feat: account management — change email, password, and CLI reset (#10)

API:
- PATCH /auth/me — update email and display name
- PATCH /auth/me/password — change password (requires current)
- GET /auth/me now returns full profile (email, full_name, role)

CLI:
- python -m src.cli.reset_password --email <email> --password <pw>
  for recovery when locked out (run via docker exec)

Admin UI:
- User menu dropdown on the top nav (click username → Account /
  Sign out) replaces the inline sign-out link
- /account page with profile form (email + display name) and
  change password form (current + new + confirm)

apps/api/src/cli/reset_password.py

@@ -0,0 +1,67 @@
+"""Reset a user's password from the command line.
+
+Usage:
+    docker exec consentos-api python -m src.cli.reset_password \\
+        --email admin@example.com --password new-secret
+
+For use when the password has been forgotten and the admin UI is
+inaccessible. Connects directly to the database, so it must run
+inside a container (or host) that can reach PostgreSQL.
+"""
+
+from __future__ import annotations
+
+import argparse
+import sys
+
+import sqlalchemy as sa
+
+
+def _build_sync_url(async_url: str) -> str:
+    return async_url.replace("postgresql+asyncpg://", "postgresql://")
+
+
+def reset(email: str, password: str) -> bool:
+    """Reset the password for the given email. Returns True on success."""
+    from src.config.settings import get_settings
+    from src.services.auth import hash_password
+
+    settings = get_settings()
+    engine = sa.create_engine(_build_sync_url(settings.database_url))
+
+    with engine.begin() as conn:
+        result = conn.execute(
+            sa.text("SELECT id FROM users WHERE email = :email AND deleted_at IS NULL"),
+            {"email": email},
+        )
+        row = result.fetchone()
+        if row is None:
+            return False
+
+        conn.execute(
+            sa.text("UPDATE users SET password_hash = :pw, updated_at = NOW() WHERE id = :id"),
+            {"pw": hash_password(password), "id": str(row[0])},
+        )
+
+    return True
+
+
+def main() -> None:
+    parser = argparse.ArgumentParser(description="Reset a user's password")
+    parser.add_argument("--email", required=True, help="User email address")
+    parser.add_argument("--password", required=True, help="New password")
+    args = parser.parse_args()
+
+    if len(args.password) < 8:
+        print("Error: password must be at least 8 characters", file=sys.stderr)
+        sys.exit(1)
+
+    if reset(args.email, args.password):
+        print(f"Password reset for {args.email}")
+    else:
+        print(f"Error: no active user found with email {args.email}", file=sys.stderr)
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

apps/api/src/routers/auth.py

@@ -8,11 +8,20 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from src.config.settings import get_settings
 from src.db import get_db
 from src.models.user import User
-from src.schemas.auth import CurrentUser, LoginRequest, RefreshRequest, TokenResponse
+from src.schemas.auth import (
+    ChangePasswordRequest,
+    CurrentUser,
+    LoginRequest,
+    ProfileResponse,
+    RefreshRequest,
+    TokenResponse,
+    UpdateProfileRequest,
+)
 from src.services.auth import (
     create_access_token,
     create_refresh_token,
     decode_token,
+    hash_password,
     verify_password,
 )
 from src.services.dependencies import get_current_user
@@ -102,7 +111,74 @@ async def refresh(
     )
 
