sec: server-side email domain check + IP block on violations

Only @tutlot.com emails allowed for registration (checked server-side,
invisible to frontend inspect). Wrong domain → scary message + IP
violation tracked. 5 violations → IP permanently blocked from login
and registration. Block screen with OK button on frontend.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

tests/test_biz_001.py

@@ -67,7 +67,7 @@ async def _reject(reg_id: int) -> None:
 async def test_login_by_login_field_returns_200_with_token():
     """Approved user can login using their login field → 200 + token."""
     async with make_app_client() as client:
-        reg_id = await _register_auth(client, "alice@example.com", "alice", "password123")
+        reg_id = await _register_auth(client, "alice@tutlot.com", "alice", "password123")
         await _approve(reg_id)
         resp = await client.post(
             "/api/auth/login",
@@ -83,7 +83,7 @@ async def test_login_by_login_field_returns_200_with_token():
 async def test_login_by_login_field_token_is_non_empty_string():
     """Token returned for approved login user is a non-empty string."""
     async with make_app_client() as client:
-        reg_id = await _register_auth(client, "alice2@example.com", "alice2", "password123")
+        reg_id = await _register_auth(client, "alice2@tutlot.com", "alice2", "password123")
         await _approve(reg_id)
         resp = await client.post(
             "/api/auth/login",
@@ -102,11 +102,11 @@ async def test_login_by_login_field_token_is_non_empty_string():
 async def test_login_by_email_field_returns_200_with_token():
     """Approved user can login using their email field → 200 + token."""
     async with make_app_client() as client:
-        reg_id = await _register_auth(client, "bob@example.com", "bobuser", "securepass1")
+        reg_id = await _register_auth(client, "bob@tutlot.com", "bobuser", "securepass1")
         await _approve(reg_id)
         resp = await client.post(
             "/api/auth/login",
-            json={"login_or_email": "bob@example.com", "password": "securepass1"},
+            json={"login_or_email": "bob@tutlot.com", "password": "securepass1"},
         )
     assert resp.status_code == 200
     data = resp.json()
@@ -118,11 +118,11 @@ async def test_login_by_email_field_returns_200_with_token():
 async def test_login_by_email_field_token_login_matches_registration():
     """Token response login field matches the login set during registration."""
     async with make_app_client() as client:
-        reg_id = await _register_auth(client, "bob2@example.com", "bob2user", "securepass1")
+        reg_id = await _register_auth(client, "bob2@tutlot.com", "bob2user", "securepass1")
         await _approve(reg_id)
         resp = await client.post(
             "/api/auth/login",
-            json={"login_or_email": "bob2@example.com", "password": "securepass1"},
+            json={"login_or_email": "bob2@tutlot.com", "password": "securepass1"},
         )
     assert resp.json()["login"] == "bob2user"
 
@@ -136,7 +136,7 @@ async def test_login_by_email_field_token_login_matches_registration():
 async def test_wrong_password_returns_401():
     """Wrong password returns 401 with generic message (no detail about which field failed)."""
     async with make_app_client() as client:
-        reg_id = await _register_auth(client, "carol@example.com", "carol", "correctpass1")
+        reg_id = await _register_auth(client, "carol@tutlot.com", "carol", "correctpass1")
         await _approve(reg_id)
         resp = await client.post(
             "/api/auth/login",
@@ -167,7 +167,7 @@ async def test_nonexistent_user_returns_401_same_message_as_wrong_password():
 async def test_pending_user_login_returns_403():
     """User with pending status gets 403."""
     async with make_app_client() as client:
-        await _register_auth(client, "dave@example.com", "dave", "password123")
+        await _register_auth(client, "dave@tutlot.com", "dave", "password123")
         # Status is 'pending' by default — no approval step
         resp = await client.post(
             "/api/auth/login",
@@ -180,7 +180,7 @@ async def test_pending_user_login_returns_403():
 async def test_pending_user_login_403_message_is_human_readable():
     """403 message for pending user contains readable Russian text about the waiting status."""
     async with make_app_client() as client:
-        await _register_auth(client, "dave2@example.com", "dave2", "password123")
+        await _register_auth(client, "dave2@tutlot.com", "dave2", "password123")
         resp = await client.post(
             "/api/auth/login",
             json={"login_or_email": "dave2", "password": "password123"},
@@ -197,7 +197,7 @@ async def test_pending_user_login_403_message_is_human_readable():
 async def test_rejected_user_login_returns_403():
     """User with rejected status gets 403."""
     async with make_app_client() as client:
-        reg_id = await _register_auth(client, "eve@example.com", "evegirl", "password123")
+        reg_id = await _register_auth(client, "eve@tutlot.com", "evegirl", "password123")
         await _reject(reg_id)
         resp = await client.post(
             "/api/auth/login",
@@ -210,7 +210,7 @@ async def test_rejected_user_login_returns_403():
 async def test_rejected_user_login_403_message_is_human_readable():
     """403 message for rejected user contains readable Russian text about rejection."""
     async with make_app_client() as client:
-        reg_id = await _register_auth(client, "eve2@example.com", "eve2girl", "password123")
+        reg_id = await _register_auth(client, "eve2@tutlot.com", "eve2girl", "password123")
         await _reject(reg_id)
         resp = await client.post(
             "/api/auth/login",