diff --git a/MIGRATIONS.md b/MIGRATIONS.md
index 9e13f112a..139f66c4b 100644
--- a/MIGRATIONS.md
+++ b/MIGRATIONS.md
@@ -4,6 +4,25 @@ Breaking changes and upgrade notes for downstream projects.
 
 ---
 
+## surface-tabs: activation-aware tab filtering (2026-06-12, #4295)
+
+Module-contributed surface tabs now respect `config.modules.{name}.activated`. Previously a downstream setting `modules: { invitations: { activated: false } }` still rendered the admin "Invitations" tab + the account "Referrals" tab (the module fragment's `admin.tabs` / `users.extraTabs` merge unconditionally at generation time) while the routes were correctly NOT injected — clicking the tab landed on a 404.
+
+### What changed (this repo)
+
+- `resolveSurfaceTabs(tabs, can, isActive = () => true)` gained an optional third parameter: tab descriptors may carry an optional `module` field, and a tab whose `module` is reported inactive is filtered out. Tabs without a `module` field are never activation-filtered; omitting `isActive` keeps every tab (existing callers unchanged).
+- `core.surfaceTabBar.component.vue` passes `isModuleActive` as the third argument — its single call site means ALL surfaces using `CoreSurfaceTabBar` (admin, account, org-settings) get the gate.
+- The invitations config fragment tags both of its tab descriptors with `module: 'invitations'`; the regenerated `src/config/index.js` carries the field.
+- The filter is render-time on purpose (single source of truth: `isModuleActive`). Generation-time pruning would have to run after all 5 merge layers, handle env-var string coercion (`'false' !== false`), and silently diverge the committed generated file.
+
+### Action required for downstream projects (`/update-stack`)
+
+1. All files are devkit-owned → arrive via `/update-stack`. Re-run `npm run generateConfig` (any `dev`/`build`/`preview` does it) so the regenerated config picks up the `module` fields.
+2. **⚠️ If a downstream overrides `admin.tabs` or `users.extraTabs` in its `{project}.config.js`** (deepMerge REPLACES arrays — the override is the whole array), add `module: '<owning-module>'` to any module-owned tab descriptors in the override, or those tabs will keep rendering when that module is deactivated. Tabs without a `module` field are always shown — project-owned tabs need no change.
+3. Deactivating a module (e.g. `modules: { invitations: { activated: false } }`) now hides its surface tabs as well as its routes — no more tab-to-404.
+
+---
+
 ## organizations: org email-invite UI removed (2026-06-11, #4280)
 
 Phase 7 of the invitations↔org decouple epic. Pairs with Node P4 (#3812), which deleted the backends (`POST /api/organizations/:id/invites`, `GET /api/invites/:token`, `POST /api/invites/:token/accept`) — this UI was dead.
diff --git a/src/lib/helpers/surface-tabs.js b/src/lib/helpers/surface-tabs.js
index d003dc05f..82645bc13 100644
--- a/src/lib/helpers/surface-tabs.js
+++ b/src/lib/helpers/surface-tabs.js
@@ -53,22 +53,33 @@ export function isValidTab(tab) {
 }
 
 /**
- * Filter a tabs array by validity then by CASL permissions.
+ * Filter a tabs array by validity, then by CASL permissions, then by module
+ * activation.
  *
  * A tab with no `{action, subject}` pair is always shown (unconditional tabs).
  * Both `action` AND `subject` must be present for the CASL check to apply.
  *
- * Intended for use by surface layouts (org-settings, admin, etc.) to derive
- * their reactive extra-tab list from a config array + a `can` predicate from
- * `useAbility()`.
+ * A tab may carry an optional `module` field naming the optional module that
+ * owns it (e.g. a module-contributed `config.admin.tabs` entry). When the
+ * `isActive` predicate reports that module inactive, the tab is hidden —
+ * keeping render-time tab visibility consistent with route injection, which
+ * already skips deactivated modules (`injectModuleChildren`). Tabs without a
+ * `module` field are never activation-filtered, and the keep-all default
+ * preserves existing 2-argument callers byte-for-byte.
+ *
+ * Intended for use by surface layouts (org-settings, admin, account, etc.)
+ * to derive their reactive extra-tab list from a config array + a `can`
+ * predicate from `useAbility()` (+ optionally `isModuleActive`).
  *
  * @param {Array<unknown>|null|undefined} tabs - Raw tabs from config.
  * @param {(action: string, subject: string) => boolean} can - Required. CASL predicate from `useAbility()`. Must be a function.
- * @returns {Array<object>} Validated + permitted tabs.
+ * @param {(moduleName: string) => boolean} [isActive=() => true] - Optional module-activation predicate (e.g. `isModuleActive`). Defaults to keep-all.
+ * @returns {Array<object>} Validated + permitted + activation-filtered tabs.
  */
-export function resolveSurfaceTabs(tabs, can) {
+export function resolveSurfaceTabs(tabs, can, isActive = () => true) {
   if (typeof can !== 'function') throw new TypeError('[resolveSurfaceTabs] can must be a function');
   return (Array.isArray(tabs) ? tabs : [])
     .filter(isValidTab)
-    .filter((t) => (t.action && t.subject ? can(t.action, t.subject) : true));
+    .filter((t) => (t.action && t.subject ? can(t.action, t.subject) : true))
+    .filter((t) => (t.module ? isActive(t.module) : true));
 }
diff --git a/src/lib/helpers/tests/surface-tabs.unit.tests.js b/src/lib/helpers/tests/surface-tabs.unit.tests.js
index 2e0f9f188..a4d691d48 100644
--- a/src/lib/helpers/tests/surface-tabs.unit.tests.js
+++ b/src/lib/helpers/tests/surface-tabs.unit.tests.js
@@ -182,3 +182,49 @@ describe('resolveSurfaceTabs', () => {
     expect(resolveSurfaceTabs(tabs, can).map((t) => t.value)).toEqual(['billing']);
   });
 });
+
+/**
+ * resolveSurfaceTabs — optional module-activation filter (3rd param).
+ * A tab may carry an optional `module` field naming its owning optional
+ * module; when the `isActive` predicate reports that module inactive the tab
+ * is hidden. Tabs without a `module` field are never activation-filtered,
+ * and omitting `isActive` keeps every tab (backward compatible default).
+ */
+describe('resolveSurfaceTabs — module activation filter', () => {
+  const allowAll = () => true;
+  const tabs = [
+    { value: 'profile', label: 'Profile', route: 'profile' },
+    { value: 'invitations', label: 'Referrals', route: 'invitations', module: 'invitations' },
+  ];
+
+  it('filters out a tab whose module is inactive', () => {
+    const isActive = (name) => name !== 'invitations';
+    expect(resolveSurfaceTabs(tabs, allowAll, isActive).map((t) => t.value)).toEqual(['profile']);
+  });
+
+  it('keeps a tab whose module is active', () => {
+    const isActive = () => true;
+    expect(resolveSurfaceTabs(tabs, allowAll, isActive).map((t) => t.value)).toEqual(['profile', 'invitations']);
+  });
+
+  it('never activation-filters tabs without a module field, even when isActive rejects everything', () => {
+    const isActive = () => false;
+    expect(resolveSurfaceTabs(tabs, allowAll, isActive).map((t) => t.value)).toEqual(['profile']);
+  });
+
+  it('keeps all tabs when isActive is omitted (backward-compatible default)', () => {
+    expect(resolveSurfaceTabs(tabs, allowAll).map((t) => t.value)).toEqual(['profile', 'invitations']);
+  });
+
+  it('applies validity + CASL + activation in one pass', () => {
+    const mixed = [
+      { value: 'profile', label: 'Profile', route: 'profile' },
+      { value: 'denied', label: 'Denied', route: 'denied', action: 'manage', subject: 'Nope' },
+      { value: 'invitations', label: 'Referrals', route: 'invitations', module: 'invitations' },
+      { label: 'broken' },
+    ];
+    const can = (action, subject) => subject !== 'Nope';
+    const isActive = (name) => name !== 'invitations';
+    expect(resolveSurfaceTabs(mixed, can, isActive).map((t) => t.value)).toEqual(['profile']);
+  });
+});
diff --git a/src/modules/admin/tests/admin.activity.view.unit.tests.js b/src/modules/admin/tests/admin.activity.view.unit.tests.js
index d0b1b5353..1021b5ecc 100644
--- a/src/modules/admin/tests/admin.activity.view.unit.tests.js
+++ b/src/modules/admin/tests/admin.activity.view.unit.tests.js
@@ -1,4 +1,4 @@
-import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
 import { setActivePinia, createPinia } from 'pinia';
 import { shallowMount } from '@vue/test-utils';
 import { useAdminStore } from '../stores/admin.store';
@@ -224,3 +224,98 @@ describe('admin.activity.view — template chrome', () => {
     expect(tmpl).toMatch(/@keydown\.space/);
   });
 });
+
+describe('admin.activity.view — debounced card-title filters', () => {
+  let adminStore;
+
+  /**
+   * Mount with a fresh pinia + mocked store action. Call AFTER
+   * vi.useFakeTimers() so the debounce timer is controllable.
+   * @returns {import('@vue/test-utils').VueWrapper}
+   */
+  const mountWithFreshStore = () => {
+    setActivePinia(createPinia());
+    adminStore = useAdminStore();
+    adminStore.getAuditLogs = vi.fn().mockResolvedValue();
+    return mountActivity();
+  };
+
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  it('fetches 1000ms after typing in the action filter (single trailing call, page reset)', async () => {
+    vi.useFakeTimers();
+    const wrapper = mountWithFreshStore();
+    expect(adminStore.getAuditLogs).toHaveBeenCalledTimes(1); // mount fetch
+    wrapper.vm.activityFilterAction = 'auth.log';
+    await wrapper.vm.$nextTick();
+    wrapper.vm.activityFilterAction = 'auth.login';
+    await wrapper.vm.$nextTick();
+    vi.advanceTimersByTime(999);
+    expect(adminStore.getAuditLogs).toHaveBeenCalledTimes(1);
+    vi.advanceTimersByTime(1);
+    expect(adminStore.getAuditLogs).toHaveBeenCalledTimes(2);
+    expect(adminStore.getAuditLogs).toHaveBeenLastCalledWith(
+      expect.objectContaining({ action: 'auth.login', page: 1 }),
+    );
+  });
+
+  it('does not fetch while the user-ID filter is not a valid ObjectId', async () => {
+    vi.useFakeTimers();
+    const wrapper = mountWithFreshStore();
+    wrapper.vm.activityFilterUserId = 'not-an-objectid';
+    await wrapper.vm.$nextTick();
+    vi.advanceTimersByTime(1000);
+    expect(adminStore.getAuditLogs).toHaveBeenCalledTimes(1); // mount fetch only
+    expect(wrapper.vm.activityUserIdValid).toBe(false);
+    wrapper.vm.activityFilterUserId = '507f1f77bcf86cd799439011';
+    await wrapper.vm.$nextTick();
+    vi.advanceTimersByTime(1000);
+    expect(adminStore.getAuditLogs).toHaveBeenCalledTimes(2);
+    expect(adminStore.getAuditLogs).toHaveBeenLastCalledWith(
+      expect.objectContaining({ userId: '507f1f77bcf86cd799439011', page: 1 }),
+    );
+  });
+
+  it('Clear fetches immediately and the trailing debounce does not double-fetch', async () => {
+    vi.useFakeTimers();
+    const wrapper = mountWithFreshStore();
+    wrapper.vm.activityFilterAction = 'auth.login';
+    await wrapper.vm.$nextTick();
+    vi.advanceTimersByTime(1000);
+    expect(adminStore.getAuditLogs).toHaveBeenCalledTimes(2);
+    wrapper.vm.clearActivityFilters();
+    expect(adminStore.getAuditLogs).toHaveBeenCalledTimes(3);
+    await wrapper.vm.$nextTick();
+    vi.advanceTimersByTime(1000);
+    expect(adminStore.getAuditLogs).toHaveBeenCalledTimes(3); // debounce deduped
+  });
+});
+
+describe('admin.activity.view — card-title chrome (datatable parity)', () => {
+  /**
+   * Read the SFC template section from disk.
+   * @returns {string}
+   */
+  const readTemplate = () => {
+    const here = dirname(fileURLToPath(import.meta.url));
+    const sfc = readFileSync(resolve(here, '../views/admin.activity.view.vue'), 'utf8');
+    return sfc.split('<script>')[0];
+  };
+
+  it('mirrors the datatable card-title row: flex title + spacer + two compact outlined filter fields', () => {
+    const tmpl = readTemplate();
+    expect(tmpl).toMatch(/<v-card-title class="d-flex align-center ga-3">/);
+    expect(tmpl).toMatch(/<v-spacer><\/v-spacer>/);
+    expect(tmpl).toMatch(/prepend-inner-icon="fa-solid fa-magnifying-glass"/);
+    expect(tmpl).toMatch(/prepend-inner-icon="fa-solid fa-user"/);
+    expect(tmpl.match(/max-width="280"/g) || []).toHaveLength(2);
+  });
+
+  it('the enter-key + Search-button flow is gone (debounce replaces it)', () => {
+    const tmpl = readTemplate();
+    expect(tmpl).not.toMatch(/@keyup\.enter/);
+    expect(tmpl).not.toMatch(/Search\s*<\/v-btn>/);
+  });
+});
diff --git a/src/modules/admin/tests/admin.layout.unit.tests.js b/src/modules/admin/tests/admin.layout.unit.tests.js
index 61749d227..bda2ef73b 100644
--- a/src/modules/admin/tests/admin.layout.unit.tests.js
+++ b/src/modules/admin/tests/admin.layout.unit.tests.js
@@ -3,7 +3,7 @@ import { mount } from '@vue/test-utils';
 import { createPinia, setActivePinia } from 'pinia';
 import { createVuetify } from 'vuetify';
 
