harden(db): case-insensitive email unique index + dup-email test; list_users pagination TODO; from_db note

2026-06-02 14:42:04 +02:00
parent f8ec2d7cf1
commit bea9b6b39a
4 changed files with 43 additions and 4 deletions
+3 -1
@@ -78,7 +78,8 @@ pub async fn credentials_by_email<'e, E>(
where
E: sqlx::PgExecutor<'e>,
{
let sql = format!("SELECT {USER_COLUMNS}, password_hash FROM app_user WHERE email = $1");
// Match the `lower(email)` unique index; `email` is already normalized by callers.
let sql = format!("SELECT {USER_COLUMNS}, password_hash FROM app_user WHERE lower(email) = $1");
let row = sqlx::query(&sql)
.bind(email)
@@ -96,6 +97,7 @@ where
}
/// List all users, ordered by email.
// TODO: add LIMIT/keyset pagination before exposing this via the API.
pub async fn list_users<'e, E>(executor: E) -> Result<Vec<User>, sqlx::Error>
where
E: sqlx::PgExecutor<'e>,