feat: settings page exercises the password-change endpoint

The 0.10.0 backend endpoint had no UI caller — the audit flagged it
as either-ship-a-form-or-remove-the-endpoint dead code. Shipping the
form, plus the bearer-token-keeps-working regression test the audit
asked for to pin the docstring contract.

Backend:
- New test change_password_via_bearer_leaves_bearer_working asserts
  that PATCH /me/password called with Authorization: Bearer wipes
  cookie sessions but leaves the bearer (api_token) intact and usable
  — matches the docstring claim that bot tokens are opt-in to revoke.

Frontend:
- lib/api/auth.ts: new changePassword(input) wrapping PATCH
  /v1/auth/me/password. Vitest covers happy 204, 401 unauthenticated
  (wrong current), 400 invalid_input (weak new) — same envelope
  parsing shape used elsewhere.
- routes/settings/+page.svelte: minimal form with current /
  new / confirm fields, derived passwordsMatch + canSubmit guards
  (submit stays disabled until current is filled, new is ≥8 chars,
  new == confirm). Shows the API's message inline on failure.
  Documents the "other devices signed out, bot tokens stay" UX in a
  short hint.
- routes/+layout.svelte: new "Settings" link in the session-aware
  nav (between username and Logout) for authed users only.
- e2e/settings.spec.ts (5 cases): nav link reaches the form,
  successful change shows confirmation + clears the form, 401
  surfaces inline, password mismatch keeps submit disabled, anonymous
  user gets a sign-in prompt instead of the form.

Lockstep version bump to 0.11.0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

frontend/e2e/settings.spec.ts

@@ -0,0 +1,109 @@
+import { test, expect, type Page } from '@playwright/test';
+
+const userFixture = {
+    id: 'u1',
+    username: 'alice',
+    created_at: '2026-01-01T00:00:00Z'
+};
+
+async function stubAuthenticated(page: Page) {
+    await page.route('**/api/v1/auth/me', (route) =>
+        route.fulfill({
+            status: 200,
+            contentType: 'application/json',
+            body: JSON.stringify({ user: userFixture })
+        })
+    );
+}
+
+test('settings link shows for authed users and reaches the password form', async ({ page }) => {
+    await stubAuthenticated(page);
+    await page.route('**/api/v1/mangas?*', (route) =>
+        route.fulfill({
+            status: 200,
+            contentType: 'application/json',
+            body: JSON.stringify({ items: [], page: { limit: 50, offset: 0, total: 0 } })
+        })
+    );
+
+    await page.goto('/');
+    await expect(page.getByTestId('nav-settings')).toBeVisible();
+    await page.getByTestId('nav-settings').click();
+    await expect(page).toHaveURL(/\/settings$/);
+    await expect(page.getByTestId('password-form')).toBeVisible();
+});
+
+test('changing password shows success and clears the form', async ({ page }) => {
+    await stubAuthenticated(page);
+    let patchCalls = 0;
+    let patchBody: unknown = null;
+    await page.route('**/api/v1/auth/me/password', async (route) => {
+        patchCalls += 1;
+        patchBody = JSON.parse(route.request().postData() ?? '{}');
+        await route.fulfill({ status: 204 });
+    });
+
+    await page.goto('/settings');
+    await page.getByTestId('current-password').fill('hunter2hunter2');
+    await page.getByTestId('new-password').fill('freshpassfreshpass');
+    await page.getByTestId('confirm-password').fill('freshpassfreshpass');
+    await page.getByTestId('password-submit').click();
+
+    await expect(page.getByTestId('password-success')).toContainText('Password updated');
+    expect(patchCalls).toBe(1);
+    expect(patchBody).toEqual({
+        current_password: 'hunter2hunter2',
+        new_password: 'freshpassfreshpass'
+    });
+    // Form should clear after success.
+    await expect(page.getByTestId('current-password')).toHaveValue('');
+});
+
+test('wrong current password surfaces the 401 envelope inline', async ({ page }) => {
+    await stubAuthenticated(page);
+    await page.route('**/api/v1/auth/me/password', (route) =>
+        route.fulfill({
+            status: 401,
+            contentType: 'application/json',
+            body: JSON.stringify({
+                error: { code: 'unauthenticated', message: 'unauthenticated' }
+            })
+        })
+    );
+
+    await page.goto('/settings');
+    await page.getByTestId('current-password').fill('definitelyNotIt');
+    await page.getByTestId('new-password').fill('freshpassfreshpass');
+    await page.getByTestId('confirm-password').fill('freshpassfreshpass');
+    await page.getByTestId('password-submit').click();
+
+    await expect(page.getByTestId('password-error')).toBeVisible();
+});
+
+test('mismatched new + confirm disables the submit button', async ({ page }) => {
+    await stubAuthenticated(page);
+
+    await page.goto('/settings');
+    await page.getByTestId('current-password').fill('hunter2hunter2');
+    await page.getByTestId('new-password').fill('freshpassfreshpass');
+    await page.getByTestId('confirm-password').fill('different');
+
+    await expect(page.getByTestId('mismatch')).toBeVisible();
+    await expect(page.getByTestId('password-submit')).toBeDisabled();
+});
+
+test('anonymous user sees a sign-in prompt on /settings', async ({ page }) => {
+    await page.route('**/api/v1/auth/me', (route) =>
+        route.fulfill({
+            status: 401,
+            contentType: 'application/json',
+            body: JSON.stringify({
+                error: { code: 'unauthenticated', message: 'unauthenticated' }
+            })
+        })
+    );
+
+    await page.goto('/settings');
+    await expect(page.getByTestId('settings-signin')).toBeVisible();
+    await expect(page.getByTestId('password-form')).toHaveCount(0);
+});