Code-review fixes on the Authentik/budget/Resend work:
- UpsertForwardUser: avoid 500 lockout on username UNIQUE collision and
on the concurrent first-login race; normalize emails (lower+trim) so
case variants don't create duplicate accounts.
- Centralize email management in Authentik: when forward-auth mode is on,
email is read-only in Veola for every user (not just forward rows);
pure-local deployments keep editable email for Resend.
- Fail closed on per-user isolation: ownedItem rejects uid==0/orphaned
items; dashboard and global results error on a userless request.
- Budget accuracy: count Apify usage only after a successful run, and
count the billed Test Apify run.
- Efficiency: resolve the deal-email recipient once per poll; build the
settings page once in PostEmailPrefs.