# TODO

## Distributed global cap for phantom users (multi-process safe)

1. Add DB-backed quota as source of truth (`system_quotas` table, row `phantom_users` with `used` and `limit`).
2. Move cap enforcement into one DB transaction:
   - lock quota row with `SELECT ... FOR UPDATE`
   - check `used < limit`
   - create phantom user
   - increment `used`
   - commit (or rollback on failure).
3. Handle same-email races using `UNIQUE(email)`:
   - on duplicate key, do not increment quota
   - return existing user (or unified error response).
4. Add periodic reconciliation job:
   - recalculate phantom count from `users`
   - repair `system_quotas.used` if drift is detected.
5. Move phantom creation rate-limits to shared backend (Redis or DB atomic counters), so all server processes enforce the same limits.
6. Add concurrency tests:
   - multi-process create storm near cap boundary (499/500)
   - duplicate-email storm
   - assert `used <= limit` always holds.