bert.hausmans
eaed138e38
Registration now rolls back the just-created user (token cascades) and returns a clear 502 EMAIL_SEND_FAILED if the verification email can't be sent, instead of a 500 leaving an unverifiable orphan account. resend-verification and forgot-password swallow mail failures (log + still return generic 200) so a broken mailer can't break the flow or leak account existence. Adds regression tests.