feat: email unsubscribe tokens with one-click opt-out

- Migration 0019: email_unsubscribe_token column on users (unique, indexed)
- Token auto-generated on first email address save (same pattern as RSS token)
- GET /api/notifications/unsubscribe/{token} — no auth required, sets
  email_enabled=False and returns a branded HTML confirmation page
- List-Unsubscribe + List-Unsubscribe-Post headers on every email
  (improves deliverability; enables one-click unsubscribe in Gmail/Outlook)
- Unsubscribe link appended to email body plain text

Authored by: Jack Levy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/app/api/notifications.py

@@ -7,7 +7,7 @@ from xml.etree.ElementTree import Element, SubElement, tostring
 
 import httpx
 from fastapi import APIRouter, Depends, HTTPException
-from fastapi.responses import Response
+from fastapi.responses import HTMLResponse, Response
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 
@@ -119,6 +119,9 @@ async def update_notification_settings(
 
     if not user.rss_token:
         user.rss_token = secrets.token_urlsafe(32)
+    # Generate unsubscribe token the first time an email address is saved
+    if prefs.get("email_address") and not user.email_unsubscribe_token:
+        user.email_unsubscribe_token = secrets.token_urlsafe(32)
 
     await db.commit()
     await db.refresh(user)
@@ -371,6 +374,51 @@ async def test_follow_mode(
         return NotificationTestResult(status="error", detail=f"Connection error: {e}")
 
 
+@router.get("/unsubscribe/{token}", response_class=HTMLResponse, include_in_schema=False)
+async def email_unsubscribe(token: str, db: AsyncSession = Depends(get_db)):
+    """One-click email unsubscribe — no login required."""
+    result = await db.execute(
+        select(User).where(User.email_unsubscribe_token == token)
+    )
+    user = result.scalar_one_or_none()
+
+    if not user:
+        return HTMLResponse(
+            _unsubscribe_page("Invalid or expired link", success=False),
+            status_code=404,
+        )
+
+    prefs = dict(user.notification_prefs or {})
+    prefs["email_enabled"] = False
+    user.notification_prefs = prefs
+    await db.commit()
+
+    return HTMLResponse(_unsubscribe_page("You've been unsubscribed from PocketVeto email notifications.", success=True))
+
+
+def _unsubscribe_page(message: str, success: bool) -> str:
+    color = "#16a34a" if success else "#dc2626"
+    icon = "✓" if success else "✗"
+    return f"""<!DOCTYPE html>
+<html lang="en">
+<head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>PocketVeto — Unsubscribe</title>
+<style>
+  body{{font-family:system-ui,sans-serif;background:#f9fafb;display:flex;align-items:center;justify-content:center;min-height:100vh;margin:0}}
+  .card{{background:#fff;border:1px solid #e5e7eb;border-radius:12px;padding:2.5rem;max-width:420px;width:100%;text-align:center;box-shadow:0 1px 3px rgba(0,0,0,.08)}}
+  .icon{{font-size:2.5rem;color:{color};margin-bottom:1rem}}
+  h1{{font-size:1.1rem;font-weight:600;color:#111827;margin:0 0 .5rem}}
+  p{{font-size:.9rem;color:#6b7280;margin:0 0 1.5rem;line-height:1.5}}
+  a{{color:#2563eb;text-decoration:none;font-size:.875rem}}a:hover{{text-decoration:underline}}
+</style></head>
+<body><div class="card">
+  <div class="icon">{icon}</div>
+  <h1>Email Notifications</h1>
+  <p>{message}</p>
+  <a href="/">Return to PocketVeto</a>
+</div></body></html>"""
+
+
 @router.get("/feed/{rss_token}.xml", include_in_schema=False)
 async def rss_feed(rss_token: str, db: AsyncSession = Depends(get_db)):
     """Public tokenized RSS feed — no auth required."""