alembic: add users.password_changed_at column

Backfills existing rows from created_at, then enforces NOT NULL.
Existing sessions without a pw_changed_at marker will be rejected
on next request once the freshness check lands (one-time forced
re-login post-deploy).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

l4d2web/alembic/versions/0009_user_password_changed_at.py

@@ -0,0 +1,32 @@
+"""users.password_changed_at
+
+Revision ID: 0009_user_password_changed_at
+Revises: 0008_user_active
+Create Date: 2026-05-11
+"""
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+
+revision: str = "0009_user_password_changed_at"
+down_revision: Union[str, Sequence[str], None] = "0008_user_active"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    with op.batch_alter_table("users") as batch_op:
+        batch_op.add_column(sa.Column("password_changed_at", sa.DateTime(), nullable=True))
+    op.execute(
+        "UPDATE users SET password_changed_at = created_at "
+        "WHERE password_changed_at IS NULL"
+    )
+    with op.batch_alter_table("users") as batch_op:
+        batch_op.alter_column("password_changed_at", nullable=False)
+
+
+def downgrade() -> None:
+    with op.batch_alter_table("users") as batch_op:
+        batch_op.drop_column("password_changed_at")