feat: password reset, email change with verification, and password change

Password reset: multi-app support with custom notification linking to correct
frontend (app/portal/admin). Email change: self-service with password
confirmation and admin-initiated, both sending verification to new address
with 24h expiry. Confirmation sent to old email on completion. Password
change: authenticated endpoint revoking other sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

api/tests/Feature/Security/AuthenticationSecurityTest.php

@@ -100,6 +100,7 @@ final class AuthenticationSecurityTest extends TestCase
     {
         $response = $this->postJson('/api/v1/auth/forgot-password', [
             'email' => 'nonexistent@example.com',
+            'app' => 'app',
         ]);
 
         // Must return 200 regardless — don't leak whether email exists
@@ -112,6 +113,7 @@ final class AuthenticationSecurityTest extends TestCase
 
         $response = $this->postJson('/api/v1/auth/forgot-password', [
             'email' => $user->email,
+            'app' => 'app',
         ]);
 
         $response->assertOk();