fix: return 409 when unverified OAuth email conflicts with existing account

Before: branch 3 of oauth_callback attempted to INSERT a user with a
duplicate email → DB constraint violation → 500.

After: if email_verified=False and the email already exists, raise 409
with a message directing the user to sign in with their password.

Also adds test_callback_unverified_email_conflict_returns_409.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

tests/test_auth.py

@@ -341,3 +341,18 @@ class TestOAuth:
         oauth_sub = self._decode_sub(resp.json()["access_token"])
         # OAuth login must resolve to the same user as the original registration
         assert orig_sub == oauth_sub
+
+    def test_callback_unverified_email_conflict_returns_409(self, client, monkeypatch) -> None:
+        """Unverified Google email matching an existing account returns 409, not 500."""
+        email = "conflict@example.com"
+        reg_resp = client.post(
+            "/api/v1/auth/register",
+            json={"email": email, "password": "TestPass123!"},
+        )
+        assert reg_resp.status_code == 201
+
+        self._patch_google(monkeypatch)
+        state = self._authorize(client)
+        resp = self._callback(client, state, self._userinfo(email=email, email_verified=False))
+
+        assert resp.status_code == 409