auth: login pill toggle for clinic/lab + server-side kind validation

Sign-in form now has a Klinik / Laboratuvar pill toggle (defaults to clinic).
The selected kind is posted alongside email+password; the server action
resolves the user's memberships, picks a tenant_settings row matching the
chosen kind, and sets it as active. If no matching tenant exists the session
is rolled back with a clear error.

Invite-flow logins skip the kind check — invite code drives team assignment.

src/lib/appwrite/auth-actions.ts

@@ -2,9 +2,11 @@
 
 import { cookies } from "next/headers";
 import { redirect } from "next/navigation";
-import { AppwriteException, ID } from "node-appwrite";
+import { AppwriteException, ID, Query } from "node-appwrite";
 
 import { APPWRITE_SESSION_COOKIE, createAdminClient, createSessionClient } from "./server";
+import { DATABASE_ID, TABLES, type TenantKind, type TenantSettings } from "./schema";
+import { ACTIVE_TENANT_COOKIE } from "./tenant-types";
 import type { AuthState } from "./auth-types";
 
 function appwriteError(e: unknown): string {
@@ -38,23 +40,90 @@ async function setSessionCookie(secret: string, expire: string) {
   });
 }
 
+async function setActiveTenantCookie(tenantId: string) {
+  (await cookies()).set(ACTIVE_TENANT_COOKIE, tenantId, {
+    path: "/",
+    httpOnly: true,
+    sameSite: "strict",
+    secure: process.env.NODE_ENV === "production",
+    maxAge: 60 * 60 * 24 * 365,
+  });
+}
+
+async function pickTenantIdByKind(userId: string, kind: TenantKind): Promise<string | null> {
+  const { users, tablesDB } = createAdminClient();
+  const memberships = await users.listMemberships(userId);
+  const teamIds = memberships.memberships.map((m) => m.teamId);
+  if (teamIds.length === 0) return null;
+
+  const result = await tablesDB.listRows({
+    databaseId: DATABASE_ID,
+    tableId: TABLES.tenantSettings,
+    queries: [
+      Query.equal("tenantId", teamIds),
+      Query.equal("kind", kind),
+      Query.limit(1),
+    ],
+  });
+  const row = result.rows[0] as unknown as TenantSettings | undefined;
+  return row?.tenantId ?? null;
+}
+
 export async function signInAction(_prev: AuthState, formData: FormData): Promise<AuthState> {
   const email = String(formData.get("email") ?? "").trim();
   const password = String(formData.get("password") ?? "");
   const inviteCode = String(formData.get("inviteCode") ?? "").trim();
+  const rawKind = String(formData.get("kind") ?? "").trim();
+  const kind: TenantKind | null =
+    rawKind === "lab" || rawKind === "clinic" ? rawKind : null;
 
   if (!email || !password) {
     return { ok: false, error: "Email ve şifre zorunlu." };
   }
 
+  let sessionUserId: string | null = null;
+  let sessionId: string | null = null;
   try {
     const { account } = createAdminClient();
     const session = await account.createEmailPasswordSession(email, password);
+    sessionUserId = session.userId;
+    sessionId = session.$id;
     await setSessionCookie(session.secret, session.expire);
   } catch (e) {
     return { ok: false, error: appwriteError(e) };
   }
 
+  // Invite flow short-circuits the kind check — invite code drives team membership
+  if (!inviteCode && kind && sessionUserId) {
+    const matchedTenantId = await pickTenantIdByKind(sessionUserId, kind);
+    if (!matchedTenantId) {
+      // Roll back session: user has no tenant of the requested kind
+      try {
+        const { users } = createAdminClient();
+        if (sessionId) await users.deleteSession(sessionUserId, sessionId);
+      } catch {
+        /* best-effort */
+      }
+      (await cookies()).delete(APPWRITE_SESSION_COOKIE);
+      const label = kind === "lab" ? "laboratuvar" : "klinik";
+      return {
+        ok: false,
+        error: `Bu hesap için ${label} kaydı bulunamadı. Diğer hesap türünü seçin veya yeni çalışma alanı oluşturun.`,
+      };
+    }
+    await setActiveTenantCookie(matchedTenantId);
+    try {
+      const { users } = createAdminClient();
+      const user = await users.get(sessionUserId);
+      await users.updatePrefs(sessionUserId, {
+        ...(user.prefs ?? {}),
+        activeTenant: matchedTenantId,
+      });
+    } catch {
+      /* best-effort */
+    }
+  }
+
   redirect(inviteCode ? `/d/${inviteCode}` : "/dashboard");
 }