-const adminStoreState = { error: null, currentBreadcrumb: null };
+const adminStoreState = { error: null, currentBreadcrumb: null, readiness: [], getReadiness: vi.fn() };
 const authStoreState = { serverConfig: null };
 
 vi.mock('../stores/admin.store', () => ({
@@ -68,6 +68,8 @@ describe('admin.layout', () => {
     setActivePinia(createPinia());
     adminStoreState.error = null;
     adminStoreState.currentBreadcrumb = null;
+    adminStoreState.readiness = [];
+    adminStoreState.getReadiness = vi.fn();
     authStoreState.serverConfig = null;
   });
 
@@ -151,17 +153,10 @@ describe('admin.layout', () => {
     expect(html.indexOf('Boom')).toBeLessThan(html.indexOf('page-header-tabs-stub'));
   });
 
-  it('renders the mailer warning at the TOP when serverConfig.mail.configured is false', async () => {
+  it('does NOT render a mailer banner even when serverConfig.mail.configured is false (signal lives in the Readiness tab)', async () => {
     authStoreState.serverConfig = { mail: { configured: false } };
     const wrapper = mountLayout();
     await wrapper.vm.$nextTick();
-    const html = wrapper.html();
-    expect(html.indexOf('No mailer configured')).toBeLessThan(html.indexOf('page-header-tabs-stub'));
-  });
-
-  it('does NOT render the mailer warning when mail is configured', () => {
-    authStoreState.serverConfig = { mail: { configured: true } };
-    const wrapper = mountLayout();
     expect(wrapper.html()).not.toContain('No mailer configured');
   });
 
@@ -211,4 +206,40 @@ describe('admin.layout', () => {
     expect(wrapper.text()).toContain('Jane Doe');
   });
 
