
feat(auth): add email verification on signup #3216

@PierreBrisorgueil

Description

Add email verification on signup — only when email sending is configured.

Details

  • After signup, if mail config is present (mailer.from, SMTP settings), send a verification email with a signed token
  • New fields on User model: emailVerified (boolean, default false), emailVerificationToken, emailVerificationExpires
  • POST /api/auth/verify-email/:token — verifies the token, sets emailVerified = true
  • Resend endpoint: POST /api/auth/resend-verification

⚠️ Critical: conditional on mail config

```js
// If no mail config → skip verification, set emailVerified = true by default
if (!config.mailer || !config.mailer.from) {
  user.emailVerified = true; // auto-verify, don't block
}
```

  • In dev/test without SMTP: users are auto-verified, nothing blocks
  • In prod with SMTP: users must verify their email
  • This MUST NOT break local dev or CI tests

Acceptance criteria

  • Verification email sent only when mail is configured
  • Auto-verified when no mail config (dev/test safe)
  • Verify endpoint works with signed token
  • Resend verification endpoint
  • Tests pass without SMTP config
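
A sketch of the flow described in this issue, added here as an example and not taken from the project's code. The helper names, the HMAC-SHA256 token format, the 24-hour lifetime, storing only a hash of the token, and the refusal to auto-verify in production are all assumptions.

```javascript
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // assumption: loaded from server config in real use
const TTL_MS = 24 * 60 * 60 * 1000;       // assumption: 24 h validity

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const sign = (body) => crypto.createHmac('sha256', SECRET).update(body).digest('base64url');

// Mirrors the issue's condition: mail counts as configured when mailer.from is set.
const mailConfigured = (config) => Boolean(config.mailer && config.mailer.from);

// Hypothetical helper: at signup, either auto-verify or issue a signed token.
function startVerification(user, config, now = Date.now(), env = 'development') {
  if (!mailConfigured(config)) {
    // Added guard (not in the issue): never silently auto-verify in production.
    if (env === 'production') throw new Error('mailer not configured in production');
    user.emailVerified = true;
    return null;
  }
  const expires = now + TTL_MS;
  const claims = { uid: user.id, exp: expires, n: crypto.randomBytes(16).toString('hex') };
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const token = `${body}.${sign(body)}`;
  user.emailVerified = false;
  user.emailVerificationToken = sha256(token); // store only a hash of the token
  user.emailVerificationExpires = expires;
  return token; // placed in the emailed verification link
}

// Hypothetical helper behind POST /api/auth/verify-email/:token.
function verifyEmail(user, token, now = Date.now()) {
  const [body, sig] = String(token).split('.');
  if (!body || !sig) return false;
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(sig);
  // Constant-time signature check; lengths must match before timingSafeEqual.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return false;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  if (claims.uid !== user.id || now > claims.exp) return false;
  if (user.emailVerificationToken !== sha256(token)) return false; // replaced or already used
  if (now > user.emailVerificationExpires) return false;
  user.emailVerified = true;
  user.emailVerificationToken = undefined; // single use
  user.emailVerificationExpires = undefined;
  return true;
}
```

Clearing the stored hash on success makes the link single-use, and a resend simply calls `startVerification` again, which invalidates the previous token.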

Labels: P2 (Important — depends on P1), phase:2-orgs (Phase 2: Multi-tenancy & Organizations)
