feat: account management — change email, password, and CLI reset (#10)

API:
- PATCH /auth/me — update email and display name
- PATCH /auth/me/password — change password (requires current)
- GET /auth/me now returns full profile (email, full_name, role)

CLI:
- python -m src.cli.reset_password --email <email> --password <pw>
  for recovery when locked out (run via docker exec)

Admin UI:
- User menu dropdown on the top nav (click username → Account /
  Sign out) replaces the inline sign-out link
- /account page with profile form (email + display name) and
  change password form (current + new + confirm)

docs/deployment-guide.md

@@ -690,6 +690,27 @@ Regardless of deployment method, verify these before going live:
 
 ---
 
+## Password Reset
+
+If you've forgotten your password and can't log in to the admin UI, reset it from the host machine:
+
+```bash
+docker exec consentos-api python -m src.cli.reset_password \
+  --email admin@example.com \
+  --password new-secret-here
+```
+
+The password must be at least 8 characters. The change takes effect immediately — no restart needed. On Kubernetes, run it as a one-off pod:
+
+```bash
+kubectl exec -it deploy/consentos-api -n consentos -- \
+  python -m src.cli.reset_password --email admin@example.com --password new-secret-here
+```
+
+Once logged back in, you can change your email and password from the **Account** page (click your name in the top nav → Account).
+
+---
+
 ## Troubleshooting
 
 | Symptom | Likely cause | Fix |