+  it('fetches readiness on mount when the store has none (feeds the tab badge)', () => {
+    mountLayout();
+    expect(adminStoreState.getReadiness).toHaveBeenCalledTimes(1);
+  });
+
+  it('does not fetch readiness on mount when the store is already populated', () => {
+    adminStoreState.readiness = [{ category: 'database', status: 'ok', message: 'up' }];
+    mountLayout();
+    expect(adminStoreState.getReadiness).not.toHaveBeenCalled();
+  });
+
+  it('does not fetch readiness when landing directly on the readiness tab (view fetches itself)', () => {
+    mountLayout({}, '/admin/readiness');
+    expect(adminStoreState.getReadiness).not.toHaveBeenCalled();
+  });
+
+  it('decorates the readiness tab with a badge equal to the non-ok check count', () => {
+    adminStoreState.readiness = [
+      { category: 'database', status: 'ok', message: 'up' },
+      { category: 'mailer', status: 'warning', message: 'not configured' },
+      { category: 'storage', status: 'error', message: 'unreachable' },
+    ];
+    const wrapper = mountLayout();
+    const tabs = wrapper.findComponent({ name: 'CorePageHeaderTabs' }).props('tabs');
+    const readinessTab = tabs.find((t) => t.value === 'readiness');
+    expect(readinessTab.badge).toBe(2);
+  });
+
+  it('adds no badge field when every readiness check is ok', () => {
+    adminStoreState.readiness = [{ category: 'database', status: 'ok', message: 'up' }];
+    const wrapper = mountLayout();
+    const tabs = wrapper.findComponent({ name: 'CorePageHeaderTabs' }).props('tabs');
+    const readinessTab = tabs.find((t) => t.value === 'readiness');
+    expect(readinessTab.badge).toBeUndefined();
+  });
+
 });
diff --git a/src/modules/admin/views/admin.activity.view.vue b/src/modules/admin/views/admin.activity.view.vue
index 93ddaf222..3cfab54a9 100644
--- a/src/modules/admin/views/admin.activity.view.vue
+++ b/src/modules/admin/views/admin.activity.view.vue
@@ -14,54 +14,42 @@
           <span class="text-body-medium">Audit logging is disabled. Enable it in configuration to start tracking activity.</span>
         </v-alert>
         <v-card v-else width="100%" color="surface" :flat="config.vuetify.theme.flat" :class="config.vuetify.theme.rounded">
-    <v-card-title>
-      <v-row dense align="center">
-        <v-col cols="12" sm="auto">
-          <v-text-field
-            v-model="activityFilterAction"
-            placeholder="Filter by action"
-            hide-details
-            density="compact"
-            variant="outlined"
-            prepend-inner-icon="fa-solid fa-filter"
-            :class="config.vuetify.theme.rounded"
-            max-width="240"
-            @keyup.enter="applyActivityFilters"
-          ></v-text-field>
-        </v-col>
-        <v-col cols="12" sm="auto">
-          <v-text-field
-            v-model="activityFilterUserId"
-            placeholder="Filter by user ID"
-            hide-details
-            density="compact"
-            variant="outlined"
-            prepend-inner-icon="fa-solid fa-user"
-            :class="config.vuetify.theme.rounded"
-            max-width="240"
-            @keyup.enter="applyActivityFilters"
-          ></v-text-field>
-        </v-col>
-        <v-col cols="12" sm="auto">
-          <v-btn
-            variant="tonal"
-            color="primary"
-            class="text-none text-body-medium"
-            :class="config.vuetify.theme.rounded"
-            @click="applyActivityFilters"
-          >
-            <v-icon icon="fa-solid fa-magnifying-glass" size="small" class="mr-2"></v-icon>Search
-          </v-btn>
-          <v-btn
-            v-if="activityFilterAction || activityFilterUserId"
-            variant="text"
-            class="text-none text-body-medium ml-2"
-            @click="clearActivityFilters"
-          >
-            Clear
-          </v-btn>
-        </v-col>
-      </v-row>
+    <v-card-title class="d-flex align-center ga-3">
+      <span class="text-title-medium">Activity</span>
+      <v-spacer></v-spacer>
+      <v-btn
+        v-if="activityFilterAction || activityFilterUserId"
+        color="primary"
+        variant="tonal"
+        size="small"
+        :class="config.vuetify.theme.rounded"
+        class="text-none text-body-medium"
+        @click="clearActivityFilters"
+      >
+        <v-icon icon="fa-solid fa-xmark" size="small" class="mr-2"></v-icon>
+        Clear
+      </v-btn>
+      <v-text-field
+        v-model="activityFilterAction"
+        placeholder="Filter by action"
+        hide-details
+        density="compact"
+        variant="outlined"
+        prepend-inner-icon="fa-solid fa-magnifying-glass"
+        max-width="280"
+        :class="config.vuetify.theme.rounded"
+      ></v-text-field>
+      <v-text-field
+        v-model="activityFilterUserId"
+        placeholder="Filter by user ID"
+        hide-details
+        density="compact"
+        variant="outlined"
+        prepend-inner-icon="fa-solid fa-user"
+        max-width="280"
+        :error="!activityUserIdValid"
+        :class="config.vuetify.theme.rounded"
+      ></v-text-field>
     </v-card-title>
     <v-progress-linear :active="activityLoading" indeterminate color="primary"></v-progress-linear>
     <v-table v-if="!activityLoading && auditLogs.length" fixed-header hover>
@@ -144,15 +132,23 @@
  * Module dependencies.
  */
 import dayjs from 'dayjs';
+import { debounce } from 'lodash-es';
 import { useAdminStore } from '../stores/admin.store';
 
+/**
+ * Mongo ObjectId shape — GET /audit rejects malformed `userId` values with
+ * a 400, so the user-ID filter is gated client-side until it is complete.
+ */
+const OBJECT_ID_REGEX = /^[a-f\d]{24}$/i;
+
 /**
  * Component definition.
  *
  * Activity tab of the admin section — renders the audit-log table with
- * filters and pagination. Fetches on `mounted()` since it is now a routed
- * view (no parent tab model to watch). Mounted as a routed child of
- * `admin.layout.vue` at `/admin/activity`.
+ * card-title filters (debounced 1000ms, mirroring the search field of
+ * `core.datatable.component.vue`) and auditTotal-based pagination. Fetches
+ * on `mounted()` since it is a routed view (no parent tab model to watch).
+ * Mounted as a routed child of `admin.layout.vue` at `/admin/activity`.
  */
 export default {
   name: 'AdminActivity',
@@ -164,6 +160,10 @@ export default {
       activityFilterAction: '',
       activityFilterUserId: '',
       activityExpandedId: null,
+      // Snapshot of the last APPLIED filter pair — lets the trailing
+      // debounce no-op when nothing changed (e.g. right after Clear
+      // already fetched with the reset values).
+      activityAppliedFilters: JSON.stringify(['', '']),
     };
   },
   computed: {
@@ -180,6 +180,15 @@ export default {
     activityHasNextPage() {
       return this.activityPage * this.activityPerPage < this.auditTotal;
     },
+    /**
+     * @desc Whether the user-ID filter is empty or a complete Mongo
+     *       ObjectId. The backend 400s on malformed userId values, so
+     *       debounced fetches are gated on this while the user types.
+     * @returns {boolean}
+     */
+    activityUserIdValid() {
+      return !this.activityFilterUserId || OBJECT_ID_REGEX.test(this.activityFilterUserId);
+    },
   },
   watch: {
     activityPerPage() {
@@ -187,11 +196,24 @@ export default {
       this.fetchActivityLogs();
     },
   },
+  created() {
+    // Mirror core.datatable.component.vue's search wiring: a 1000ms
+    // debounced watcher replaces the old enter-key + Search-button flow.
+    // Stored on the instance (non-reactive) so it can be cancelled.
+    this.debouncedApplyFilters = debounce(() => {
+      this.applyActivityFilters();
+    }, 1000);
+    this.$watch('activityFilterAction', this.debouncedApplyFilters);
+    this.$watch('activityFilterUserId', this.debouncedApplyFilters);
+  },
   mounted() {
     if (!(this.config?.audit && this.config.audit.enabled === false)) {
       this.fetchActivityLogs();
     }
   },
+  beforeUnmount() {
+    this.debouncedApplyFilters.cancel();
+  },
   methods: {
     /**
      * @desc Format an ISO date string for display in the activity table.
@@ -210,9 +232,11 @@ export default {
       this.activityExpandedId = this.activityExpandedId === id ? null : id;
     },
     /**
-     * @desc Fetch audit logs from the store with current filters and pagination.
-     *       Loading flag is always cleared, even if the store action rejects,
-     *       so the progress bar does not stay pinned on failure.
+     * @desc Fetch audit logs from the store with current filters and
+     *       pagination. The userId param is only sent when it is a valid
+     *       ObjectId (backend 400s otherwise). Loading flag is always
+     *       cleared, even if the store action rejects, so the progress bar
+     *       does not stay pinned on failure.
      * @returns {Promise<void>}
      */
     async fetchActivityLogs() {
@@ -220,7 +244,7 @@ export default {
       try {
         await useAdminStore().getAuditLogs({
           action: this.activityFilterAction || undefined,
-          userId: this.activityFilterUserId || undefined,
+          userId: this.activityUserIdValid ? this.activityFilterUserId || undefined : undefined,
           page: this.activityPage,
           perPage: this.activityPerPage,
         });
@@ -228,15 +252,24 @@ export default {
         this.activityLoading = false;
       }
     },
-    /** @desc Apply activity filters and reset to page 1. */
+    /**
+     * @desc Apply activity filters and reset to page 1. Skips when the
+     *       user-ID filter is incomplete, and dedupes against the last
+     *       applied pair so the trailing debounce after Clear is a no-op.
+     */
     applyActivityFilters() {
+      if (!this.activityUserIdValid) return;
+      const next = JSON.stringify([this.activityFilterAction, this.activityFilterUserId]);
+      if (next === this.activityAppliedFilters) return;
+      this.activityAppliedFilters = next;
       this.activityPage = 1;
       this.fetchActivityLogs();
     },
-    /** @desc Clear all activity filters and reset to page 1. */
+    /** @desc Clear all activity filters, reset to page 1 and refetch. */
     clearActivityFilters() {
       this.activityFilterAction = '';
       this.activityFilterUserId = '';
+      this.activityAppliedFilters = JSON.stringify(['', '']);
       this.activityPage = 1;
       this.fetchActivityLogs();
     },
diff --git a/src/modules/admin/views/admin.layout.vue b/src/modules/admin/views/admin.layout.vue
index a4c6897d5..7d67bbcc5 100644
--- a/src/modules/admin/views/admin.layout.vue
+++ b/src/modules/admin/views/admin.layout.vue
@@ -13,19 +13,6 @@
     >
       <span class="text-body-medium">{{ error }}</span>
     </v-alert>
-    <v-alert
-      v-if="showMailerWarning"
-      type="warning"
-      variant="tonal"
-      density="compact"
-      class="mx-2 mt-2"
-      :class="config.vuetify.theme.rounded"
-      icon="fa-solid fa-triangle-exclamation"
-    >
-      <span class="text-body-medium">
-        No mailer configured. Users can register with any email without verification. Set up SMTP to enable email verification.
-      </span>
-    </v-alert>
 
