feat(domains): implement registrar gateway layer with Gandi + ROTLD (#93)

[b3lz3but]

Summary

Implements the Better tier from #93 — replaces the stubbed DomainRegistrarGateway with a production-ready gateway abstraction layer for domain registrar API integrations.

What changed

New gateway package (apps/domains/gateways/):

• errors.py — RegistrarErrorCode enum + typed exception hierarchy (RegistrarAuthError, RegistrarConflictError, RegistrarNotFoundError, RegistrarRateLimitError, RegistrarTransientError)
• base.py — BaseRegistrarGateway ABC with:
  • Circuit breaker (Django cache, 5 failures = trip, 5 min reset)
  • Idempotency keys for registration/renewal (1 hour TTL)
  • Retry with exponential backoff (3 attempts, 0.5s/1s/2s) for transient errors
  • Audit logging via AuditService.log_simple_event for every API call
  • SSRF-safe HTTP via dedicated OutboundPolicy per registrar
  • Shared HTTP error-to-exception mapping
  • RegistrarGatewayFactory (follows PaymentGatewayFactory pattern)
• gandi.py — GandiGateway for international domains (.com, .net, .org, .eu) via Gandi REST API
• rotld.py — ROTLDGateway for Romanian .ro domains via ROTLD REST API v2.0, with CUI/CNP registrant mapping

Service layer migration (services.py):

• DomainLifecycleService methods now return Result[T, str] instead of tuple[bool, T | str]:
  • create_domain_registration() → Result[Domain, str]
  • process_domain_renewal() → Result[str, str]
  • update_domain_expiration() → Result[bool, str]
• DomainRegistrarGateway is now a backward-compatible facade delegating to the gateway factory
• All callers updated: views.py, DomainOrderService, tests

Architecture decisions

• Follows billing gateway pattern (ABC + factory) and cloud gateway pattern (Result[T, E])
• Uses safe_request() + OutboundPolicy per registrar (matching Virtualmin gateway)
• Error hierarchy modeled after VirtualminAPIError
• Err.retriable flag used for transient errors (rate limits, 5xx, network)

Better tier checklist (all complete)

• Domain-specific error types with RegistrarErrorCode enum
• Circuit breaker per registrar (Django cache-backed)
• Idempotency keys for registration/renewal
• Outbound HTTP security — dedicated OutboundPolicy per registrar
• Webhook signature verification per registrar (HMAC-SHA256)
• Audit logging for every registrar API call
• Result pattern migration — DomainLifecycleService returns Result[T, str]

Test plan

• 25 new tests in test_registrar_gateways.py — all passing
  • Error types carry correct codes and messages
  • Factory creates correct gateway for gandi/rotld, raises on unknown
  • Gandi: registration (success, auth fail, conflict, rate limit), availability (available, unavailable)
  • ROTLD: registration (success, server error), registrant mapping (company with CUI, individual with CNP)
  • Circuit breaker: blocks at threshold, allows below
  • Idempotency: cached result returned without API call
  • Facade: delegates to factory, returns failure for unknown registrar
• Existing domain tests unaffected (10/10 still pass)
• Ruff lint + format clean
• All 16 pre-commit hooks pass
• Manual: verify Gandi sandbox registration (blocked on API credentials — Implement domain registrar API integrations #93 dependency)
• Manual: verify ROTLD test environment (blocked on accreditation — Implement domain registrar API integrations #93 dependency)

Diff stats

• 5 new files (gateway package + tests): ~1,500 LOC
• 4 modified files (services, views, existing tests): ~250 LOC changed

Closes #93

🤖 Generated with Claude Code

[b3lz3but]

@mostlyvirtual ready for review 🙏