fix

PR_REGISTRATION_ANTISPAM.md

@@ -0,0 +1,43 @@
+# PR Title
+feat(auth): complete registration anti-spam + email quota protection
+
+## Summary
+Implements the registration anti-spam and quota hardening spec end-to-end for the email-first onboarding flow.
+
+### What changed
+- Added registration anti-spam config and disposable domain config.
+- Added progressive Turnstile verification service and wiring.
+- Added registration rate limiters and route middleware (`register-ip`, `register-ip-daily`).
+- Implemented per-email cooldown and generic anti-enumeration responses.
+- Added queued verification sending job with global throttle + quota circuit breaker.
+- Added quota and disposable-domain services.
+- Hardened verification tokens (hashed storage lookup, expiry, one-time use).
+- Added/updated migrations:
+  - cooldown fields on `users`
+  - `email_send_events`
+  - `system_email_quota`
+  - token column hardening (`token` -> `token_hash`)
+  - rollout safety migration to ensure `user_verification_tokens` table exists
+- Added models: `EmailSendEvent`, `SystemEmailQuota`.
+- Added/updated auth registration tests and runbook docs.
+
+## Verification
+- `php artisan migrate` ✅
+- `php artisan test` ✅
+- Focused token hardening tests ✅ (`RegistrationTokenVerificationTest`)
+
+## Notes
+- Current local branch: `feat/registration-antispam-complete`
+- Local commit: `b239af9`
+- Push/PR creation is currently blocked because this repo has no configured git remote and `gh` CLI is not installed.
+
+## Commands to finish PR after remote setup
+```bash
+git remote add origin <your-repo-url>
+git push -u origin feat/registration-antispam-complete
+```
+
+Then open PR in your Git host UI using:
+- Base: `main` (or your default branch)
+- Compare: `feat/registration-antispam-complete`
+- Body: copy this file