     <CorePageHeaderTabs
       icon="fa-solid fa-user-tie"
@@ -52,7 +39,6 @@
 import CorePageHeaderTabs from '../../core/components/core.pageHeaderTabs.component.vue';
 import { ability } from '../../../lib/helpers/ability';
 import { useAdminStore } from '../stores/admin.store';
-import { useAuthStore } from '../../auth/stores/auth.store';
 
 /**
  * Built-in admin tabs (canonical). Downstream apps may add more via
@@ -69,10 +55,11 @@ const BUILT_IN_TABS = Object.freeze([
 /**
  * Component definition.
  *
- * `admin.layout.vue` is the parent layout for the admin section. It renders
- * banners (error + mailer-not-configured warning), a page header that either
- * shows the admin tab bar (list-page mode) or a breadcrumb pushed by a sub-
- * view (detail-page mode), and a `<router-view>` for nested children.
+ * `admin.layout.vue` is the parent layout for the admin section. It renders an
+ * error banner, a page header that either shows the admin tab bar (list-page
+ * mode) or a breadcrumb pushed by a sub-view (detail-page mode), and a
+ * `<router-view>` for nested children. Mailer readiness is reported by the
+ * Readiness tab only — no layout-level banner.
  *
  * Tab rendering is delegated to `CoreSurfaceTabBar` (the same primitive used
  * by `user.view.vue` and `organization.detail.component.vue`) — full chrome
@@ -98,13 +85,6 @@ export default {
     error() {
       return useAdminStore().error;
     },
-    /**
-     * @desc Whether to show the mailer-not-configured warning across admin tabs.
-     * @returns {boolean}
-     */
-    showMailerWarning() {
-      return useAuthStore().serverConfig?.mail?.configured === false;
-    },
     /**
      * @desc Current breadcrumb published by an admin sub-view via
      *       `useAdminStore().setBreadcrumb(...)`. When set, the layout renders
@@ -114,15 +94,31 @@ export default {
     currentBreadcrumb() {
       return useAdminStore().currentBreadcrumb;
     },
+    /**
+     * @desc Number of readiness checks that are not OK — drives the badge
+     *       on the built-in Readiness tab.
+     * @returns {number}
+     */
+    readinessWarnings() {
+      const checks = useAdminStore().readiness;
+      if (!Array.isArray(checks)) return 0;
+      return checks.filter((c) => c && c.status !== 'ok').length;
+    },
     /**
      * @desc Merged tab list (built-in + config-driven extras), passed to
      *       CoreSurfaceTabBar. Validation and CASL filtering happen inside
-     *       the bar via `resolveSurfaceTabs`.
+     *       the bar via `resolveSurfaceTabs`. The built-in Readiness tab is
+     *       decorated with an optional numeric `badge` (non-ok check count)
+     *       that CoreSurfaceTabBar renders as a small warning chip.
      * @returns {Array<object>}
      */
     allTabs() {
       const extras = Array.isArray(this.config?.admin?.tabs) ? this.config.admin.tabs : [];
-      return [...BUILT_IN_TABS, ...extras];
+      const tabs = [...BUILT_IN_TABS, ...extras];
+      if (this.readinessWarnings > 0) {
+        return tabs.map((t) => (t.value === 'readiness' ? { ...t, badge: this.readinessWarnings } : t));
+      }
+      return tabs;
     },
     /**
      * @desc Reactive CASL predicate passed to CoreSurfaceTabBar. Falls back
@@ -134,6 +130,20 @@ export default {
       return (action, subject) => (ability ? ability.can(action, subject) : true);
     },
   },
+  mounted() {
+    // Readiness data feeds the tab badge. The readiness view fetches on its
+    // own mount, and child mounted() runs BEFORE the parent's — so when the
+    // user lands directly on /admin/readiness a request is already in
+    // flight and an empty-store check alone would still double-hit
+    // GET /admin/readiness. Skip that route entirely; everywhere else,
+    // fetch once iff the store has no readiness data yet (fire-and-forget;
+    // the store sanitizes failures into its own `error` state).
+    if (this.$route?.path?.startsWith('/admin/readiness')) return;
+    const adminStore = useAdminStore();
+    if (!Array.isArray(adminStore.readiness) || adminStore.readiness.length === 0) {
+      adminStore.getReadiness();
+    }
+  },
   methods: {
     /**
      * @desc Clear the global admin error banner.
diff --git a/src/modules/auth/components/auth.adminMailerWarning.component.vue b/src/modules/auth/components/auth.adminMailerWarning.component.vue
deleted file mode 100644
index bd56faa0d..000000000
--- a/src/modules/auth/components/auth.adminMailerWarning.component.vue
+++ /dev/null
@@ -1,101 +0,0 @@
-<template>
-  <v-snackbar
-    v-model="visible"
-    location="top right"
-    color="warning"
-    :timeout="-1"
-    multi-line
-  >
-    <span class="text-body-medium">
-      <v-icon icon="fa-solid fa-triangle-exclamation" size="small" class="mr-1"></v-icon>
-      No mailer configured. Users can register with any email without verification. Set up SMTP to enable email verification.
-    </span>
-    <template #actions>
-      <v-btn
-        variant="text"
-        size="small"
-        icon="$close"
-        @click="dismiss"
-      />
-    </template>
-  </v-snackbar>
-</template>
-
-<script>
-/**
- * Module dependencies.
- */
-import { useAuthStore } from '../stores/auth.store';
-/**
- * Component definition.
- */
-export default {
-  name: 'AuthAdminMailerWarning',
-  data() {
-    return {
-      dismissed: sessionStorage.getItem('adminMailerWarningDismissed') === 'true',
-    };
-  },
-  computed: {
-    /**
-     * @desc Whether the user is currently logged in.
-     * @returns {boolean}
-     */
-    isLoggedIn() {
-      const authStore = useAuthStore();
-      return authStore.isLoggedIn;
-    },
-    /**
-     * @desc The current authenticated user object.
-     * @returns {Object|null}
-     */
-    user() {
-      const authStore = useAuthStore();
-      return authStore.user;
-    },
-    /**
-     * @desc Whether the user has admin role.
-     * @returns {boolean}
-     */
-    isAdmin() {
-      return !!(this.user?.roles?.includes('admin'));
-    },
-    /**
-     * @desc Whether the server has mail/SMTP configured.
-     * @returns {boolean}
-     */
-    mailConfigured() {
-      const authStore = useAuthStore();
-      return authStore.serverConfig?.mail?.configured;
-    },
-    /**
-     * @desc Whether the warning should be shown.
-     * @returns {boolean}
-     */
-    shouldShow() {
-      return this.isLoggedIn && this.isAdmin && this.mailConfigured === false;
-    },
-    /**
-     * @desc v-model binding for the snackbar visibility.
-     */
-    visible: {
-      get() {
-        return this.shouldShow && !this.dismissed;
-      },
-      set(val) {
-        if (!val) this.dismiss();
-      },
-    },
-  },
-  methods: {
-    /**
-     * @desc Dismiss the warning and persist in sessionStorage.
-     * @returns {void}
-     */
-    dismiss() {
-      this.dismissed = true;
-      sessionStorage.setItem('adminMailerWarningDismissed', 'true');
-    },
-  },
-};
-</script>
diff --git a/src/modules/auth/tests/auth.adminMailerWarning.component.unit.tests.js b/src/modules/auth/tests/auth.adminMailerWarning.component.unit.tests.js
deleted file mode 100644
index 70d4a974c..000000000
--- a/src/modules/auth/tests/auth.adminMailerWarning.component.unit.tests.js
+++ /dev/null
@@ -1,116 +0,0 @@
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { mount } from '@vue/test-utils';
-import { createPinia, setActivePinia } from 'pinia';
-import { createVuetify } from 'vuetify';
-
-// v-snackbar uses visualViewport which is not available in jsdom
-if (typeof globalThis.visualViewport === 'undefined') {
-  globalThis.visualViewport = { addEventListener: vi.fn(), removeEventListener: vi.fn(), width: 1024, height: 768 };
-}
-
-const storeMock = vi.hoisted(() => ({
-  isLoggedIn: false,
-  user: null,
-  serverConfig: null,
-}));
-
-vi.mock('../stores/auth.store', () => ({
-  useAuthStore: () => storeMock,
-}));
-
-import AuthAdminMailerWarning from '../components/auth.adminMailerWarning.component.vue';
-
-/**
- * Mount the admin mailer warning component with Vuetify installed.
- * @returns {import('@vue/test-utils').VueWrapper} mounted wrapper
- */
-const mountComponent = () =>
-  mount(AuthAdminMailerWarning, {
-    global: {
-      plugins: [createVuetify()],
-    },
-  });
-
-describe('auth.adminMailerWarning.component', () => {
-  beforeEach(() => {
-    setActivePinia(createPinia());
-    storeMock.isLoggedIn = false;
-    storeMock.user = null;
-    storeMock.serverConfig = null;
-    sessionStorage.removeItem('adminMailerWarningDismissed');
-  });
-
-  it('does not show when user is not logged in', () => {
-    storeMock.isLoggedIn = false;
-    const wrapper = mountComponent();
-
-    expect(wrapper.vm.shouldShow).toBe(false);
-  });
-
-  it('does not show when user is not admin', () => {
-    storeMock.isLoggedIn = true;
-    storeMock.user = { roles: ['user'] };
-    storeMock.serverConfig = { mail: { configured: false } };
-    const wrapper = mountComponent();
-
-    expect(wrapper.vm.shouldShow).toBe(false);
-  });
-
-  it('does not show when mail is configured', () => {
-    storeMock.isLoggedIn = true;
-    storeMock.user = { roles: ['admin'] };
-    storeMock.serverConfig = { mail: { configured: true } };
-    const wrapper = mountComponent();
-
-    expect(wrapper.vm.shouldShow).toBe(false);
-  });
-
-  it('shows when admin is logged in and mail is not configured', () => {
-    storeMock.isLoggedIn = true;
-    storeMock.user = { roles: ['admin'] };
-    storeMock.serverConfig = { mail: { configured: false } };
-    const wrapper = mountComponent();
-
-    expect(wrapper.vm.shouldShow).toBe(true);
-    expect(wrapper.vm.visible).toBe(true);
-  });
-
-  it('does not show when serverConfig is null (config still loading)', () => {
-    storeMock.isLoggedIn = true;
-    storeMock.user = { roles: ['admin'] };
-    storeMock.serverConfig = null;
-    const wrapper = mountComponent();
-
-    expect(wrapper.vm.shouldShow).toBe(false);
-    expect(wrapper.vm.visible).toBe(false);
-  });
-
-  it('hides when dismissed via dismiss() and persists in sessionStorage', () => {
-    storeMock.isLoggedIn = true;
-    storeMock.user = { roles: ['admin'] };
-    storeMock.serverConfig = { mail: { configured: false } };
-    const wrapper = mountComponent();
-
-    expect(wrapper.vm.visible).toBe(true);
-
-    wrapper.vm.dismiss();
-
-    expect(wrapper.vm.visible).toBe(false);
-    expect(sessionStorage.getItem('adminMailerWarningDismissed')).toBe('true');
-  });
-
-  it('hides when dismissed via visible setter (implicit close) and persists in sessionStorage', async () => {
-    storeMock.isLoggedIn = true;
-    storeMock.user = { roles: ['admin'] };
-    storeMock.serverConfig = { mail: { configured: false } };
-    const wrapper = mountComponent();
-
-    expect(wrapper.vm.visible).toBe(true);
-
-    wrapper.vm.visible = false;
-    await wrapper.vm.$nextTick();
-
-    expect(wrapper.vm.visible).toBe(false);
-    expect(sessionStorage.getItem('adminMailerWarningDismissed')).toBe('true');
-  });
-});
diff --git a/src/modules/core/components/core.surfaceTabBar.component.vue b/src/modules/core/components/core.surfaceTabBar.component.vue
index 7c86a8f4f..e896ff517 100644
--- a/src/modules/core/components/core.surfaceTabBar.component.vue
+++ b/src/modules/core/components/core.surfaceTabBar.component.vue
@@ -1,18 +1,22 @@
 <script setup>
 import { computed } from 'vue';
 import { resolveSurfaceTabs } from '@/lib/helpers/surface-tabs';
+import { isModuleActive } from '@/lib/helpers/modules';
 
