feat: db-backed admin bans with login + registration enforcement (#8)

[rafiki270]

Closes #8 — replaces the non-functional ban stub (hardcoded emptyBans, no model, no endpoints, no enforcement) with a real, per-tenant deny list. The brief was silent on bans, so scope was confirmed with the owner: full per-tenant.

Data

• New bans table + BanType enum (email | pattern | ip | user). Scoped to a client domain by default, or a specific org_id / team_id within it (FKs cascade). Scope is derived from which id is set.
• Admin-managed like client_domains: granted to the BYPASS-RLS uoa_admin role, REVOKEd from uoa_app, with a deny-all RLS policy. Login enforcement runs before any tenant context, so it uses the admin client.
• Hand-written migration matches the Prisma model (verified with prisma migrate diff — no bans drift) and applies cleanly into a fresh schema.

Matching (ban-policy.service.ts)

• email: exact, case-insensitive · pattern: shell-glob over the email (*,?) — never a raw regex, so a ban can't become a ReDoS vector · ip: exact or IPv4 CIDR against request.ip · user: exact userId.

Enforcement — ban overrides allow; SUPERUSER on the login domain bypasses (mirrors the allow-list)

• Login: finalizeAuthenticatedUser checks domain/org/team scopes after the allow-list. request.ip threaded through all six call sites (login, social callback, email link, verify-email, 2FA verify + enroll). Fails closed with ACCESS_DENIED (generic to the user).
• Registration / social new-user: domain-scope email/pattern/ip checked before any user row is created. Registration stays silent + timing-equalised (no enumeration); social returns blocked. Existing social users are caught by the login chokepoint.

Admin

• GET/POST /internal/admin/bans + DELETE /internal/admin/bans/:id (superuser only). getAdminSettings now returns the live list grouped by type instead of emptyBans. /api machine schema updated.
• Admin React Settings page: the Add dialog and Remove buttons are wired to the new endpoints (create + delete, invalidating the settings query). Domain-scope from the UI; org/team scope available via the API.

Tests

• ban-policy.service.test.ts (10): matcher per type, multi-scope, SUPERUSER bypass, IP/CIDR in/out, no-IP-supplied, registration boolean.
• ban-enforcement.test.ts (DB-backed, skips without DATABASE_URL): domain-scope email ban blocks login + registration and lifts on delete; org-scope ban hits only the org member, not the owner; cross-tenant scope rejected. Validated against a real Postgres.
• pnpm typecheck + lint green for @uoa/api and @uoa/admin; Admin build green. Pre-existing auth-entrypoint* / internal-admin-auth suite failures are environmental (missing Auth/dist/Admin/dist) and unchanged.

Brief documents the feature (Docs/brief.md → "2026-06 Admin Bans").

Note: stacks conceptually alongside #14 (config/validate + org schema) but is independent — no file overlap.

🤖 Generated with Claude Code