feat(auth): complete registration anti-spam and quota hardening

config/disposable_email_domains.php

@@ -0,0 +1,11 @@
+<?php
+
+return [
+    'domains' => [
+        'mailinator.com',
+        '10minutemail.com',
+        'guerrillamail.com',
+        'tempmail.com',
+        'yopmail.com',
+    ],
+];

config/registration.php

@@ -0,0 +1,16 @@
+<?php
+
+return [
+    'ip_per_minute_limit' => (int) env('REGISTRATION_IP_PER_MINUTE_LIMIT', 3),
+    'ip_per_day_limit' => (int) env('REGISTRATION_IP_PER_DAY_LIMIT', 20),
+    'email_per_minute_limit' => (int) env('REGISTRATION_EMAIL_PER_MINUTE_LIMIT', 6),
+    'email_cooldown_minutes' => (int) env('REGISTRATION_EMAIL_COOLDOWN_MINUTES', 30),
+    'verify_token_ttl_hours' => (int) env('REGISTRATION_VERIFY_TOKEN_TTL_HOURS', 24),
+    'enable_turnstile' => (bool) env('REGISTRATION_ENABLE_TURNSTILE', true),
+    'disposable_domains_enabled' => (bool) env('REGISTRATION_DISPOSABLE_DOMAINS_ENABLED', true),
+    'turnstile_suspicious_attempts' => (int) env('REGISTRATION_TURNSTILE_SUSPICIOUS_ATTEMPTS', 2),
+    'turnstile_attempt_window_minutes' => (int) env('REGISTRATION_TURNSTILE_ATTEMPT_WINDOW_MINUTES', 30),
+    'email_global_send_per_minute' => (int) env('REGISTRATION_EMAIL_GLOBAL_SEND_PER_MINUTE', 30),
+    'monthly_email_limit' => (int) env('REGISTRATION_MONTHLY_EMAIL_LIMIT', 10000),
+    'generic_success_message' => 'If that email is valid, we sent a verification link.',
+];

config/services.php

@@ -47,4 +47,11 @@ return [
         'timeout' => (int) env('RECAPTCHA_TIMEOUT', 5),
     ],
 
+    'turnstile' => [
+        'site_key' => env('TURNSTILE_SITE_KEY'),
+        'secret_key' => env('TURNSTILE_SECRET_KEY'),
+        'verify_url' => env('TURNSTILE_VERIFY_URL', 'https://challenges.cloudflare.com/turnstile/v0/siteverify'),
+        'timeout' => (int) env('TURNSTILE_TIMEOUT', 5),
+    ],
+
 ];