Root cause: the employee fixture used by the 'logs in active employees with a
signed token and company context' test did not include emailVerified: true,
so the auth.employee.service.login guard at line 108 correctly rejected the
login with 401 email_not_verified.
Changes:
- Added emailVerified: true to the shared employee fixture
- Added a new negative test that verifies login rejects employees with
emailVerified: false (401 email_not_verified)
The production email-verification guard in auth.employee.service.ts remains
unchanged and strictly enforced.