feat: enterprise MFA with TOTP, email codes, backup codes, and trusted devices

Three verification methods (TOTP authenticator, email code, backup codes),
trusted device management with 30-day expiry, role-based enforcement for
super_admin and org_admin, admin reset capability, and full test coverage
(46 tests). Modifies login flow to support MFA challenge/response with
temporary session tokens stored in cache.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Enums/MfaMethod.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Enums;
+
+enum MfaMethod: string
+{
+    case TOTP = 'totp';
+    case EMAIL = 'email';
+    case BACKUP_CODE = 'backup_code';
+
+    public function label(): string
+    {
+        return match ($this) {
+            self::TOTP => 'Authenticator app',
+            self::EMAIL => 'E-mailcode',
+            self::BACKUP_CODE => 'Backup code',
+        };
+    }
+}