feat: remind SBP bundle users when they change their emails

[amandazhuyilan]

Description

SBP-398: Auto-revoke SBP bundle when a user changes to a non-institutional email

Changes

• On email-change confirmation (POST /me/profile/email/continue), if the user holds an approved SBP bundle and the new email is non-institutional, automatically revoke the bundle and its backing Auth0 role (via existing GroupMembership.revoke()).
• Adds tri-state check_australian_research_institution_email() returning True/False/None; revocation only fires on a definitive non-institutional result — an indeterminate result (e.g. upstream outage) is logged and left untouched, so a transient failure never wrongly strips access.
• Existing is_australian_research_institution_email() now delegates to the tri-state helper; its False-on-error contract (used by registration/request gates) is unchanged.
• Remove biocommons.org.au that was whitelisted in the Australian Institutional list previously - now its added

Related front end changes: AustralianBioCommons/aai-portal#244

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have added unit / integration tests that prove my fix is effective or that my feature works
• I have run all tests locally and they pass
• I have updated the documentation (if applicable)
• For any new secrets, I have updated the shared spreadsheet and the GitHub Secrets.

How to Test Manually (if necessary)

uv run pytest

[marius-mather]

Looks good, just want to clarify how we record the revocation

[marius-mather]

good to go