feat: password reset flow with welcome emails

- POST /auth/forgot-password with welcome/reset email templates
- POST /auth/reset-password with Zod validation, 4-hour tokens
- Per-email rate limiting (3/hr) via Valkey, no user enumeration
- Login page "Forgot password?" toggle with inline form
- /reset-password page for setting new password from email link
- Initial user seed sends welcome email instead of requiring password
- CLI script for force-resetting passwords via kubectl exec
- APP_URL env var in chart, removed INITIAL_USER_PASSWORD

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

chart/templates/backend-deployment.yaml

@@ -93,18 +93,14 @@ spec:
                 secretKeyRef:
                   name: lunarfront-secrets
                   key: business-name
+            - name: APP_URL
+              value: "https://{{ .Values.ingress.host }}"
             - name: INITIAL_USER_EMAIL
               valueFrom:
                 secretKeyRef:
                   name: lunarfront-secrets
                   key: initial-user-email
                   optional: true
-            - name: INITIAL_USER_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: lunarfront-secrets
-                  key: initial-user-password
-                  optional: true
             - name: INITIAL_USER_FIRST_NAME
               valueFrom:
                 secretKeyRef: