
feat: email change should verify new email before applying #346

@eugenioenko


Summary

When a user changes their email via the account UI, the new email should be verified before it replaces the old one. Currently, email changes take effect immediately without confirming ownership of the new address.

Current behavior

  1. User changes email in account UI → email updates immediately
  2. is_email_verified stays true from the old email (bug — being fixed separately in security: account-ui passkey and TOTP setup should require password confirmation #180)
  3. No verification email is sent to the new address
  4. If RequireEmailVerification is enabled, the user gets blocked on next login until they verify — but the old email is already gone

Proposed behavior

  1. User enters new email in account UI
  2. A verification email is sent to the new address
  3. The old email remains active until the new one is confirmed
  4. Only after clicking the verification link does the email actually change
  5. Account UI should show the pending email change state (e.g., "Verification email sent to new@example.com")

Why

  • Prevents email typos from locking users out of their accounts
  • Confirms ownership of the new email address before applying the change
  • Follows the same pattern as most identity providers (Google, GitHub, etc.)
  • The account UI should also be able to trigger email verification (resend link) independently of the login flow
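The pending-change flow proposed above, written out as an added example rather than code from this project: the new address is stored as pending alongside a hash of a one-time token, the current address (and its verified flag) stay untouched, and only a matching, unexpired token swaps the addresses. The `Account` type and the `RequestEmailChange`, `ConfirmEmailChange` and `PendingStatus` functions are hypothetical names; sending the token to the new address and persisting the account are assumed to happen elsewhere.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Account holds only the fields this flow touches (hypothetical schema).
type Account struct {
	Email            string
	IsEmailVerified  bool
	PendingEmail     string    // new address awaiting confirmation, "" if none
	pendingTokenHash []byte    // sha256 of the token mailed to PendingEmail
	PendingExpiresAt time.Time // after this the pending change is discarded
}

var (
	ErrNoPendingChange = errors.New("no pending email change")
	ErrTokenExpired    = errors.New("verification token expired")
	ErrTokenMismatch   = errors.New("verification token mismatch")
)

// pendingTTL is a constructed value; pick what fits the deployment.
const pendingTTL = 24 * time.Hour

// RequestEmailChange records newEmail as pending and returns the one-time
// token to send to that address. Calling it again (a "resend") simply
// replaces the pending token. The current Email is not modified here, so a
// typo in newEmail cannot lock the user out.
func RequestEmailChange(a *Account, newEmail string, now time.Time) (string, error) {
	if newEmail == "" || newEmail == a.Email {
		return "", errors.New("new email must be set and differ from the current one")
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := hex.EncodeToString(raw)
	sum := sha256.Sum256([]byte(token))
	a.PendingEmail = newEmail
	a.pendingTokenHash = sum[:] // only the hash is stored server-side
	a.PendingExpiresAt = now.Add(pendingTTL)
	return token, nil
}

// ConfirmEmailChange applies the pending change when the presented token
// matches and has not expired. This is the only place Email changes, and the
// verified flag now refers to the address that actually received the token.
func ConfirmEmailChange(a *Account, token string, now time.Time) error {
	if a.PendingEmail == "" {
		return ErrNoPendingChange
	}
	if now.After(a.PendingExpiresAt) {
		a.clearPending()
		return ErrTokenExpired
	}
	sum := sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(sum[:], a.pendingTokenHash) != 1 {
		return ErrTokenMismatch // old address remains active and verified
	}
	a.Email = a.PendingEmail
	a.IsEmailVerified = true
	a.clearPending()
	return nil
}

// PendingStatus is the text the account UI would show while a change is
// outstanding; empty when nothing is pending or the request has expired.
func PendingStatus(a *Account, now time.Time) string {
	if a.PendingEmail == "" || now.After(a.PendingExpiresAt) {
		return ""
	}
	return "Verification email sent to " + a.PendingEmail
}

func (a *Account) clearPending() {
	a.PendingEmail = ""
	a.pendingTokenHash = nil
	a.PendingExpiresAt = time.Time{}
}

func main() {
	now := time.Now()
	acct := &Account{Email: "old@example.com", IsEmailVerified: true}
	token, _ := RequestEmailChange(acct, "new@example.com", now)
	fmt.Println(PendingStatus(acct, now))     // UI state while waiting
	fmt.Println("still active:", acct.Email) // old@example.com
	fmt.Println("confirm:", ConfirmEmailChange(acct, token, now))
	fmt.Println("now active:", acct.Email, "verified:", acct.IsEmailVerified)
}
```

Storing a hash rather than the token means a leaked database row does not let anyone complete the change, and the constant-time compare avoids leaking the hash through timing. Because the old address keeps its verified flag until confirmation, a `RequireEmailVerification` check at login continues to see a verified account while the change is pending.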
