## Context Self-hosted deployments using local auth (non-OIDC) have no password reset flow. A user who forgets their password requires admin DB intervention. ## Acceptance criteria - [ ] "Forgot password" link on login screen (only visible when local auth is enabled) - [ ] Backend: time-limited reset token, single use - [ ] Email delivery via the same hook as invitations (#87) - [ ] Reset flow lands on a password update screen - [ ] Old session tokens invalidated after successful reset - [ ] Audit log entry `auth.password_reset` ## Related - Part of User Management UI work for v0.7 (#87, #89)
Context
Self-hosted deployments using local auth (non-OIDC) have no password reset flow. A user who forgets their password requires admin DB intervention.
Acceptance criteria
auth.password_resetRelated