The email-only fallback built &user.User{Issuer: IssuerLocal, Email: cl.Email}.
GetUserWithEmail ANDs only non-zero fields, so an empty cl.Email degenerated the
lookup to issuer-only, matching an arbitrary local user and wrongly linking the
OIDC login to that account (account-takeover / wrong-link).
Guard the email-only branch to only run when cl.Email != "" so an empty email
falls through to user creation (nothing to safely match on). As defense in depth,
skip empty username candidates too, so no fallback search can ever degenerate to
issuer-only ({Issuer, Username:"", Email:""}).
This is a latent pre-existing issue (the pre-#2945 code had the same
searchUser.Email = cl.Email with no empty guard); the #2945 refactor only
surfaced it. Adds a regression test.