feat: enterprise MFA with TOTP, email codes, backup codes, and trusted devices

Three verification methods (TOTP authenticator, email code, backup codes),
trusted device management with 30-day expiry, role-based enforcement for
super_admin and org_admin, admin reset capability, and full test coverage
(46 tests). Modifies login flow to support MFA challenge/response with
temporary session tokens stored in cache.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/Auth/TrustedDeviceController.php

@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers\Api\V1\Auth;
+
+use App\Http\Controllers\Controller;
+use App\Http\Resources\Api\V1\TrustedDeviceResource;
+use App\Services\MfaService;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+
+final class TrustedDeviceController extends Controller
+{
+    public function __construct(
+        private MfaService $mfaService,
+    ) {}
+
+    public function index(Request $request): JsonResponse
+    {
+        $devices = $this->mfaService->getTrustedDevices($request->user());
+
+        return $this->success(TrustedDeviceResource::collection($devices));
+    }
+
+    public function destroy(Request $request, string $device): JsonResponse
+    {
+        $this->mfaService->revokeDevice($request->user(), $device);
+
+        return response()->json(null, 204);
+    }
+
+    public function destroyAll(Request $request): JsonResponse
+    {
+        $this->mfaService->revokeAllDevices($request->user());
+
+        return response()->json(null, 204);
+    }
+}