feat: HL tenant setup + email domain auto-assignment

- Create pre-configured Hogan Lovells tenant with demo flag and
  auto_assign_domains: ["hoganlovells.com"]
- Add POST /api/tenants/auto-assign endpoint: checks email domain
  against tenant settings, auto-assigns user as associate if match
- Add AutoAssignByDomain to TenantService
- Update registration flow: after signup, check auto-assign before
  showing tenant creation form. Skip tenant creation if auto-assigned.
- Add DemoBanner component shown when tenant.settings.demo is true
- Extend GET /api/me to return is_demo flag from tenant settings

backend/internal/handlers/tenant_handler.go

@@ -356,6 +356,71 @@ func (h *TenantHandler) UpdateMemberRole(w http.ResponseWriter, r *http.Request)
 	jsonResponse(w, map[string]string{"status": "updated"}, http.StatusOK)
 }
 
+// AutoAssign handles POST /api/tenants/auto-assign — checks if the user's email domain
+// matches any tenant's auto_assign_domains and assigns them if so.
+func (h *TenantHandler) AutoAssign(w http.ResponseWriter, r *http.Request) {
+	userID, ok := auth.UserFromContext(r.Context())
+	if !ok {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	var req struct {
+		Email string `json:"email"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		jsonError(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+	if req.Email == "" {
+		jsonError(w, "email is required", http.StatusBadRequest)
+		return
+	}
+
+	// Extract domain from email
+	parts := splitEmail(req.Email)
+	if parts == "" {
+		jsonError(w, "invalid email format", http.StatusBadRequest)
+		return
+	}
+
+	result, err := h.svc.AutoAssignByDomain(r.Context(), userID, parts)
+	if err != nil {
+		slog.Error("auto-assign failed", "error", err)
+		jsonError(w, "internal error", http.StatusInternalServerError)
+		return
+	}
+
+	if result == nil {
+		jsonResponse(w, map[string]any{"assigned": false}, http.StatusOK)
+		return
+	}
+
+	jsonResponse(w, map[string]any{
+		"assigned":  true,
+		"tenant_id": result.ID,
+		"name":      result.Name,
+		"slug":      result.Slug,
+		"role":      result.Role,
+		"settings":  result.Settings,
+	}, http.StatusOK)
+}
+
+// splitEmail extracts the domain part from an email address.
+func splitEmail(email string) string {
+	at := -1
+	for i, c := range email {
+		if c == '@' {
+			at = i
+			break
+		}
+	}
+	if at < 0 || at >= len(email)-1 {
+		return ""
+	}
+	return email[at+1:]
+}
+
 // GetMe handles GET /api/me — returns the current user's ID and role in the active tenant.
 func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
 	userID, ok := auth.UserFromContext(r.Context())
@@ -370,11 +435,26 @@ func (h *TenantHandler) GetMe(w http.ResponseWriter, r *http.Request) {
 	// Get user's permissions for frontend UI
 	perms := auth.GetRolePermissions(role)
 
+	// Check if tenant is in demo mode
+	isDemo := false
+	if tenant, err := h.svc.GetByID(r.Context(), tenantID); err == nil && tenant != nil {
+		var settings map[string]json.RawMessage
+		if json.Unmarshal(tenant.Settings, &settings) == nil {
+			if demoRaw, ok := settings["demo"]; ok {
+				var demo bool
+				if json.Unmarshal(demoRaw, &demo) == nil {
+					isDemo = demo
+				}
+			}
+		}
+	}
+
 	jsonResponse(w, map[string]any{
 		"user_id":     userID,
 		"tenant_id":   tenantID,
 		"role":        role,
 		"permissions": perms,
+		"is_demo":     isDemo,
 	}, http.StatusOK)
 }
 

backend/internal/services/tenant_service.go

@@ -240,6 +240,54 @@ func (s *TenantService) UpdateMemberRole(ctx context.Context, tenantID, userID u
 	return nil
 }
 
+// AutoAssignByDomain finds a tenant with a matching auto_assign_domains setting
+// and adds the user as a member. Returns the tenant and role, or nil if no match.
+func (s *TenantService) AutoAssignByDomain(ctx context.Context, userID uuid.UUID, emailDomain string) (*models.TenantWithRole, error) {
+	// Find tenant where settings.auto_assign_domains contains this domain
+	var tenant models.Tenant
+	err := s.db.GetContext(ctx, &tenant,
+		`SELECT id, name, slug, settings, created_at, updated_at
+		 FROM tenants
+		 WHERE settings->'auto_assign_domains' ? $1
+		 LIMIT 1`,
+		emailDomain,
+	)
+	if err != nil {
+		return nil, nil // no match — not an error
+	}
+
+	// Check if already a member
+	var exists bool
+	err = s.db.GetContext(ctx, &exists,
+		`SELECT EXISTS(SELECT 1 FROM user_tenants WHERE user_id = $1 AND tenant_id = $2)`,
+		userID, tenant.ID,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("check membership: %w", err)
+	}
+	if exists {
+		// Already a member — return the existing membership
+		role, err := s.GetUserRole(ctx, userID, tenant.ID)
+		if err != nil {
+			return nil, fmt.Errorf("get existing role: %w", err)
+		}
+		return &models.TenantWithRole{Tenant: tenant, Role: role}, nil
+	}
+
+	// Add as member (associate by default for auto-assigned users)
+	role := "associate"
+	_, err = s.db.ExecContext(ctx,
+		`INSERT INTO user_tenants (user_id, tenant_id, role) VALUES ($1, $2, $3)`,
+		userID, tenant.ID, role,
+	)
+	if err != nil {
+		return nil, fmt.Errorf("auto-assign user: %w", err)
+	}
+
+	s.audit.Log(ctx, "create", "auto_membership", &tenant.ID, map[string]any{"domain": emailDomain}, map[string]any{"user_id": userID, "role": role})
+	return &models.TenantWithRole{Tenant: tenant, Role: role}, nil
+}
+
 // RemoveMember removes a user from a tenant. Cannot remove the last owner.
 func (s *TenantService) RemoveMember(ctx context.Context, tenantID, userID uuid.UUID) error {
 	// Check if the user being removed is an owner