feat: password reset, email change with verification, and password change

Password reset: multi-app support with custom notification linking to correct
frontend (app/portal/admin). Email change: self-service with password
confirmation and admin-initiated, both sending verification to new address
with 24h expiry. Confirmation sent to old email on completion. Password
change: authenticated endpoint revoking other sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/app/Http/Controllers/Api/V1/MemberController.php

@@ -10,7 +10,9 @@ use App\Http\Resources\Api\V1\MemberCollection;
 use App\Http\Resources\Api\V1\MemberResource;
 use App\Models\Organisation;
 use App\Models\User;
+use App\Services\EmailChangeService;
 use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Gate;
 
 final class MemberController extends Controller
@@ -81,4 +83,30 @@ final class MemberController extends Controller
 
         return response()->json(null, 204);
     }
+
+    /**
+     * POST /api/v1/organisations/{organisation}/members/{user}/change-email
+     * Admin changes a member's email (sends verification to new address).
+     */
+    public function changeEmail(Request $request, Organisation $organisation, User $user): JsonResponse
+    {
+        Gate::authorize('invite', $organisation);
+
+        $validated = $request->validate([
+            'new_email' => ['required', 'email', 'max:255'],
+        ]);
+
+        $frontendUrl = config('app.frontend_app_url');
+
+        app(EmailChangeService::class)->requestChange(
+            $user,
+            $validated['new_email'],
+            $request->user(),
+            $frontendUrl,
+        );
+
+        return $this->success(
+            message: 'Er is een verificatiemail verstuurd naar ' . $validated['new_email'] . '.',
+        );
+    }
 }