Phase 1 | Priority: P0 | Status: Not Started | Covers: FR-007
Objective
Add MVP fraud prevention: disposable email domain blocklist and per-user rate limiting on referral code generation.
Acceptance Criteria
- Blocklist of disposable email domains (configurable, loaded from config/DB)
- Sign-ups from blocklisted domains don't trigger referral rewards
- Rate limiter: max 10 referral code generation requests per user per day
- Returns HTTP 429 with a clear error message when rate limited
- Blocklist is updatable without deploy (config or DB-backed)
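A sketch of how these criteria could fit together, added here as an example and not taken from the project's code base. The class names, the in-memory store, the rolling 24-hour reading of "per day", the `Retry-After` header, subdomain matching, and treating malformed addresses as blocked are all assumptions; the `.test` domains are constructed sample values.

```python
import math
import time
from collections import defaultdict

DAILY_LIMIT = 10         # from the ticket: 10 code-generation requests per user per day
WINDOW_SECONDS = 86400   # assumption: "per day" means a rolling 24-hour window

class DisposableDomainBlocklist:
    """Blocklist held in memory; reload() swaps it at runtime, so no deploy is needed."""
    def __init__(self, domains):
        self.reload(domains)

    def reload(self, domains):
        # Normalise entries once: trim, lower-case, drop a trailing root dot.
        self._domains = frozenset(
            d.strip().lower().rstrip(".") for d in domains if d.strip())

    def is_blocked(self, email):
        # Split on the last "@"; a malformed address earns no reward (fail closed).
        local, at, domain = email.strip().lower().rpartition("@")
        domain = domain.rstrip(".")
        if not (local and at and domain):
            return True
        labels = domain.split(".")
        # Check the domain and every parent, so subdomains of a listed domain match.
        return any(".".join(labels[i:]) in self._domains for i in range(len(labels)))

class ReferralCodeRateLimiter:
    """Per-user sliding window; a real deployment would use a shared store (assumption)."""
    def __init__(self, limit=DAILY_LIMIT, window=WINDOW_SECONDS, clock=time.time):
        self._limit, self._window, self._clock = limit, window, clock
        self._hits = defaultdict(list)   # user_id -> timestamps of allowed requests

    def check(self, user_id):
        """Return (status, body, headers) the way the endpoint would respond."""
        now = self._clock()
        hits = [t for t in self._hits[user_id] if now - t < self._window]
        self._hits[user_id] = hits
        if len(hits) >= self._limit:
            retry = max(1, math.ceil(hits[0] + self._window - now))
            body = {"error": "rate_limited",
                    "message": f"Limit of {self._limit} referral codes per day reached."}
            return 429, body, {"Retry-After": str(retry)}
        hits.append(now)                 # only allowed requests count toward the limit
        return 200, {}, {}
```

Keying the limiter on the authenticated user id, rather than on anything the client supplies in the request body, is what makes the limit "per user".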
Dependencies
Depends on: referral code generation endpoint. Blocks: nothing (can be added in parallel).