 defineOptions({ name: 'CoreSurfaceTabBar' });
 
 /**
  * SurfaceTabBar — a cosmetic tab strip that renders only the tabs allowed by
- * reactive CASL. Filtering is done via `resolveSurfaceTabs`, which validates
- * descriptors AND applies the `can` predicate.
+ * reactive CASL AND module activation. Filtering is done via
+ * `resolveSurfaceTabs`, which validates descriptors, applies the `can`
+ * predicate, and hides tabs whose optional `module` field names a
+ * deactivated module (`isModuleActive`, config-backed).
  *
  * Decoupling contract: this component does NOT import CASL/ability itself.
- * The parent owns the ability source and passes `can` as a prop. The computed
- * getter re-evaluates automatically whenever `tabs` or `can` change — no
- * remount needed.
+ * The parent owns the ability source and passes `can` as a prop. Module
+ * activation is config-backed (not ability-backed), so `isModuleActive` is
+ * imported directly. The computed getter re-evaluates automatically whenever
+ * `tabs` or `can` change — no remount needed.
  */
 const props = defineProps({
   /** Raw tab descriptors from config. */
@@ -35,7 +39,7 @@ const props = defineProps({
   },
 });
 
-const visibleTabs = computed(() => resolveSurfaceTabs(props.tabs, props.can));
+const visibleTabs = computed(() => resolveSurfaceTabs(props.tabs, props.can, isModuleActive));
 
 /**
  * Resolve a tab descriptor to a concrete absolute path.
@@ -64,6 +68,13 @@ function tabTo(route) {
     >
       <v-icon v-if="t.icon" :icon="t.icon" class="mr-2" />
       {{ t.label }}
+      <!-- Optional numeric badge on a tab descriptor (e.g. the admin
+           readiness warning count). Additive: tabs without a `badge`
+           field render exactly as before, so the Account / Organization
+           surfaces sharing this component are unaffected. -->
+      <v-chip v-if="t.badge > 0" size="small" density="compact" variant="tonal" color="warning" class="ml-1">
+        {{ t.badge }}
+      </v-chip>
     </v-tab>
   </v-tabs>
 </template>
diff --git a/src/modules/core/components/tests/core.surfaceTabBar.component.unit.tests.js b/src/modules/core/components/tests/core.surfaceTabBar.component.unit.tests.js
index 96f3b4cb5..70056d852 100644
--- a/src/modules/core/components/tests/core.surfaceTabBar.component.unit.tests.js
+++ b/src/modules/core/components/tests/core.surfaceTabBar.component.unit.tests.js
@@ -135,3 +135,36 @@ describe('SurfaceTabBar — path composition', () => {
     expect(wrapper.find('.v-tab-stub').attributes('href')).toBe('/admin/x');
   });
 });
+
+describe('SurfaceTabBar — optional tab badge', () => {
+  it('renders a small tonal warning chip with the count after the label when badge > 0', () => {
+    const wrapper = mountBar({
+      tabs: [{ value: 'readiness', label: 'Readiness', route: 'readiness', badge: 3 }],
+      can: () => true,
+      basePath: '/admin',
+    });
+    const chip = wrapper.findComponent({ name: 'VChip' });
+    expect(chip.exists()).toBe(true);
+    expect(chip.text()).toBe('3');
+    expect(chip.props('color')).toBe('warning');
+    expect(chip.props('variant')).toBe('tonal');
+  });
+
+  it('renders no chip when badge is 0', () => {
+    const wrapper = mountBar({
+      tabs: [{ value: 'readiness', label: 'Readiness', route: 'readiness', badge: 0 }],
+      can: () => true,
+      basePath: '/admin',
+    });
+    expect(wrapper.findComponent({ name: 'VChip' }).exists()).toBe(false);
+  });
+
+  it('renders no chip when badge is absent (existing surfaces unaffected)', () => {
+    const wrapper = mountBar({
+      tabs: [{ value: 'general', label: 'General', route: 'general' }],
+      can: () => true,
+      basePath: '/users/organizations/1',
+    });
+    expect(wrapper.findComponent({ name: 'VChip' }).exists()).toBe(false);
+  });
+});
diff --git a/src/modules/invitations/config/invitations.development.config.js b/src/modules/invitations/config/invitations.development.config.js
index f225dc3c5..65117e2b8 100644
--- a/src/modules/invitations/config/invitations.development.config.js
+++ b/src/modules/invitations/config/invitations.development.config.js
@@ -9,14 +9,19 @@ export default {
   // `users` alphabetically, so contributing `users.tabs` here would clobber the
   // base Profile/Organizations tabs. `extraTabs` is a fresh key owned by nobody,
   // so it merges cleanly into the `users` config object.
+  //
+  // The `module` field marks each tab as owned by this optional module so
+  // CoreSurfaceTabBar (via resolveSurfaceTabs + isModuleActive) hides it when
+  // `modules.invitations.activated` is false — mirroring the route-injection
+  // gate, which already skips deactivated modules.
   admin: {
     tabs: [
-      { value: 'invitations', label: 'Invitations', icon: 'fa-solid fa-envelope', route: 'invitations', action: 'manage', subject: 'UserAdmin' },
+      { value: 'invitations', label: 'Invitations', icon: 'fa-solid fa-envelope', route: 'invitations', action: 'manage', subject: 'UserAdmin', module: 'invitations' },
     ],
   },
   users: {
     extraTabs: [
-      { value: 'invitations', label: 'Referrals', icon: 'fa-solid fa-gift', route: 'invitations', action: 'create', subject: 'Invitation' },
+      { value: 'invitations', label: 'Referrals', icon: 'fa-solid fa-gift', route: 'invitations', action: 'create', subject: 'Invitation', module: 'invitations' },
     ],
   },
   modules: {
diff --git a/src/modules/invitations/stores/invitations.store.js b/src/modules/invitations/stores/invitations.store.js
index b2aa1d6d7..4e7ac6660 100644
--- a/src/modules/invitations/stores/invitations.store.js
+++ b/src/modules/invitations/stores/invitations.store.js
@@ -67,7 +67,8 @@ export const useInvitationsStore = defineStore('invitations', {
      * Re-emits the `invitation_created` analytics event so the funnel parity is
      * preserved after the org `invitation_sent` capture is dropped (P7).
      * @param {string} email
-     * @returns {Promise<Object>} the created invitation
+     * @returns {Promise<Object>} the created invitation — includes the one-time
+     * `token` (the list endpoint strips it; copy-link surfaces MUST read it here)
      */
     async createInvitation(email) {
       this.error = null;
@@ -82,6 +83,26 @@ export const useInvitationsStore = defineStore('invitations', {
       }
     },
 
