feat: anonymous self-signup with email-domain allow-list #62

@martinydeAI

Tracked under ADR 004 (#60).

Add the anonymous self-signup endpoint that lets a representative of
an approved organisation create their own pending account.

Scope

  • New public route /register (no security required).
  • Twig form: email, password, password confirmation, name.
  • E-mail domain must match an entry in the REGISTRATION_ALLOWED_EMAIL_DOMAINS
    env var (comma-separated). Submissions with an unknown domain are
    rejected with a localised error on the form.
  • On success, create a User with status = UserStatus::Pending
    (entity work tracked in #45, "feat: add User entity with active /
    domainManager / name fields" — coordinate so this lands after the
    status enum is in place).
  • Show a "thanks, waiting for approval" page (or redirect to /login
    with a flash) — the user cannot sign in yet because the
    UserCheckerInterface from the sibling issue blocks pending logins.
  • Smoke + unit tests covering:
    • allow-listed domain → user created with Pending status
    • non-allow-listed domain → rejected with form error
    • password mismatch / empty password rejected

Out of scope

  • Email verification — separate decision if/when we need it.
  • CAPTCHA / rate limiting — defer; flag if abuse becomes an issue.

Related
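
One way to implement the allow-list check from the Scope list, as an added example that is not part of the original issue or the project's code. The class and method names are hypothetical, the sample addresses are constructed, and exact, case-insensitive matching of the domain is an assumption (the issue only says the domain must match an entry).

```php
<?php
declare(strict_types=1);

// Added example, not project code. Only the env var name
// REGISTRATION_ALLOWED_EMAIL_DOMAINS comes from the issue; the rest is hypothetical.
final class EmailDomainAllowList
{
    /** @var array<string, true> normalised domain => true */
    private array $domains = [];

    public function __construct(string $commaSeparated)
    {
        foreach (explode(',', $commaSeparated) as $entry) {
            $entry = strtolower(trim($entry));
            if ($entry !== '') {   // stray commas or an unset variable add no entry
                $this->domains[$entry] = true;
            }
        }
    }

    public function allows(string $email): bool
    {
        $email = trim($email);
        // Must be exactly one syntactically valid address.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            return false;
        }
        // The domain is everything after the last "@".
        $domain = strtolower(substr($email, (int) strrpos($email, '@') + 1));
        // Exact lookup (assumption): no suffix or substring comparison, so
        // look-alike domains and subdomains are rejected. An empty list rejects all.
        return isset($this->domains[$domain]);
    }
}

// Constructed sample input, as the env var value might look in a .env file.
$list = new EmailDomainAllowList(' Example.org, partner.example ,, ');
$cases = [
    'alice@example.org',              // allow
    'Bob@EXAMPLE.ORG',                // allow: comparison is case-insensitive
    'carol@partner.example',          // allow
    'dave@evil-example.org',          // reject: would pass a naive "ends with" check
    'erin@example.org.other.test',    // reject: would pass a naive "contains" check
    'frank@mail.example.org',         // reject: subdomains are not implied
    'x@example.org, y@other.test',    // reject: not a single address
];
foreach ($cases as $email) {
    printf("%-30s %s\n", $email, $list->allows($email) ? 'allow' : 'reject');
}
```

The rejected cases map onto the "non-allow-listed domain → rejected with form error" test in the Scope list, and the look-alike and subdomain cases are the ones a suffix-based comparison would get wrong.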
