BL-050 Shipped

Registration "couldn't set passwords"

config.allow_unconfirmed_access_for was commented out in config/initializers/devise.rb, defaulting to 0 days. New users registered fine (with valid encrypted_password), but Devise blocked sign-in until they clicked the confirmation email. From the player seat this looked like “I can’t set my password” — the form said registered, the next sign-in failed. Compounded yesterday by SendGrid CI key drift (BL-043) preventing confirmation emails from being delivered at registration time. Fix: set config.allow_unconfirmed_access_for = 3.days — players get a 3-day grace window to use the app while their confirmation email is delivered/found/clicked. Sentinel investigation confirmed root cause; system test added at test/system/user_registration_test.rb covering the full flow (registration → confirmation token → confirm → sign in) plus the honeypot trap (a real risk for legitimate users whose password manager auto-fills the hidden website field).