feat(organizations): require email verification before domain-based auto-join #3232

@PierreBrisorgueil

Problem

Domain is auto-set from the creator's email without ownership verification. This enables domain squatting — any user with a matching email can claim a domain and trigger auto-join for future users.

Proposed fix

  • Block domain matching and auto-join until emailVerified: true on the user account
  • Add explicit domain ownership verification flow before allowing domain-based features

References

  • modules/organizations/services/organizations.crud.service.js (create + searchByDomain)
  • modules/organizations/services/organizations.service.js (signup flow)

Metadata

Labels: Feat (A new feature)