feat: password reset, email change with verification, and password change

Password reset: multi-app support with custom notification linking to correct
frontend (app/portal/admin). Email change: self-service with password
confirmation and admin-initiated, both sending verification to new address
with 24h expiry. Confirmation sent to old email on completion. Password
change: authenticated endpoint revoking other sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/database/migrations/2026_04_14_300000_create_email_change_requests_table.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('email_change_requests', function (Blueprint $table) {
+            $table->ulid('id')->primary();
+            $table->ulid('user_id');
+            $table->string('current_email');
+            $table->string('new_email');
+            $table->string('token');
+            $table->ulid('requested_by_user_id')->nullable();
+            $table->string('status')->default('pending');
+            $table->timestamp('expires_at');
+            $table->timestamp('verified_at')->nullable();
+            $table->timestamps();
+
+            $table->foreign('user_id')->references('id')->on('users')->cascadeOnDelete();
+            $table->foreign('requested_by_user_id')->references('id')->on('users')->nullOnDelete();
+            $table->index(['user_id', 'status']);
+            $table->index(['token']);
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('email_change_requests');
+    }
+};