feat: add registration abuse prevention

- Silently block verification code for IPs with 2+ registered accounts
- Silently block Gmail alias emails (containing + or . in local part)
- Add CountByRegistrationIP to UserRepository interface
- Pass client IP to SendVerifyCodeAsync for abuse detection

Both checks return fake success to prevent enumeration attacks.
kone
2026-06-06 04:07:07 +08:00
parent ba5a09862f
commit 88ccd0ecbb
5 changed files with 75 additions and 4 deletions
@@ -231,6 +231,10 @@ func (r *contentModerationTestUserRepo) DisableTotp(ctx context.Context, userID
panic("unexpected DisableTotp call")
}
func (r *contentModerationTestUserRepo) CountByRegistrationIP(ctx context.Context, ip string) (int, error) {
return 0, nil
}
type contentModerationTestAuthCacheInvalidator struct {
userIDs []int64
}
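Review bot: The added `CountByRegistrationIP` stub returns `0, nil` for every IP, so any test built on `contentModerationTestUserRepo` can never reach the "2+ registered accounts" branch named in the commit description. The neighbouring stub panics on an unexpected call (`panic("unexpected DisableTotp call")`); if this suite is not meant to hit the new check, `panic("unexpected CountByRegistrationIP call")` would keep that convention and surface accidental calls. Otherwise, return a configurable value, e.g. `return r.registrationIPCount, nil` (field name constructed here), so a test can assert that no verification code is sent once the threshold is met. Because the description says blocked requests report fake success, the response alone cannot reveal a regression in this check; only such an assertion would. Whether the other changed files in this commit already cover the threshold is not visible from this hunk.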