Password
Forgot-password flow (request + confirm).
Request a password reset code
Triggers Cognito ForgotPassword for the user's tenant. Always returns `{ ok: true }` for unknown users so the endpoint cannot enumerate accounts.
Confirm a password reset code and set a new password
Calls Cognito `ConfirmForgotPassword`. On password-policy failure the response includes the tenant's active policy plus a human-readable message so the SPA can surface the rules. Unknown emails return `{ ok: true }` for enumeration safety.