chore: document auth fixes

docs/risks.md

@@ -8,7 +8,7 @@ This file tracks known gaps and risks to address in future iterations.
 - Authentica OTP provider is implemented (SMS + WhatsApp via Authentica OTP).
 - Social login is a placeholder.
 - `USERNAME_FIELD` is now `"phone_number"`; `REQUIRED_FIELDS = []`; `create_superuser` accepts `phone_number`. Admin and `createsuperuser` work correctly for phone-only users.
-- API currently exposes mixed auth paths (`/accounts/register/`, `/accounts/token/`, and phone OTP login), creating unclear source-of-truth for identity/auth policy.
+- Password token obtain endpoint (`/api/auth/token/`) is deprecated (`410 Gone`); phone OTP flow is the login source of truth.
 - OTP purpose isolation is enforced at verification endpoint boundaries (`/otp/verify` accepts only `verify`, `/phone/verify` accepts only `auth`).
 - Django admin user configuration remains email-centric (ordering/add form defaults), increasing operational friction for phone-only accounts.
 - Multiple serializers/model `__str__` paths in non-auth apps still fallback to `user.email`; phone-only users may get poor display/audit clarity.
@@ -18,7 +18,7 @@ This file tracks known gaps and risks to address in future iterations.
 - Decide user lifecycle for phone auth (create user before OTP verify vs provisional/pre-user state).
 - Expand abuse prevention beyond per-phone cooldown (IP throttling, device fingerprint, risk signals).
 - Define OAuth account-linking policy (phone/email conflicts, merge rules, trust source).
-- Add explicit tests for phone-first invariants (null-phone rejection if required, token endpoint behavior, OTP purpose isolation, verified-phone guards).
+- Add explicit tests for remaining phone-first invariants (verified-phone guards and any legacy-path regressions).
 
 ## Booking Integrity
 - Availability checks and overlap prevention are now enforced for staff bookings.