sec: server-side email domain check + IP block on violations

Only @tutlot.com emails allowed for registration (checked server-side,
invisible to frontend inspect). Wrong domain → scary message + IP
violation tracked. 5 violations → IP permanently blocked from login
and registration. Block screen with OK button on frontend.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

frontend/app.js

@@ -423,12 +423,29 @@ async function _handleSignUp() {
         } catch (_) {}
       }
     }
-    _setRegStatus(msg, 'error');
-    btn.disabled = false;
-    btn.textContent = originalText;
+    if (err && err.status === 403 && msg !== 'Ошибка. Попробуйте ещё раз.') {
+      _showBlockScreen(msg);
+    } else {
+      _setRegStatus(msg, 'error');
+      btn.disabled = false;
+      btn.textContent = originalText;
+    }
   }
 }
 
+function _showBlockScreen(msg) {
+  const screen = document.getElementById('screen-onboarding');
+  if (!screen) return;
+  screen.innerHTML =
+    '<div class="screen-content">' +
+    '<p class="block-message">' + msg + '</p>' +
+    '<button type="button" class="btn-confirm" id="btn-block-ok">OK</button>' +
+    '</div>';
+  document.getElementById('btn-block-ok').addEventListener('click', () => {
+    location.reload();
+  });
+}
+
 // ========== Init ==========
 
 function _init() {