sec: server-side email domain check + IP block on violations

Only @tutlot.com emails allowed for registration (checked server-side,
invisible to frontend inspect). Wrong domain → scary message + IP
violation tracked. 5 violations → IP permanently blocked from login
and registration. Block screen with OK button on frontend.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Gros Frumos 2026-03-21 15:58:16 +02:00
parent 47b89ded8d
commit 0562cb4e47
8 changed files with 123 additions and 30 deletions


@ -30,7 +30,7 @@ APP_JS = PROJECT_ROOT / "frontend" / "app.js"
from tests.conftest import make_app_client
_VALID_PAYLOAD = {
"email": "frontend_test@example.com",
"email": "frontend_test@tutlot.com",
"login": "frontenduser",
"password": "strongpassword123",
}
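Review bot: this hunk only moves the shared fixture email from example.com to tutlot.com so the existing tests keep passing under the new rule; none of the visible test changes exercise the behaviour the commit message introduces. A registration with a non-tutlot.com address should have a test asserting the rejection response, and the violation counter needs a test that the fifth rejected attempt from one address blocks both `/api/auth/register` and login afterwards. Since the block is described as permanent and keyed on IP, the test for the fifth violation should also pin down what is intended for shared addresses (NAT, campus or office egress), where five stray sign-up attempts would lock out every other user behind that address; if an expiry or admin unblock exists, assert it here so the behaviour is documented rather than implicit.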
@ -417,7 +417,7 @@ async def test_register_duplicate_login_returns_409():
r2 = await client.post(
"/api/auth/register",
json={**_VALID_PAYLOAD, "email": "another@example.com"},
json={**_VALID_PAYLOAD, "email": "another@tutlot.com"},
)
assert r2.status_code == 409, (
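Review bot: switching the second email to `another@tutlot.com` keeps this duplicate-login test reaching the 409 path instead of failing earlier on the domain check, but the hunk leaves the order of those two checks unspecified. Worth adding an assertion that a request combining a disallowed domain with an already-taken login gets the domain rejection, not 409: if uniqueness is checked first, anyone outside the allowed domain can still probe which logins exist, which is precisely the traffic the new check is meant to turn away.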