feat(phase-39): role-based access control overhaul + forced password change

- Add must_change_password field to User model with migration b023

- Add POST /auth/change-password endpoint with password policy validation

- Add require_password_changed dependency to block requests until password is changed

- Add ChangePasswordModal with live password policy checklist (forced on first login)

- Show password policy in CreateUserModal and EditUserModal

- Fix backend permissions: tests, campaigns, templates, reports, evidence, worklogs

- red_tech/blue_tech: execute only, cannot create tests/campaigns/templates

- red_lead/blue_lead: create/edit tests/campaigns/templates, generate reports, no system access

- viewer: read-only everywhere, can generate reports

- Fix frontend role checks across TestDetailPage, TestDetailHeader, TeamTabs, TestsPage, CampaignsPage, CampaignDetailPage, Sidebar

frontend/src/pages/CampaignDetailPage.tsx

@@ -70,7 +70,7 @@ export default function CampaignDetailPage() {
   };
 
   const role = user?.role ?? "";
-  const canManage = role === "admin" || role === "red_tech";
+  const canManage = role === "admin" || role === "red_lead" || role === "blue_lead";
   const canComplete = role === "admin" || role === "red_lead";
 
   const {

frontend/src/pages/CampaignsPage.tsx

@@ -56,7 +56,7 @@ export default function CampaignsPage() {
     target_platform: "",
   });
 
-  const canCreate = user?.role === "admin" || user?.role === "red_tech";
+  const canCreate = user?.role === "admin" || user?.role === "red_lead" || user?.role === "blue_lead";
 
   const { data, isLoading, error } = useQuery({
     queryKey: ["campaigns", filters],

frontend/src/pages/TestDetailPage.tsx

@@ -344,10 +344,10 @@ export default function TestDetailPage() {
   const role = user?.role ?? "";
   const canSaveRed =
     (test.state === "draft" || test.state === "red_executing") &&
-    (role === "red_tech" || role === "admin");
+    (role === "red_tech" || role === "red_lead" || role === "admin");
   const canSaveBlue =
     test.state === "blue_evaluating" &&
-    (role === "blue_tech" || role === "admin");
+    (role === "blue_tech" || role === "blue_lead" || role === "admin");
 
   // ── Render ─────────────────────────────────────────────────────
 

frontend/src/pages/TestsPage.tsx

@@ -75,7 +75,7 @@ export default function TestsPage() {
   const { user } = useAuth();
 
   const canCreate =
-    user?.role === "admin" || user?.role === "red_tech";
+    user?.role === "admin" || user?.role === "red_lead" || user?.role === "blue_lead";
 
   // ── Filter state ──────────────────────────────────────────────────
   const [stateFilter, setStateFilter] = useState<TestState | "">("");

frontend/src/pages/UsersPage.tsx

@@ -12,6 +12,7 @@ import {
   Edit,
 } from "lucide-react";
 import { getUsers, createUser, updateUser, type UserOut, type UserCreatePayload } from "../api/users";
+import { PasswordPolicyChecklist } from "../components/ChangePasswordModal";
 
 const ROLES = [
   { value: "viewer", label: "Viewer" },
@@ -323,7 +324,11 @@ function CreateUserModal({ onClose, onSubmit, isSubmitting, error }: CreateUserM
                 errors.password ? "border-red-500" : "border-gray-700"
               }`}
             />
+            <PasswordPolicyChecklist password={formData.password} />
             {errors.password && <p className="mt-1 text-sm text-red-400">{errors.password}</p>}
+            <p className="mt-1 text-xs text-amber-400/70">
+              The user will be required to change this password on first login.
+            </p>
           </div>
 
           <div>
@@ -446,6 +451,9 @@ function EditUserModal({ user, onClose, onSubmit, isSubmitting, error }: EditUse
               className="mt-1 w-full rounded-lg border border-gray-700 bg-gray-800 px-3 py-2 text-gray-200"
               placeholder="••••••••"
             />
+            {formData.password.length > 0 && (
+              <PasswordPolicyChecklist password={formData.password} />
+            )}
           </div>
 
           <div className="flex justify-end gap-3 pt-4">