feat: support time_zone for user registration context

gateway/README.md

@@ -109,11 +109,14 @@ The public REST listener read budgets are configured by:
 The public auth JSON contract uses a challenge-token flow:
 
 - `send-email-code` accepts `email` and returns `challenge_id`;
-- `confirm-email-code` accepts `challenge_id`, `code`, and
-  `client_public_key`, then returns `device_session_id`.
+- `confirm-email-code` accepts `challenge_id`, `code`,
+  `client_public_key`, and `time_zone`, then returns
+  `device_session_id`.
 
 `client_public_key` is the standard base64-encoded raw 32-byte Ed25519 public
 key for the device session being created.
+`time_zone` is the client-selected IANA time zone name forwarded unchanged to
+`Auth / Session Service`.
 
 These routes remain unauthenticated and delegate only through an injected
 `AuthServiceClient`.
@@ -950,7 +953,7 @@ Auth / Session Service.
 The gateway contract is:
 
 - `SendEmailCode(email) -> challenge_id`
-- `ConfirmEmailCode(challenge_id, code, client_public_key) -> device_session_id`
+- `ConfirmEmailCode(challenge_id, code, client_public_key, time_zone) -> device_session_id`
 
 When no concrete implementation is wired, the gateway keeps the public routes
 available and returns a stable `503 service_unavailable` response instead of