# PR Title

feat(auth): complete registration anti-spam + email quota protection

## Summary

Implements the registration anti-spam and quota hardening spec end-to-end for the email-first onboarding flow.

### What changed

- Added registration anti-spam config and disposable domain config.
- Added progressive Turnstile verification service and wiring.
- Added registration rate limiters and route middleware (`register-ip`, `register-ip-daily`).
- Implemented per-email cooldown and generic anti-enumeration responses.
- Added queued verification sending job with global throttle + quota circuit breaker.
- Added quota and disposable-domain services.
- Hardened verification tokens (hashed storage lookup, expiry, one-time use).
- Added/updated migrations:
  - cooldown fields on `users`
  - `email_send_events`
  - `system_email_quota`
  - token column hardening (`token` -> `token_hash`)
  - rollout safety migration to ensure `user_verification_tokens` table exists
- Added models: `EmailSendEvent`, `SystemEmailQuota`.
- Added/updated auth registration tests and runbook docs.

## Verification

- `php artisan migrate` ✅
- `php artisan test` ✅
- Focused token hardening tests ✅ (`RegistrationTokenVerificationTest`)

## Notes

- Current local branch: `feat/registration-antispam-complete`
- Local commit: `b239af9`
- Push/PR creation is currently blocked because this repo has no configured git remote and `gh` CLI is not installed.

## Commands to finish PR after remote setup

```bash
git remote add origin
git push -u origin feat/registration-antispam-complete
```

Then open PR in your Git host UI using:

- Base: `main` (or your default branch)
- Compare: `feat/registration-antispam-complete`
- Body: copy this file