feat: 实现密码重置功能与用户搜索API，优化注册登录流程

- 新增忘记密码页面与重置密码确认流程（前端+后端）
- 修复注册验证码页登录跳转路由
- 新增用户搜索API（按邮箱查询）
- 简化infra脚本，统一为app.sh
- 补充密码重置与用户API测试覆盖
- 更新runtime文档与AGENTS配置

backend/src/v1/auth/gateway.py

@@ -1,6 +1,7 @@
 from __future__ import annotations
 
 import asyncio
+from collections.abc import Mapping
 from typing import Any, cast
 
 from fastapi import HTTPException
@@ -10,6 +11,8 @@ from core.config.settings import SupabaseSettings, config
 from core.logging import get_logger
 from v1.auth.schemas import (
     AuthUser,
+    PasswordResetConfirmRequest,
+    PasswordResetRequest,
     SessionCreateRequest,
     SessionRefreshRequest,
     SessionResponse,
@@ -150,6 +153,64 @@ class SupabaseAuthGateway(AuthServiceGateway):
             ),
         )
 
+    async def request_password_reset(self, request: PasswordResetRequest) -> None:
+        try:
+            reset_email = cast(Any, self._client.auth.reset_password_email)
+            email = _coerce_reset_email(request.email)
+            if request.redirect_to:
+                options: dict[str, str] = {"redirect_to": request.redirect_to}
+                await asyncio.to_thread(reset_email, email, options=options)
+            else:
+                await asyncio.to_thread(reset_email, email)
+        except AuthError as exc:
+            logger.warning(
+                "Password reset request failed",
+                error_type=type(exc).__name__,
+            )
+
+    async def confirm_password_reset(
+        self, request: PasswordResetConfirmRequest
+    ) -> None:
+        verify_payload: dict[str, Any] = {
+            "type": "recovery",
+            "email": request.email,
+            "token": request.token,
+        }
+        try:
+            verify_otp = cast(Any, self._client.auth.verify_otp)
+            response = await asyncio.to_thread(verify_otp, verify_payload)
+            session = getattr(response, "session", None)
+            user = getattr(response, "user", None)
+            user_id = str(getattr(user, "id", "")) if user is not None else ""
+            if session is None or not user_id:
+                raise HTTPException(
+                    status_code=401, detail="Invalid or expired verification code"
+                )
+            await asyncio.to_thread(
+                self._admin_client.auth.admin.update_user_by_id,
+                user_id,
+                {"password": request.new_password},
+            )
+        except AuthError as exc:
+            logger.warning(
+                "Password reset confirm failed", error_type=type(exc).__name__
+            )
+            raise HTTPException(
+                status_code=401, detail="Invalid or expired verification code"
+            ) from exc
+
+
+def _coerce_reset_email(value: object) -> str:
+    if isinstance(value, str):
+        return value
+
+    if isinstance(value, Mapping):
+        nested = value.get("email") or value.get("value")
+        if isinstance(nested, str):
+            return nested
+
+    raise HTTPException(status_code=422, detail="Invalid email")
+
 
 def _map_auth_response(response: object, failure_message: str) -> SessionResponse:
     session = getattr(response, "session", None)