feat(phase-39): role-based access control overhaul + forced password change

- Add must_change_password field to User model with migration b023

- Add POST /auth/change-password endpoint with password policy validation

- Add require_password_changed dependency to block requests until password is changed

- Add ChangePasswordModal with live password policy checklist (forced on first login)

- Show password policy in CreateUserModal and EditUserModal

- Fix backend permissions: tests, campaigns, templates, reports, evidence, worklogs

- red_tech/blue_tech: execute only, cannot create tests/campaigns/templates

- red_lead/blue_lead: create/edit tests/campaigns/templates, generate reports, no system access

- viewer: read-only everywhere, can generate reports

- Fix frontend role checks across TestDetailPage, TestDetailHeader, TeamTabs, TestsPage, CampaignsPage, CampaignDetailPage, Sidebar

backend/app/schemas/user.py

@@ -83,6 +83,18 @@ class UserUpdate(BaseModel):
 
 # ── Read (full) ─────────────────────────────────────────────────────
 
+class PasswordChange(BaseModel):
+    """Payload for changing the current user's password."""
+
+    current_password: str
+    new_password: str
+
+    @field_validator("new_password")
+    @classmethod
+    def new_password_strength(cls, v: str) -> str:
+        return _validate_password_strength(v)
+
+
 class UserOut(BaseModel):
     """Complete representation returned by the API."""
 
@@ -91,6 +103,7 @@ class UserOut(BaseModel):
     email: str | None = None
     role: str
     is_active: bool
+    must_change_password: bool = True
     created_at: datetime | None = None
     last_login: datetime | None = None