Because:
* Passkey authentication is a single-gesture ceremony that inherently proves
both possession and user presence, so the resulting session token should be
fully verified (AAL2) from the moment of creation — unlike email/TOTP flows
that require a separate verification step after the session exists.
This commit:
* Adds DB migration patch 188→189 introducing createVerifiedSessionToken_1, a stored procedure that INSERTs the session token with verificationMethod and verifiedAt already set in one operation, eliminating any AAL1 window
* Adds revert patch 189→188 (all statements commented per convention)
* Wires up RawSessionToken.createVerified (fxa-shared) and db.createPasskeyVerifiedSessionToken (fxa-auth-server) backed by the new procedure; the auth-server method name makes the passkey-specific use explicit, while RawSessionToken.createVerified stays generic for future pre-verified flows
* Replaces the two-step createSessionToken + verifyTokensWithMethod call in PasskeyHandler with a single db.createPasskeyVerifiedSessionToken call, removing the orphan-cleanup try/catch
* Updates passkey session token tests to reflect the atomic operation
Closes #FXA-13444