Checkpoint: password reset, rule expiry, migrations

- Self-service and admin password-change endpoints
  (PUT /v1/auth/password, PUT /v1/accounts/{id}/password)
- Policy rule time-scoped expiry (not_before / expires_at)
  with migration 000006 and engine filtering
- golang-migrate integration; embedded SQL migrations
- PolicyRecord fieldalignment lint fix

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

web/templates/fragments/policy_form.html

@@ -72,6 +72,16 @@
       Owner must match subject (self-service rules only)
     </label>
   </div>
+  <div style="display:grid;grid-template-columns:1fr 1fr;gap:.5rem;margin-bottom:.5rem">
+    <div>
+      <label class="text-small text-muted">Not before (UTC, optional)</label>
+      <input class="form-control" type="datetime-local" name="not_before" style="font-size:.85rem">
+    </div>
+    <div>
+      <label class="text-small text-muted">Expires at (UTC, optional)</label>
+      <input class="form-control" type="datetime-local" name="expires_at" style="font-size:.85rem">
+    </div>
+  </div>
   <button class="btn btn-sm btn-secondary" type="submit">Create Rule</button>
 </form>
 {{end}}