To reproduce the first issue, do this:

• Create an account with address abc@xyz.com on an instance through some administrative workflow which doesn't create a corresponding central account, simulating an imported account (e.g., via bin/accountadmin or its successor).
• Via Members → Add Members, invite the email address instead of importing it. Here, you're acting as an instance manager rather than Phacility staff.

This will produce an invited member row like this:

+----+--------------------------------+--------------------------------+--------------------------------+---------+-------------+--------------+----------------------+---------------+--------------------+--------------------------------+---------------+--------+
| id | phid                           | instancePHID                   | userPHID                       | status  | dateCreated | dateModified | emailAddress         | dateActivated | autolinkShadowPHID | authorPHID                     | inviteMessage | isSent |
+----+--------------------------------+--------------------------------+--------------------------------+---------+-------------+--------------+----------------------+---------------+--------------------+--------------------------------+---------------+--------+
| 21 | PHID-IIIM-253pklytjpxzu4yn6ylc | PHID-IIIN-uqgtxr2xpwilfklniiao | NULL                           | invited |  1560457522 |   1560457522 | epriestley2@yghe.net |          NULL | NULL               | PHID-USER-icyixzkx3f4ttv67avbn | hi ho         |      1 |
+----+--------------------------------+--------------------------------+--------------------------------+---------+-------------+--------------+----------------------+---------------+--------------------+--------------------------------+---------------+--------+

Note that there is (correctly) no autolinkShadowPHID here.

That produces this "import" state where the account shows "Already Invited":

This implies "a staff member already imported and invited this user", but it's not quite correct in this case and is conflating "account invited by staff" and "email invited by instance manager". The latter doesn't link. We should put the tool in this state only if autolinkShadowPHID has the right user already.

From here, there's currently no way forward in the tool. We don't let you act on this account since we consider it underway already.

To reproduce the second issue, do this:

• From the earlier state, as the user who owns the email address, follow the link in the invite flow.

Now, the user sees this:

This is vaguely misleading in a Phacility context and we end up with the unlinked external account record written to the database:

mysql> select * from user_externalaccount\G
*************************** 1. row ***************************
                id: 3
              phid: PHID-XUSR-6m2jpqi765hf2xldtk6c
          userPHID: NULL
       accountType: phabricator
     accountDomain: self
     accountSecret: yotppvkpidsnvb5put345gyfcjfdmveq
         accountID: PHID-USER-wjurmm3dsdigba5sbi6w
       displayName: NULL
       dateCreated: 1560458180
      dateModified: 1560458180
          username: epriestley2
          realName: epriestley2
             email: epriestley2@yghe.net
     emailVerified: 0
        accountURI: http://local.phacility.com/p/epriestley2/
  profileImagePHID: NULL
        properties: {"oauth.token.access":"X","oauth.token.refresh":null,"oauth.token.access.expires":null,"registrationKey":"Y"}
providerConfigPHID: PHID-AUTH-dgwlstl7kpaemhhtu3rx
1 row in set (0.00 sec)

It's correct that we roadblock this user, and we actually would prefer to create a higher barrier and prevent them from clicking "Create New Account". The remedy is "contact support so the link can be approved by staff".

The ideal behavior is probably that the tool recognize two new states:

• "Invited by Manager, Not Registered". In this case, an instances_member row exists with no autolinkShadowPHID, but a user_externalaccount row does not exist. The correct merge behavior for the tool is to set autolinkShadowPHID.
• "Invited by Manager, Registered". In this case, an instances_member row exists and a user_externalaccount row also exists, with a null userPHID. The correct merge behavior is for the tool to set userPHID.

Since this is a mess, a possibly easier fix is this instead:

• In the instance manager invite tool, raise an error when inviting an email address which is already registered on the instance ("Contact staff to import.")

That seems generally clearer for everyone so I'm going to give that a shot.