+    /**
+     * @desc Re-send the invitation email for a still-pending invitation. The
+     * backend re-uses the EXISTING token (no regeneration), so a previously
+     * shared link stays valid. Success/error toast is fired by the axios POST
+     * interceptor.
+     * @param {string} id
+     * @returns {Promise<Object>} the resent invitation
+     */
+    async resendInvitation(id) {
+      this.error = null;
+      try {
+        const res = await axios.post(`${apiBase()}/invitations/${id}/resend`);
+        return res.data.data;
+      } catch (err) {
+        this.error = sanitizeApiError(err);
+        logger.error(err);
+        throw err;
+      }
+    },
+
     /**
      * @desc Revoke a signup invitation by id.
      * @param {string} id
diff --git a/src/modules/invitations/tests/invitations.account.view.unit.tests.js b/src/modules/invitations/tests/invitations.account.view.unit.tests.js
index b7227dea0..42cb4b6fe 100644
--- a/src/modules/invitations/tests/invitations.account.view.unit.tests.js
+++ b/src/modules/invitations/tests/invitations.account.view.unit.tests.js
@@ -41,7 +41,7 @@ const stubs = {
 const mountView = () =>
   shallowMount(InvitationsAccount, {
     global: {
-      mocks: { config: { vuetify: { theme: { flat: true, rounded: 'rounded-lg' } } } },
+      mocks: { config: { vuetify: { theme: { flat: true, rounded: 'rounded-lg' } }, app: { url: 'https://app.example.test' } } },
       stubs,
     },
   });
@@ -218,3 +218,66 @@ describe('invitations.account.view', () => {
     expect(wrapper.find('[data-test="referrals-summary"]').exists()).toBe(true);
   });
 });
+
+describe('invitations.account.view — one-time copy-link (#3834)', () => {
+  let store;
+  const writeText = vi.fn();
+
+  beforeEach(() => {
+    // Task 2b's describe leaves the hoisted auth-store mock with signup OPEN
+    // ({ sign: { up: true } }), which hides the <template v-else> form branch
+    // these tests render into — reset to the signup-closed default first.
+    authStoreMock.serverConfig = { sign: { in: true, up: false } };
+    setActivePinia(createPinia());
+    store = useInvitationsStore();
+    store.getInvitations = vi.fn().mockResolvedValue();
+    store.createInvitation = vi.fn().mockResolvedValue({ id: '9', email: 'x@y.co', token: 'tok-9' });
+    writeText.mockReset().mockResolvedValue();
+    Object.defineProperty(globalThis.navigator, 'clipboard', { value: { writeText }, configurable: true });
+  });
+
+  it('submitInvite surfaces the one-time copy link when the response carries a token', async () => {
+    const wrapper = mountView();
+    wrapper.vm.inviteForm.valid = true;
+    wrapper.vm.inviteForm.email = 'new@b.co';
+    await wrapper.vm.submitInvite();
+    expect(wrapper.vm.createdLink).toBe('https://app.example.test/signup?inviteToken=tok-9');
+    expect(wrapper.vm.linkCopied).toBe(false);
+    expect(wrapper.vm.inviteForm.email).toBe(''); // form still resets
+  });
+
+  it('submitInvite without a token leaves the link block hidden (no dead link)', async () => {
+    store.createInvitation = vi.fn().mockResolvedValue({ id: '9', email: 'x@y.co' });
+    const wrapper = mountView();
+    wrapper.vm.inviteForm.valid = true;
+    wrapper.vm.inviteForm.email = 'new@b.co';
+    await wrapper.vm.submitInvite();
+    expect(wrapper.vm.createdLink).toBeNull();
+  });
+
+  it('renders the one-time link block with the copy button when createdLink is set', async () => {
+    const wrapper = mountView();
+    wrapper.vm.createdLink = 'https://app.example.test/signup?inviteToken=tok-9';
+    await wrapper.vm.$nextTick();
+    const block = wrapper.find('[data-test="invite-created-link"]');
+    expect(block.exists()).toBe(true);
+    expect(block.text()).toContain('signup?inviteToken=tok-9');
+    expect(wrapper.find('[data-test="copy-invite-link"]').exists()).toBe(true);
+  });
+
+  it('copyCreatedLink writes to the clipboard and flips Copy link → Copied', async () => {
+    const wrapper = mountView();
+    wrapper.vm.createdLink = 'https://app.example.test/signup?inviteToken=tok-9';
+    await wrapper.vm.copyCreatedLink();
+    expect(writeText).toHaveBeenCalledWith('https://app.example.test/signup?inviteToken=tok-9');
+    expect(wrapper.vm.linkCopied).toBe(true);
+  });
+
+  it('copyCreatedLink clipboard failure: no throw, Copied not shown', async () => {
+    writeText.mockRejectedValueOnce(new Error('denied'));
+    const wrapper = mountView();
+    wrapper.vm.createdLink = 'https://app.example.test/signup?inviteToken=tok-9';
+    await expect(wrapper.vm.copyCreatedLink()).resolves.toBeUndefined();
+    expect(wrapper.vm.linkCopied).toBe(false);
+  });
+});
diff --git a/src/modules/invitations/tests/invitations.admin.view.unit.tests.js b/src/modules/invitations/tests/invitations.admin.view.unit.tests.js
index 031df8084..edda98e84 100644
--- a/src/modules/invitations/tests/invitations.admin.view.unit.tests.js
+++ b/src/modules/invitations/tests/invitations.admin.view.unit.tests.js
@@ -57,7 +57,7 @@ const stubs = {
 const mountView = () =>
   shallowMount(InvitationsAdmin, {
     global: {
-      mocks: { config: { vuetify: { theme: { flat: true, rounded: 'rounded-lg' } } } },
+      mocks: { config: { vuetify: { theme: { flat: true, rounded: 'rounded-lg' } }, app: { url: 'https://app.example.test' } } },
       stubs,
     },
   });
@@ -128,7 +128,7 @@ describe('invitations.admin.view', () => {
     // Simulate a dirty dialog state before opening
     wrapper.vm.createDialog = { show: false, email: 'old@b.co', valid: true, loading: true };
     wrapper.vm.openCreate();
-    expect(wrapper.vm.createDialog).toEqual({ show: true, email: '', valid: false, loading: false });
+    expect(wrapper.vm.createDialog).toEqual({ show: true, email: '', valid: false, loading: false, createdLink: null, copied: false });
   });
 
