Restores the lost `mcpctl passwd` command and builds the backend it needs.

Backend (mcpd):
- POST /api/v1/users/me/password — self-service change, requires current
  password. Gated by a new `set-own-password` operation.
- PUT /api/v1/users/:id/password — admin reset of another user, gated by
  edit:users (admins have edit:*). Added users name-resolver for CUID→email.
- UserService.setPassword/verifyPassword; UserRepository.update accepts
  passwordHash + findByIdWithHash.

RBAC, no exceptions: self password change is a default, admin-revocable
permission. Every new user gets a `self-<id>` RbacDefinition granting
`set-own-password`, seeded on create + bootstrap, gated by the
`allowSelfPasswordChange` system setting (stored in the mcpctl-system-settings
secret, default ON; admins disable globally or revoke per-user).

CLI: src/cli/src/commands/passwd.ts (self vs admin paths) + completions.

Tests: users-password route tests (8), auth-bootstrap grant assertion,
passwd live smoke test. Full suite 2214 passing; zero new lint errors.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>