aad9bd683b
§4 settings-save backend (no schema change; User already has phone/avatar_url): - me/ now GET+PATCH (update name/phone/email) - POST me/password/ — verify old password, set new (>=8), reissue token - POST me/avatar/ — multipart -> TOS upload -> presigned avatar_url Verified: profile PATCH 200, password change round-trip 200, original login restored. Note: notification/theme prefs have no User storage field -> will persist client-side (no migrate per rules). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>