feat(email): require verified approval email

Backfill approved legacy users with verified emails and replace the old unverified-email warning setting with a single approval email policy.

tests/test_email_notification_settings.py

@@ -75,7 +75,7 @@ def test_email_settings_update_preserves_and_clears_password(monkeypatch) -> Non
     assert updated.notify_token_expiring is False
     assert updated.notify_check_in_success is False
     assert updated.require_admin_approval_for_registration is True
-    assert updated.warn_unverified_email_before_approval is True
+    assert updated.require_verified_email_for_approval is True
 
     EmailSettingsService.update_settings(
         session,
@@ -87,7 +87,7 @@ def test_email_settings_update_preserves_and_clears_password(monkeypatch) -> Non
             notify_token_expiring=False,
             notify_check_in_success=False,
             require_admin_approval_for_registration=False,
-            warn_unverified_email_before_approval=False,
+            require_verified_email_for_approval=False,
             clear_smtp_sender_password=True,
         ),
     )
@@ -96,7 +96,7 @@ def test_email_settings_update_preserves_and_clears_password(monkeypatch) -> Non
     assert cleared.smtp_sender_password in ("", None)
     assert cleared.has_smtp_sender_password is False
     assert cleared.require_admin_approval_for_registration is False
-    assert cleared.warn_unverified_email_before_approval is False
+    assert cleared.require_verified_email_for_approval is False
     session.close()
     engine.dispose()
 
@@ -209,6 +209,6 @@ def test_registration_approval_policy_defaults_enabled() -> None:
     snapshot = EmailSettingsService.get_snapshot(session)
 
     assert snapshot.require_admin_approval_for_registration is True
-    assert snapshot.warn_unverified_email_before_approval is True
+    assert snapshot.require_verified_email_for_approval is True
     session.close()
     engine.dispose()