§4 settings-save backend (no schema change; User already has phone/avatar_url):
- me/ now GET+PATCH (update name/phone/email)
- POST me/password/ — verify old password, set new (>=8), reissue token
- POST me/avatar/ — multipart -> TOS upload -> presigned avatar_url
Verified: profile PATCH 200, password change round-trip 200, original login restored.
Note: notification/theme prefs have no User storage field -> will persist client-side (no migrate per rules).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
AssetFile.preview_url was stored blank on upload, so all thumbnails fell back to placeholders.
Make preview_url a SerializerMethodField that signs a TOS GET URL from object_key on read
(falls back to stored value, or "" when TOS unconfigured / no key). Verified: presigned URL
for an existing object returns HTTP 200 image/png.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