   it('openRevoke populates deleteDialog with the item id and email', () => {
@@ -244,3 +244,83 @@ describe('invitations.admin.view', () => {
     }
   });
 });
+
+describe('invitations.admin.view — copy-link + resend (#3834)', () => {
+  let store;
+  const writeText = vi.fn();
+
+  beforeEach(() => {
+    setActivePinia(createPinia());
+    store = useInvitationsStore();
+    store.getInvitations = vi.fn().mockResolvedValue();
+    store.createInvitation = vi.fn().mockResolvedValue({ id: '9', email: 'x@y.co', token: 'tok-9' });
+    store.deleteInvitation = vi.fn().mockResolvedValue();
+    store.resendInvitation = vi.fn().mockResolvedValue({ id: '7', status: 'pending' });
+    // FIRST clipboard code in the repo — happy-dom needs an explicit mock.
+    writeText.mockReset().mockResolvedValue();
+    Object.defineProperty(globalThis.navigator, 'clipboard', { value: { writeText }, configurable: true });
+  });
+
+  it('signupLink builds the config-based one-time URL (null without a token)', () => {
+    const wrapper = mountView();
+    expect(wrapper.vm.signupLink('tok-9')).toBe('https://app.example.test/signup?inviteToken=tok-9');
+    expect(wrapper.vm.signupLink(undefined)).toBeNull();
+  });
+
+  it('submitInvite keeps the dialog open with the one-time link when the response carries a token', async () => {
+    const wrapper = mountView();
+    wrapper.vm.createDialog = { show: true, email: 'new@b.co', valid: true, loading: false, createdLink: null, copied: false };
+    await wrapper.vm.submitInvite();
+    expect(wrapper.vm.createDialog.show).toBe(true); // NOT closed — one-time copy chance
+    expect(wrapper.vm.createDialog.createdLink).toBe('https://app.example.test/signup?inviteToken=tok-9');
+    expect(wrapper.vm.createDialog.copied).toBe(false);
+    expect(store.getInvitations).toHaveBeenCalled();
+  });
+
+  it('submitInvite without a token in the response closes the dialog (no dead link shown)', async () => {
+    store.createInvitation = vi.fn().mockResolvedValue({ id: '9', email: 'x@y.co' });
+    const wrapper = mountView();
+    wrapper.vm.createDialog = { show: true, email: 'new@b.co', valid: true, loading: false, createdLink: null, copied: false };
+    await wrapper.vm.submitInvite();
+    expect(wrapper.vm.createDialog.show).toBe(false);
+    expect(wrapper.vm.createDialog.createdLink).toBeNull();
+  });
+
+  it('copyCreatedLink writes the link to the clipboard and flips the label to Copied', async () => {
+    const wrapper = mountView();
+    wrapper.vm.createDialog.createdLink = 'https://app.example.test/signup?inviteToken=tok-9';
+    await wrapper.vm.copyCreatedLink();
+    expect(writeText).toHaveBeenCalledWith('https://app.example.test/signup?inviteToken=tok-9');
+    expect(wrapper.vm.createDialog.copied).toBe(true);
+  });
+
+  it('copyCreatedLink clipboard failure: no throw, label does NOT flip (link stays selectable)', async () => {
+    writeText.mockRejectedValueOnce(new Error('denied'));
+    const wrapper = mountView();
+    wrapper.vm.createDialog.createdLink = 'https://app.example.test/signup?inviteToken=tok-9';
+    await expect(wrapper.vm.copyCreatedLink()).resolves.toBeUndefined();
+    expect(wrapper.vm.createDialog.copied).toBe(false);
+  });
+
+  it('resendInvite delegates to the store with the row id and resets the single-flight guard', async () => {
+    const wrapper = mountView();
+    await wrapper.vm.resendInvite({ id: '7', status: 'pending' });
+    expect(store.resendInvitation).toHaveBeenCalledWith('7');
+    expect(wrapper.vm.resendingId).toBeNull();
+  });
+
+  it('resendInvite is single-flight: a call while one is in-flight no-ops', async () => {
+    const wrapper = mountView();
+    wrapper.vm.resendingId = 'other';
+    await wrapper.vm.resendInvite({ id: '7', status: 'pending' });
+    expect(store.resendInvitation).not.toHaveBeenCalled();
+  });
+
+  it('resendInvite error path: no throw, guard reset, _id-only rows supported', async () => {
+    store.resendInvitation = vi.fn().mockRejectedValue(new Error('Conflict'));
+    const wrapper = mountView();
+    await expect(wrapper.vm.resendInvite({ _id: 'm1', status: 'pending' })).resolves.toBeUndefined();
+    expect(store.resendInvitation).toHaveBeenCalledWith('m1');
+    expect(wrapper.vm.resendingId).toBeNull();
+  });
+});
diff --git a/src/modules/invitations/tests/invitations.store.unit.tests.js b/src/modules/invitations/tests/invitations.store.unit.tests.js
index 080070058..762c36eb5 100644
--- a/src/modules/invitations/tests/invitations.store.unit.tests.js
+++ b/src/modules/invitations/tests/invitations.store.unit.tests.js
@@ -139,4 +139,34 @@ describe('invitations store', () => {
     expect(store.error).toBe('Failed to load data. Please try again.');
     consoleErrorSpy.mockRestore();
   });
+
+  // ── #3834 invitation ops: resend + the one-time token contract ──
+
+  it('createInvitation returns the created invite INCLUDING the one-time token (copy-link source)', async () => {
+    const store = useInvitationsStore();
+    axios.post.mockResolvedValueOnce({ data: { data: { id: '2', email: 'new@b.co', token: 'tok-abc' } } });
+    const result = await store.createInvitation('new@b.co');
+    // The list endpoint strips tokens server-side — the create response is the
+    // ONLY place a /signup?inviteToken= link can ever be built from.
+    expect(result.token).toBe('tok-abc');
+  });
+
+  it('resendInvitation POSTs to /api/invitations/:id/resend and returns the invitation', async () => {
+    const store = useInvitationsStore();
+    axios.post.mockResolvedValueOnce({ data: { data: { id: '4', email: 'a@b.co', status: 'pending' } } });
+    const result = await store.resendInvitation('4');
+    expect(axios.post).toHaveBeenCalledWith(expect.stringMatching(/\/api\/invitations\/4\/resend$/));
+    expect(axios.post).not.toHaveBeenCalledWith(expect.stringMatching(/\/auth\/invitations/));
+    expect(result).toEqual({ id: '4', email: 'a@b.co', status: 'pending' });
+  });
+
+  it('resendInvitation sets error state and rethrows on API failure', async () => {
+    const store = useInvitationsStore();
+    const consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    axios.post.mockRejectedValueOnce(new Error('Conflict'));
+    await expect(store.resendInvitation('9')).rejects.toThrow('Conflict');
+    expect(store.error).toBe('Failed to load data. Please try again.');
+    expect(consoleErrorSpy).toHaveBeenCalled();
+    consoleErrorSpy.mockRestore();
+  });
 });
diff --git a/src/modules/invitations/views/invitations.account.view.vue b/src/modules/invitations/views/invitations.account.view.vue
index b75e3509e..576f155e1 100644
--- a/src/modules/invitations/views/invitations.account.view.vue
+++ b/src/modules/invitations/views/invitations.account.view.vue
@@ -67,6 +67,39 @@
                 </v-btn>
               </div>
             </v-form>
+            <!-- One-time copy-link: built from the create response only (the list
+                 endpoint strips tokens). Local label-flip feedback — the global
+                 snackbar is interceptor-only and a copy is not an HTTP call. -->
+            <v-alert
+              v-if="createdLink"
+              type="success"
+              variant="tonal"
+              density="compact"
+              class="mt-4"
+              :class="config.vuetify.theme.rounded"
+              data-test="invite-created-link"
+              closable
+              @click:close="createdLink = null"
+            >
+              <div class="d-flex align-center flex-wrap ga-2">
+                <span class="text-body-medium flex-grow-1">
+                  Invitation sent. This signup link is shown only once:
+                  <code class="text-body-small d-block mt-1">{{ createdLink }}</code>
+                </span>
+                <v-btn
+                  color="success"
+                  variant="tonal"
+                  size="small"
+                  :class="config.vuetify.theme.rounded"
+                  class="text-none"
+                  data-test="copy-invite-link"
+                  @click="copyCreatedLink"
+                >
+                  <v-icon start icon="fa-solid fa-copy" size="x-small"></v-icon>
+                  {{ linkCopied ? 'Copied' : 'Copy link' }}
+                </v-btn>
+              </div>
+            </v-alert>
           </template>
         </v-card>
       </v-col>
@@ -140,6 +173,9 @@ export default {
   data() {
     return {
       inviteForm: { email: '', valid: false, loading: false },
+      // One-time copy-link state — set from the create response only.
+      createdLink: null,
+      linkCopied: false,
       inviteHeaders: [
         { text: 'Email', value: 'email', kind: 'email' },
         { text: 'Status', value: 'status', kind: 'slot', slotName: 'status' },
@@ -218,14 +254,17 @@ export default {
       return deriveInviteStatus(item);
     },
     /**
-     * @desc Submit a new invitation, then refresh the list and reset the form.
+     * @desc Submit a new invitation, surface the one-time signup link from the
+     * create response (the list strips tokens), then refresh and reset the form.
      * @returns {Promise<void>}
      */
     async submitInvite() {
       if (this.inviteForm.valid !== true) return;
       this.inviteForm.loading = true;
       try {
-        await useInvitationsStore().createInvitation(this.inviteForm.email);
+        const created = await useInvitationsStore().createInvitation(this.inviteForm.email);
+        this.createdLink = this.signupLink(created?.token);
+        this.linkCopied = false;
         this.inviteForm.email = '';
         this.$refs.inviteForm?.resetValidation?.();
         await this.fetchInvitations();
@@ -235,6 +274,28 @@ export default {
         this.inviteForm.loading = false;
       }
     },
+    /**
+     * @desc Build the one-time signup link for a freshly created invitation.
+     * @param {string|undefined} token - invitation token from the create response
+     * @returns {string|null} the absolute signup link, or null without a token
+     */
+    signupLink(token) {
+      if (!token) return null;
+      const base = (this.config.app?.url || window.location.origin).replace(/\/+$/, '');
+      return `${base}/signup?inviteToken=${encodeURIComponent(token)}`;
+    },
+    /**
+     * @desc Copy the one-time signup link — local 'Copy link' → 'Copied' flip.
+     * @returns {Promise<void>}
+     */
+    async copyCreatedLink() {
+      try {
+        await navigator.clipboard.writeText(this.createdLink);
+        this.linkCopied = true;
+      } catch {
+        // Clipboard unavailable: the link stays visible for manual selection.
+      }
+    },
     /**
      * @desc Clear the invitations store error banner.
      * @returns {void}
diff --git a/src/modules/invitations/views/invitations.admin.view.vue b/src/modules/invitations/views/invitations.admin.view.vue
index acb830d79..8e24e5c1e 100644
--- a/src/modules/invitations/views/invitations.admin.view.vue
+++ b/src/modules/invitations/views/invitations.admin.view.vue
@@ -39,6 +39,17 @@
             {{ item.invitedBy?.email || '—' }}
           </template>
           <template #actions="{ item }">
+            <v-btn
+              icon="fa-solid fa-paper-plane"
+              size="small"
+              variant="text"
+              color="primary"
+              aria-label="Resend invitation"
+              :loading="resendingId === (item.id || item._id)"
+              :disabled="item.status !== 'pending'"
+              :data-test="`resend-invitation-${item.id || item._id}`"
+              @click="resendInvite(item)"
+            ></v-btn>
             <v-btn
               icon="fa-solid fa-trash"
               size="small"
@@ -52,26 +63,43 @@
       </v-col>
     </v-row>
 
