test: add invite code validation tests and fix migration rollback

- Add TestInviteCodeSignup integration tests for valid/invalid invite codes
- Fix migration downgrade: avoid dropping trigger dependency
- Add DB CHECK constraint for invite_codes.code format
- Update runtime-route.md with invite_code documentation
- Update runtime-runbook.md with change log

backend/tests/integration/test_auth_routes.py

@@ -792,3 +792,96 @@ def test_password_reset_confirm_weak_password_returns_422() -> None:
         assert response.headers["content-type"].startswith("application/problem+json")
     finally:
         app.dependency_overrides = {}
+
+
+class TestInviteCodeSignup:
+    def test_signup_with_valid_invite_code_returns_202(self) -> None:
+        user = AuthUser(id="user-1", email="user@example.com")
+        token_response = SessionResponse(
+            access_token="access",
+            refresh_token="refresh",
+            expires_in=3600,
+            token_type="bearer",
+            user=user,
+        )
+        app.dependency_overrides[get_auth_service] = _override_auth_service(
+            FakeAuthService(token_response)
+        )
+
+        client = TestClient(app)
+        try:
+            response = client.post(
+                "/api/v1/auth/verifications",
+                json={
+                    "username": "demo",
+                    "email": "user@example.com",
+                    "password": "secret123",
+                    "invite_code": "A2B3C4D5",
+                },
+            )
+            assert response.status_code == 202
+            assert response.json() == {"email": "user@example.com"}
+        finally:
+            app.dependency_overrides = {}
+
+    def test_signup_with_invalid_invite_code_length_returns_422(self) -> None:
+        user = AuthUser(id="user-1", email="user@example.com")
+        token_response = SessionResponse(
+            access_token="access",
+            refresh_token="refresh",
+            expires_in=3600,
+            token_type="bearer",
+            user=user,
+        )
+        app.dependency_overrides[get_auth_service] = _override_auth_service(
+            FakeAuthService(token_response)
+        )
+
+        client = TestClient(app)
+        try:
+            response = client.post(
+                "/api/v1/auth/verifications",
+                json={
+                    "username": "demo",
+                    "email": "user@example.com",
+                    "password": "secret123",
+                    "invite_code": "ABC123",
+                },
+            )
+            assert response.status_code == 422
+            assert response.headers["content-type"].startswith(
+                "application/problem+json"
+            )
+        finally:
+            app.dependency_overrides = {}
+
+    def test_signup_with_invalid_invite_code_chars_returns_422(self) -> None:
+        user = AuthUser(id="user-1", email="user@example.com")
+        token_response = SessionResponse(
+            access_token="access",
+            refresh_token="refresh",
+            expires_in=3600,
+            token_type="bearer",
+            user=user,
+        )
+        app.dependency_overrides[get_auth_service] = _override_auth_service(
+            FakeAuthService(token_response)
+        )
+
+        client = TestClient(app)
+        try:
+            response = client.post(
+                "/api/v1/auth/verifications",
+                json={
+                    "username": "demo",
+                    "email": "user@example.com",
+                    "password": "secret123",
+                    "invite_code": "ABCD1234",
+                },
+            )
+            assert response.status_code == 422
+            assert response.headers["content-type"].startswith(
+                "application/problem+json"
+            )
+        finally:
+            app.dependency_overrides = {}