New

• api: add new-account burst circuit-breaker

Fixed

• auth: invalidate JWT sessions on password reset/change #541
• gdpr: make account hard-delete all-or-nothing in a transaction #542
• k8s: move ollama to a dedicated namespace so the LLM can schedule
• k8s: stop release tag-bump from clobbering the ollama image
• api: keep scam classification alive past the sync timeout (AUDIT L9)
• api: ramp send-velocity limits by account age and fix off-by-one
• auth: prevent email verification from lifting an abuse suspension