-    <!-- Create invite dialog -->
+    <!-- Create invite dialog — flips to a one-time copy-link panel after create -->
     <v-dialog v-model="createDialog.show" max-width="460">
       <v-card :class="config.vuetify.theme.rounded">
         <v-card-title>Invite a user</v-card-title>
-        <v-card-text>
-          <v-form ref="createForm" v-model="createDialog.valid">
-            <v-text-field
-              v-model="createDialog.email"
-              label="Email address"
-              :rules="[rules.required, rules.mail]"
-              variant="outlined"
-              density="comfortable"
-              hide-details="auto"
-            ></v-text-field>
-          </v-form>
-        </v-card-text>
-        <v-card-actions>
-          <v-btn variant="text" @click="createDialog.show = false">Cancel</v-btn>
-          <v-btn color="primary" variant="flat" :loading="createDialog.loading" :disabled="createDialog.valid !== true" @click="submitInvite">Send invite</v-btn>
-        </v-card-actions>
+        <template v-if="!createDialog.createdLink">
+          <v-card-text>
+            <v-form ref="createForm" v-model="createDialog.valid">
+              <v-text-field
+                v-model="createDialog.email"
+                label="Email address"
+                :rules="[rules.required, rules.mail]"
+                variant="outlined"
+                density="comfortable"
+                hide-details="auto"
+              ></v-text-field>
+            </v-form>
+          </v-card-text>
+          <v-card-actions>
+            <v-btn variant="text" @click="createDialog.show = false">Cancel</v-btn>
+            <v-btn color="primary" variant="flat" :loading="createDialog.loading" :disabled="createDialog.valid !== true" @click="submitInvite">Send invite</v-btn>
+          </v-card-actions>
+        </template>
+        <template v-else>
+          <v-card-text data-test="invite-created-link">
+            <p class="text-body-medium text-medium-emphasis mb-2">
+              Invitation sent. This signup link is shown only once — the list never exposes it again.
+            </p>
+            <code class="text-body-small">{{ createDialog.createdLink }}</code>
+          </v-card-text>
+          <v-card-actions>
+            <v-btn variant="text" @click="createDialog.show = false">Close</v-btn>
+            <v-btn color="primary" variant="tonal" data-test="copy-invite-link" @click="copyCreatedLink">
+              <v-icon start icon="fa-solid fa-copy" size="small"></v-icon>
+              {{ createDialog.copied ? 'Copied' : 'Copy link' }}
+            </v-btn>
+          </v-card-actions>
+        </template>
       </v-card>
     </v-dialog>
 
@@ -122,8 +150,10 @@ export default {
         { text: 'Expires', value: 'expiresAt', kind: 'date', format: 'DD/MM/YY' },
         { text: 'Actions', value: 'actions', kind: 'slot', slotName: 'actions' },
       ],
-      createDialog: { show: false, email: '', valid: false, loading: false },
+      createDialog: { show: false, email: '', valid: false, loading: false, createdLink: null, copied: false },
       deleteDialog: { show: false, id: null, email: '' },
+      // Single-flight guard for the resend icon-button (id in flight, or null).
+      resendingId: null,
       rules: {
         required: (v) => !!v || 'Required',
         mail: (v) => /\S+@\S+\.\S+/.test(v) || 'E-mail must be valid',
@@ -167,18 +197,26 @@ export default {
      * @returns {void}
      */
     openCreate() {
-      this.createDialog = { show: true, email: '', valid: false, loading: false };
+      this.createDialog = { show: true, email: '', valid: false, loading: false, createdLink: null, copied: false };
     },
     /**
-     * @desc Submit a new invitation, then refresh the list and close the dialog.
+     * @desc Submit a new invitation. On success the dialog STAYS OPEN showing
+     * the one-time signup link (the list strips tokens server-side, so the
+     * link can only be built here, from the create response).
      * @returns {Promise<void>}
      */
     async submitInvite() {
       this.createDialog.loading = true;
       try {
-        await useInvitationsStore().createInvitation(this.createDialog.email);
+        const created = await useInvitationsStore().createInvitation(this.createDialog.email);
         await this.fetchInvitations();
-        this.createDialog.show = false;
+        const link = this.signupLink(created?.token);
+        if (link) {
+          this.createDialog.createdLink = link;
+          this.createDialog.copied = false;
+        } else {
+          this.createDialog.show = false;
+        }
       } catch {
         // error is surfaced via the view's own error banner (invitations store)
       } finally {
@@ -207,6 +245,50 @@ export default {
         this.deleteDialog.show = false;
       }
     },
+    /**
+     * @desc Build the one-time signup link for a freshly created invitation.
+     * @param {string|undefined} token - invitation token from the create response
+     * @returns {string|null} the absolute signup link, or null without a token
+     */
+    signupLink(token) {
+      if (!token) return null;
+      const base = (this.config.app?.url || window.location.origin).replace(/\/+$/, '');
+      return `${base}/signup?inviteToken=${encodeURIComponent(token)}`;
+    },
+    /**
+     * @desc Copy the one-time signup link. Feedback is a local label flip
+     * ('Copy link' → 'Copied') — the global snackbar is interceptor-only and
+     * a clipboard write is not an HTTP call.
+     * @returns {Promise<void>}
+     */
+    async copyCreatedLink() {
+      try {
+        await navigator.clipboard.writeText(this.createDialog.createdLink);
+        this.createDialog.copied = true;
+      } catch {
+        // Clipboard unavailable (permissions / insecure context): the link
+        // stays visible above for manual selection.
+      }
+    },
+    /**
+     * @desc Re-send the invitation email (single global in-flight guard — only
+     * one resend at a time across all rows). The POST response toasts via the
+     * axios interceptor; errors land in the banner.
+     * @param {Object} item - invitation row
+     * @returns {Promise<void>}
+     */
+    async resendInvite(item) {
+      const id = item.id || item._id;
+      if (!id || this.resendingId) return;
+      this.resendingId = id;
+      try {
+        await useInvitationsStore().resendInvitation(id);
+      } catch {
+        // error is surfaced via the view's own error banner (invitations store)
+      } finally {
+        this.resendingId = null;
+      }
+    },
     /**
      * @desc Clear the invitations store error banner.
      * @returns {void}