feat: email verification, merchant/store password reset, seed gap fix

- Add EmailVerificationToken and UserPasswordResetToken models with migration
- Add email verification flow: verify-email page route, resend-verification API
- Block login for unverified users (EmailNotVerifiedException in auth_service)
- Add forgot-password/reset-password endpoints for merchant and store auth
- Add "Forgot Password?" links to merchant and store login pages
- Send welcome email with verification link on merchant creation
- Seed email_verification and merchant_password_reset email templates
- Fix db-reset Makefile to run all init-prod seed scripts
- Add UserAuthService to satisfy architecture validation rules
- Add 52 new tests (unit + integration) with full coverage

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

app/modules/core/services/auth_service.py

@@ -18,6 +18,7 @@ from typing import Any
 from sqlalchemy.orm import Session
 
 from app.modules.tenancy.exceptions import (
+    EmailNotVerifiedException,
     InvalidCredentialsException,
     UserNotActiveException,
 )
@@ -59,6 +60,9 @@ class AuthService:
         if not user.is_active:
             raise UserNotActiveException("User account is not active")
 
+        if not user.is_email_verified:
+            raise EmailNotVerifiedException()
+
         # Update last_login timestamp
         user.last_login = datetime.now(UTC)
         db.commit()  # SVC-006 - Login must persist last_login timestamp
@@ -159,6 +163,9 @@ class AuthService:
         if not user.is_active:
             raise UserNotActiveException("User account is not active")
 
+        if not user.is_email_verified:
+            raise EmailNotVerifiedException()
+
         # Verify user owns at least one active merchant
         merchant_count = (
             db.query(Merchant)