Verifies that on a successful change the digest rotates, the
password_changed_at advances, this session keeps working with the
re-stamped marker, and a parallel session forged from the
pre-change marker is rejected by load_current_user.
profile_password_change now writes a naive password_changed_at so
the in-memory marker matches what SQLite returns on next read.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Implements the change-password endpoint:
- Per-IP rate limit reusing services/rate_limit
- Required fields, mismatched-confirm, policy, wrong-current
branches each redirect with a specific ?error= key
- Rotates digest + password_changed_at, then re-stamps the
current session marker so this browser stays logged in
while other sessions get rejected by load_current_user
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Adds the page reachable from the username link in the header.
Renders the form skeleton; the POST handler lands in the next
commit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
