Auth: require email-verified by default for all app-data routes

Previously only 2 share-code routes required a verified email; every other
authenticated route (residences, tasks, contractors, documents, notifications,
subscription, users, uploads, media — ~70 routes) accepted an authenticated but
UNVERIFIED user. This inverts the default to verified-by-default.

- router.go: add a `verified` sub-group that applies RequireVerified() ONCE at
  the group level, and move all app-data route setups under it. Verification is
  now the default; new routes are gated automatically. The authenticated-only
  allow-list is just the sign-up surface (/auth/me, /auth/profile, /auth/account).
  Public stays: register, health, webhooks, lookups.
- kratos_auth.go: fix a latent bug the gating exposed — the Redis session cache
  stored the verified flag for 24h, so a user who verified their email mid-session
  was still seen as unverified until the TTL expired (sign up -> verify -> create
  residence would 403). Now only a cached verified=true is trusted (verification
  is sticky); a cached verified=false re-resolves the live status from Kratos.
- auth_safety_test.go: add RequireVerified unit tests (verified passes,
  unverified -> 403, no-user -> 401).

Validated: API gating test (unverified->403, verified->200) + full iOS XCUITest
suite green (211 passed) including the onboarding verify->use-immediately flow.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

internal/router/router.go

@@ -342,29 +342,44 @@ func SetupRouter(deps *Dependencies) *echo.Echo {
 		// Subscription webhook routes (no auth - called by Apple/Google servers)
 		setupWebhookRoutes(api, subscriptionWebhookHandler)
 
-		// Protected routes (auth required)
+		// Authenticated routes (valid session required). This level is the
+		// sign-up / shell allow-list: an authenticated-but-UNVERIFIED user may
+		// call these (read their own user + verification status, complete their
+		// profile during sign-up). EVERYTHING else requires a verified email
+		// (see the `verified` sub-group below).
 		protected := api.Group("")
 		protected.Use(authMiddleware.Authenticate())
 		protected.Use(custommiddleware.TimezoneMiddleware())
 		{
+			// Allow-list — authenticated, may be unverified.
 			setupProtectedAuthRoutes(protected, authHandler)
-			setupResidenceRoutes(protected, residenceHandler, authMiddleware.RequireVerified())
-			setupTaskRoutes(protected, taskHandler)
-			setupSuggestionRoutes(protected, suggestionHandler)
-			setupContractorRoutes(protected, contractorHandler)
-			setupDocumentRoutes(protected, documentHandler)
-			setupNotificationRoutes(protected, notificationHandler)
-			setupSubscriptionRoutes(protected, subscriptionHandler)
-			setupUserRoutes(protected, userHandler)
 
-			// Upload routes (only if storage service is configured)
-			if uploadHandler != nil {
-				setupUploadRoutes(protected, uploadHandler)
-			}
+			// Verified routes (authenticated AND email-verified) — the DEFAULT
+			// for all app data and actions. RequireVerified is applied ONCE at
+			// the group level so verification is the default and every route
+			// added under here is gated automatically. (The previous per-route
+			// approach left ~70 routes unverified — see the LIVE auth audit.)
+			verified := protected.Group("")
+			verified.Use(authMiddleware.RequireVerified())
+			{
+				setupResidenceRoutes(verified, residenceHandler)
+				setupTaskRoutes(verified, taskHandler)
+				setupSuggestionRoutes(verified, suggestionHandler)
+				setupContractorRoutes(verified, contractorHandler)
+				setupDocumentRoutes(verified, documentHandler)
+				setupNotificationRoutes(verified, notificationHandler)
+				setupSubscriptionRoutes(verified, subscriptionHandler)
+				setupUserRoutes(verified, userHandler)
 
-			// Media routes (authenticated media serving)
-			if mediaHandler != nil {
-				setupMediaRoutes(protected, mediaHandler)
+				// Upload routes (only if storage service is configured)
+				if uploadHandler != nil {
+					setupUploadRoutes(verified, uploadHandler)
+				}
+
+				// Media routes (verified media serving)
+				if mediaHandler != nil {
+					setupMediaRoutes(verified, mediaHandler)
+				}
 			}
 		}
 	}
@@ -583,7 +598,7 @@ func setupPublicDataRoutes(api *echo.Group, residenceHandler *handlers.Residence
 }
 
 // setupResidenceRoutes configures residence routes
-func setupResidenceRoutes(api *echo.Group, residenceHandler *handlers.ResidenceHandler, requireVerified echo.MiddlewareFunc) {
+func setupResidenceRoutes(api *echo.Group, residenceHandler *handlers.ResidenceHandler) {
 	residences := api.Group("/residences")
 	{
 		residences.GET("/", residenceHandler.ListResidences)
@@ -598,11 +613,11 @@ func setupResidenceRoutes(api *echo.Group, residenceHandler *handlers.ResidenceH
 		residences.DELETE("/:id/", residenceHandler.DeleteResidence)
 
 		residences.GET("/:id/share-code/", residenceHandler.GetShareCode)
-		// Audit LIVE-L19: generating a residence share code requires a
-		// verified email — it blocks bad-faith unverified signups from
-		// minting share codes.
-		residences.POST("/:id/generate-share-code/", residenceHandler.GenerateShareCode, requireVerified)
-		residences.POST("/:id/generate-share-package/", residenceHandler.GenerateSharePackage, requireVerified)
+		// Verification is now enforced at the group level for ALL residence
+		// routes (see the `verified` group in SetupRouter) — the previous
+		// per-route RequireVerified on just these two is no longer needed.
+		residences.POST("/:id/generate-share-code/", residenceHandler.GenerateShareCode)
+		residences.POST("/:id/generate-share-package/", residenceHandler.GenerateSharePackage)
 		residences.POST("/:id/generate-tasks-report/", residenceHandler.GenerateTasksReport)
 		residences.GET("/:id/users/", residenceHandler.GetResidenceUsers)
 		residences.DELETE("/:id/users/:user_id/", residenceHandler.RemoveResidenceUser)