Checkpoint: password reset, rule expiry, migrations

- Self-service and admin password-change endpoints
  (PUT /v1/auth/password, PUT /v1/accounts/{id}/password)
- Policy rule time-scoped expiry (not_before / expires_at)
  with migration 000006 and engine filtering
- golang-migrate integration; embedded SQL migrations
- PolicyRecord fieldalignment lint fix

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/model/model.go

@@ -167,18 +167,24 @@ type PGCredAccessGrant struct {
 const (
 	EventPGCredAccessGranted = "pgcred_access_granted" //nolint:gosec // G101: audit event type, not a credential
 	EventPGCredAccessRevoked = "pgcred_access_revoked" //nolint:gosec // G101: audit event type, not a credential
+
+	EventPasswordChanged = "password_changed"
 )
 
 // PolicyRuleRecord is the database representation of a policy rule.
 // RuleJSON holds a JSON-encoded policy.RuleBody (all match and effect fields).
 // The ID, Priority, and Description are stored as dedicated columns.
+// NotBefore and ExpiresAt define an optional validity window; nil means no
+// constraint (always active / never expires).
 type PolicyRuleRecord struct {
-	CreatedAt   time.Time `json:"created_at"`
-	UpdatedAt   time.Time `json:"updated_at"`
-	CreatedBy   *int64    `json:"-"`
-	Description string    `json:"description"`
-	RuleJSON    string    `json:"rule_json"`
-	ID          int64     `json:"id"`
-	Priority    int       `json:"priority"`
-	Enabled     bool      `json:"enabled"`
+	CreatedAt   time.Time  `json:"created_at"`
+	UpdatedAt   time.Time  `json:"updated_at"`
+	NotBefore   *time.Time `json:"not_before,omitempty"`
+	ExpiresAt   *time.Time `json:"expires_at,omitempty"`
+	CreatedBy   *int64     `json:"-"`
+	Description string     `json:"description"`
+	RuleJSON    string     `json:"rule_json"`
+	ID          int64      `json:"id"`
+	Priority    int        `json:"priority"`
+	Enabled     bool       `json:"enabled"`
 }