Checkpoint: password reset, rule expiry, migrations

- Self-service and admin password-change endpoints
  (PUT /v1/auth/password, PUT /v1/accounts/{id}/password)
- Policy rule time-scoped expiry (not_before / expires_at)
  with migration 000006 and engine filtering
- golang-migrate integration; embedded SQL migrations
- PolicyRecord fieldalignment lint fix

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/templates/account_detail.html

@@ -44,4 +44,15 @@
   <h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Tags</h2>
   <div id="tags-editor">{{template "tags_editor" .}}</div>
 </div>
+{{if eq (string .Account.AccountType) "human"}}
+<div class="card">
+  <h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Reset Password</h2>
+  <p class="text-muted text-small" style="margin-bottom:.75rem">
+    Set a new password for this account. All active sessions will be revoked.
+  </p>
+  <div id="password-reset-section">
+    {{template "password_reset_form" .}}
+  </div>
+</div>
+{{end}}
 {{end}}