 
-@router.get("/me", response_model=CurrentUser)
-async def get_me(current_user: CurrentUser = Depends(get_current_user)) -> CurrentUser:
-    """Return the currently authenticated user's profile from the JWT."""
-    return current_user
+@router.get("/me", response_model=ProfileResponse)
+async def get_me(
+    current_user: CurrentUser = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+) -> User:
+    """Return the currently authenticated user's profile."""
+    result = await db.execute(
+        select(User).where(User.id == current_user.id, User.deleted_at.is_(None))
+    )
+    user = result.scalar_one_or_none()
+    if user is None:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    return user
+
+
+@router.patch("/me", response_model=ProfileResponse)
+async def update_profile(
+    body: UpdateProfileRequest,
+    current_user: CurrentUser = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+) -> User:
+    """Update the current user's email or display name."""
+    result = await db.execute(
+        select(User).where(User.id == current_user.id, User.deleted_at.is_(None))
+    )
+    user = result.scalar_one_or_none()
+    if user is None:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+
+    if body.email is not None:
+        # Check uniqueness
+        existing = await db.execute(
+            select(User).where(User.email == body.email, User.id != current_user.id)
+        )
+        if existing.scalar_one_or_none() is not None:
+            raise HTTPException(
+                status_code=status.HTTP_409_CONFLICT,
+                detail="Email already in use",
+            )
+        user.email = body.email
+
+    if body.full_name is not None:
+        user.full_name = body.full_name
+
+    await db.flush()
+    await db.refresh(user)
+    return user
+
+
+@router.patch("/me/password", status_code=status.HTTP_204_NO_CONTENT)
+async def change_password(
+    body: ChangePasswordRequest,
+    current_user: CurrentUser = Depends(get_current_user),
+    db: AsyncSession = Depends(get_db),
+) -> None:
+    """Change the current user's password. Requires the current password."""
+    result = await db.execute(
+        select(User).where(User.id == current_user.id, User.deleted_at.is_(None))
+    )
+    user = result.scalar_one_or_none()
+    if user is None:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+
+    if not verify_password(body.current_password, user.password_hash):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Current password is incorrect",
+        )
+
+    user.password_hash = hash_password(body.new_password)
+    await db.flush()

apps/api/src/schemas/auth.py

@@ -29,6 +29,26 @@ class TokenPayload(BaseModel):
     type: str = "access"  # "access" or "refresh"
 
 
+class ChangePasswordRequest(BaseModel):
+    current_password: str
+    new_password: str
+
+
+class UpdateProfileRequest(BaseModel):
+    email: EmailStr | None = None
+    full_name: str | None = None
+
+
+class ProfileResponse(BaseModel):
+    id: uuid.UUID
+    email: str
+    full_name: str
+    role: str
+    organisation_id: uuid.UUID
+
+    model_config = {"from_attributes": True}
+
+
 class CurrentUser(BaseModel):
     """Represents the authenticated user extracted from a JWT."""
 

apps/api/tests/test_auth.py

@@ -4,6 +4,7 @@ import uuid
 from datetime import UTC, datetime, timedelta
 
 import pytest
+from httpx import ASGITransport, AsyncClient
 from jose import JWTError, jwt
 
 from src.config.settings import get_settings
@@ -140,7 +141,11 @@ class TestAuthEndpoints:
         response = await client.get("/api/v1/auth/me")
         assert response.status_code == 401
 
-    async def test_me_with_valid_token(self, client):
+    async def test_me_with_valid_token(self, app):
+        from unittest.mock import AsyncMock, MagicMock
+
+        from src.db import get_db
+
         user_id = uuid.uuid4()
         org_id = uuid.uuid4()
         token = create_access_token(
@@ -149,10 +154,34 @@ class TestAuthEndpoints:
             role="editor",
             email="user@example.com",
         )
-        response = await client.get(
-            "/api/v1/auth/me",
-            headers={"Authorization": f"Bearer {token}"},
-        )
+
+        mock_user = MagicMock()
+        mock_user.id = user_id
+        mock_user.organisation_id = org_id
+        mock_user.email = "user@example.com"
+        mock_user.full_name = "Test User"
+        mock_user.role = "editor"
+        mock_user.deleted_at = None
+
+        mock_session = AsyncMock()
+        mock_result = MagicMock()
+        mock_result.scalar_one_or_none.return_value = mock_user
+        mock_session.execute.return_value = mock_result
+
+        async def _override():
+            yield mock_session
+
+        app.dependency_overrides[get_db] = _override
+
+        transport = ASGITransport(app=app)
+        async with AsyncClient(transport=transport, base_url="http://test") as client:
+            response = await client.get(
+                "/api/v1/auth/me",
+                headers={"Authorization": f"Bearer {token}"},
+            )
+
+        app.dependency_overrides.pop(get_db, None)
+
         assert response.status_code == 200
         data = response.json()
         assert data["id"] == str(user_id)

apps/api/tests/test_routers_auth.py

@@ -117,7 +117,8 @@ class TestMeEndpoint:
             role="owner",
             email="admin@test.com",
         )
-        db = _mock_db()
+        mock_user = _make_user(id=user_id, org_id=org_id, email="admin@test.com", role="owner")
+        db = _mock_db(scalar_one_or_none=mock_user)
         async with await _client(mock_app, db) as client:
             resp = await client.get(
                 "/api/v1/auth/me",