Tech debt — converge daemon enrollment-code onto /v1/verification-codes

[pedromvgomes]

Summary

Tech debt: converge the daemon enrollment-code request onto the unified POST /v1/verification-codes resource, and fold the two code-request paths into one.

Context

PR3 of the My Account initiative introduces the RESTful POST /v1/verification-codes {email, purpose} resource and migrates the web flows (signup + password reset) onto it, superseding POST /v1/auth/password/reset-code and the web-signup use of POST /v1/enrollment-codes.

To keep that initiative's blast radius bounded (and avoid a lock-step daemon release), the daemon enrollment path was deliberately left on POST /v1/enrollment-codes. That leaves two endpoints that both "send a one-time email-proof code," which is the inconsistency to clean up here.

Scope

• Add purpose: "enrollment" (or equivalent) to POST /v1/verification-codes and route daemon enrollment-code requests through it.
• Update the daemon client to call /v1/verification-codes (coordinated daemon release).
• Remove POST /v1/enrollment-codes once no client depends on it (or keep a deprecation shim for one release).
• Ensure purpose binding still prevents cross-purpose replay (an enrollment code can't reset a password, etc.).

Acceptance criteria

• A single code-request resource (/v1/verification-codes) serves signup, password-reset, and enrollment.
• Daemon client migrated; /v1/enrollment-codes removed or deprecated with a removal date.
• purpose binding covers all three flows.

Notes

• Requires coordination with the daemon repo (client change). Do not start before PR3 has shipped /v1/verification-codes.
• Part of the My Account initiative follow-up.

[pedromvgomes]

🗺️ My Account initiative — issue map

Modular-monolith effort: build the My Account SPA wired to a provider-agnostic billing split. Sequence:

1. PR1 — Split billing/subscription into extraction-ready crates + inter-crate ports #16 — Split billing/subscription into extraction-ready crates + ports (lands first; behavior-preserving)
2. PR2 — Provider-proxied billing read endpoints (payment-method, invoices) #17 — Provider-proxied billing read endpoints (blocked by PR1 — Split billing/subscription into extraction-ready crates + inter-crate ports #16)
3. PR3 — Account/security endpoints + RESTful verification-codes #18 — Account/security endpoints + RESTful verification-codes
4. PR4 — My Account SPA (source/account-dashboard-app) #19 — My Account SPA (parallel via MSW; refines WS-H: My Account SPA (site/) + account API #1)
5. Tech debt — converge daemon enrollment-code onto /v1/verification-codes #20 — Tech debt: converge daemon enrollment-code (after PR3 — Account/security endpoints + RESTful verification-codes #18)

Design prototype: source/account-dashboard-app/design/ (committed on chore/account-initiative-issues).