the new branch + the still-blocked path when ssoAutoCreateUsers=false;
(d) create Linear issue (BOLT-XXXX) at task start and link to fleet-task;
(e) open PR with branch kai/sso-existing-user-membership and full local verification (type:check, test, build, lint);
(f) PATCH this task to completed with result.pr_url + result.linear_issue_id.
No Slack DM. Coordinate with Sergey/Carson only via the PR thread once it is open.
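The decision logic that Execution step (b) describes, written out as an added example (not Texture's own code): the type names, the store shape, and the choice to reject an unverified existing account rather than link it are assumptions.

```typescript
// Added example, not Texture's own code. Models the trusted-SSO login decision
// after Option A; type names, field names and the store shape are assumptions.
type Assertion = { provider: string; subject: string; email: string; orgId: string };
type User = { id: string; email: string; emailVerified: boolean };
type Org = { id: string; ssoAutoCreateUsers: boolean; defaultRole: string };
type Identity = { provider: string; subject: string; userId: string };
type Membership = { userId: string; orgId: string; role: string };
type Store = { users: User[]; orgs: Org[]; identities: Identity[]; memberships: Membership[] };
type Outcome =
  | { kind: "login"; userId: string }                           // identity row already linked
  | { kind: "auto_link"; userId: string }                       // existing org member, link identity
  | { kind: "add_existing_user"; userId: string; role: string } // Option A branch
  | { kind: "jit_create"; role: string }                        // brand-new user (existing JIT)
  | { kind: "rejected"; reason: string };

function resolveTrustedSsoLogin(store: Store, a: Assertion): Outcome {
  const org = store.orgs.find((o) => o.id === a.orgId);
  if (!org) return { kind: "rejected", reason: "unknown org" };
  const email = a.email.trim().toLowerCase(); // compare e-mail case-insensitively
  const isMember = (userId: string) =>
    store.memberships.some((m) => m.userId === userId && m.orgId === org.id);

  // A UserIdentity row already exists for this provider/subject: ordinary login.
  const ident = store.identities.find((i) => i.provider === a.provider && i.subject === a.subject);
  if (ident) return { kind: "login", userId: ident.userId };

  const user = store.users.find((u) => u.email === email);
  // No Texture user with this e-mail: JIT creation, gated by ssoAutoCreateUsers.
  if (!user) {
    return org.ssoAutoCreateUsers
      ? { kind: "jit_create", role: org.defaultRole }
      : { kind: "rejected", reason: "ssoAutoCreateUsers=false" };
  }
  // Assumption: never attach an SSO identity to an unverified account, so an
  // unverified sign-up with someone else's e-mail cannot inherit their SSO login.
  if (!user.emailVerified) return { kind: "rejected", reason: "email not verified" };
  // Existing verified member of this org: auto-link (pre-existing behaviour).
  if (isMember(user.id)) return { kind: "auto_link", userId: user.id };
  // Option A: verified existing user, not yet a member, behind the same gate as JIT.
  return org.ssoAutoCreateUsers
    ? { kind: "add_existing_user", userId: user.id, role: org.defaultRole }
    : { kind: "rejected", reason: "ssoAutoCreateUsers=false" };
}
```

The ssoAutoCreateUsers=false case reaches the same rejection as before the change, which is the "still-blocked path" step (c) asks the tests to cover.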
Event Timeline
created
status_change
queued → in_progress
failed
lease expired — re-queued for retry
in_progress → queued
status_change
queued → in_progress
failed
lease expired — re-queued for retry
in_progress → queued
status_change
queued → completed