sec: server-side email domain check + IP block on violations

Only @tutlot.com emails allowed for registration (checked server-side,
invisible to frontend inspect). Wrong domain → scary message + IP
violation tracked. 5 violations → IP permanently blocked from login
and registration. Block screen with OK button on frontend.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

frontend/style.css

@@ -230,3 +230,12 @@ body {
 .reg-status[hidden]    { display: none; }
 .reg-status--error     { color: #f87171; }
 .reg-status--success   { color: #4ade80; }
+
+.block-message {
+  color: #f87171;
+  font-size: 16px;
+  text-align: center;
+  line-height: 1.6;
+  padding: 20px;
+  max-width: 320px;
+}