feat: 实现密码重置功能与用户搜索API，优化注册登录流程

- 新增忘记密码页面与重置密码确认流程（前端+后端）
- 修复注册验证码页登录跳转路由
- 新增用户搜索API（按邮箱查询）
- 简化infra脚本，统一为app.sh
- 补充密码重置与用户API测试覆盖
- 更新runtime文档与AGENTS配置

backend/src/v1/auth/router.py

@@ -10,6 +10,8 @@ from v1.auth.rate_limit import enforce_rate_limit
 from v1.auth.dependencies import get_auth_service
 from v1.users.dependencies import get_current_user
 from v1.auth.schemas import (
+    PasswordResetConfirmRequest,
+    PasswordResetRequest,
     SessionCreateRequest,
     SessionDeleteRequest,
     SessionRefreshRequest,
@@ -123,3 +125,33 @@ async def get_user_by_email(
     if current_user.role != "service_role" and current_user.email != email:
         raise HTTPException(status_code=403, detail="Forbidden")
     return await service.get_user_by_email(email)
+
+
+@router.post("/password-reset", status_code=204)
+async def request_password_reset(
+    payload: PasswordResetRequest,
+    service: AuthService = Depends(get_auth_service),
+) -> Response:
+    await enforce_rate_limit(
+        scope="password_reset_request",
+        identifier=payload.email,
+        limit=5,
+        window_seconds=60,
+    )
+    await service.request_password_reset(payload)
+    return Response(status_code=204)
+
+
+@router.post("/password-reset/confirm", status_code=204)
+async def confirm_password_reset(
+    payload: PasswordResetConfirmRequest,
+    service: AuthService = Depends(get_auth_service),
+) -> Response:
+    await enforce_rate_limit(
+        scope="password_reset_confirm",
+        identifier=payload.email,
+        limit=10,
+        window_seconds=600,
+    )
+    await service.confirm_password_reset(payload)
+    return Response(status_code=204)