feat(settings): password change, 2FA enable/disable, API-key UI + Swagger; fix Owner RBAC drift

Settings was missing self-service account security and any API-key UI:
- Account security (new Security tab): change password (POST /auth/change-password
  — verifies current via Argon2, rejects unchanged), enable 2FA (wires the
  existing /auth/2fa/setup QR + /auth/2fa/verify), and disable 2FA (new
  POST /auth/2fa/disable, requires a current code so a hijacked session can't
  strip the second factor).
- New API tab: create/list/revoke per-license API keys (the overnight backend
  had no UI), plaintext shown once, plus an 'API docs' button to /api/docs (Swagger).

Root-cause RBAC fix — the system-default Owner role enumerated per-resource
wildcards (server.*, wipe.*, ...) and drifted: apikeys, webhooks, alerts,
analytics, chat, schedules, notifications, map, users and ALL plugin-config
modules (plus singular plugin.* vs granted plugins.*) were locked out for any
non-super-admin Owner. Owner = full control of its license:
- migration 025 sets the Owner role to {"*": true}
- PermissionsGuard honors '*' as allow-all
- frontend hasPermission honors '*' and resource.* wildcards (was exact-match
  only, so wildcard-based roles silently failed)

Backend tsc + frontend build green. NOTE: migration 025 auto-applies on a fresh
DB (Saturday); the live DB needs the one-line UPDATE applied to unlock the API
tab for a non-super-admin owner.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

backend-nest/src/common/guards/permissions.guard.ts

@@ -28,6 +28,10 @@ export class PermissionsGuard implements CanActivate {
     const permissions = user.permissions as Record<string, boolean> | undefined;
     if (!permissions) return false;
 
+    // Global wildcard — the Owner role (full control of its license) carries
+    // {"*": true}, so new features never need to amend the role enumeration.
+    if (permissions['*'] === true) return true;
+
     // Support wildcard: "server.*" matches "server.view", "server.console", etc.
     const parts = requiredPermission.split('.');
     const wildcard = parts[0] + '.*';

backend-nest/src/modules/auth/auth.controller.ts

@@ -13,6 +13,7 @@ import { LoginDto } from './dto/login.dto';
 import { RefreshTokenDto } from './dto/refresh-token.dto';
 import { VerifyTotpDto } from './dto/verify-totp.dto';
 import { UpdateProfileDto } from './dto/update-profile.dto';
+import { ChangePasswordDto } from './dto/change-password.dto';
 import { ForgotPasswordDto } from './dto/forgot-password.dto';
 import { ResetPasswordDto } from './dto/reset-password.dto';
 import { Public } from '../../common/decorators/public.decorator';
@@ -61,6 +62,30 @@ export class AuthController {
     return this.authService.verifyTotp(userId, dto.code);
   }
 
+  @Post('2fa/disable')
+  @ApiBearerAuth()
+  @ApiOperation({ summary: 'Disable TOTP 2FA (requires a current code)' })
+  async disableTotp(
+    @CurrentUser('sub') userId: string,
+    @Body() dto: VerifyTotpDto,
+  ) {
+    return this.authService.disableTotp(userId, dto.code);
+  }
+
+  @Post('change-password')
+  @ApiBearerAuth()
+  @ApiOperation({ summary: 'Change the current user password' })
+  async changePassword(
+    @CurrentUser('sub') userId: string,
+    @Body() dto: ChangePasswordDto,
+  ) {
+    return this.authService.changePassword(
+      userId,
+      dto.current_password,
+      dto.new_password,
+    );
+  }
+
   @Get('me')
   @ApiBearerAuth()
   @ApiOperation({ summary: 'Get current user profile' })

backend-nest/src/modules/auth/auth.service.ts

@@ -335,6 +335,56 @@ export class AuthService {
     throw new NotImplementedException('Password reset not yet configured');
   }
 
+  async changePassword(userId: string, currentPassword: string, newPassword: string) {
+    const user = await this.userRepository.findOne({ where: { id: userId } });
+    if (!user) {
+      throw new NotFoundException('User not found');
+    }
+
+    const valid = await argon2.verify(user.password_hash, currentPassword);
+    if (!valid) {
+      throw new UnauthorizedException('Current password is incorrect');
+    }
+
+    if (await argon2.verify(user.password_hash, newPassword)) {
+      throw new BadRequestException('New password must be different from the current one');
+    }
+
+    const password_hash = await argon2.hash(newPassword);
+    await this.userRepository.update(user.id, { password_hash });
+    this.logger.log(`Password changed for user ${user.id}`);
+
+    // NOTE: existing JWTs remain valid until expiry — this design has no
+    // server-side refresh-token store to revoke. Session invalidation on
+    // password change is a follow-up (tracked separately).
+    return { success: true };
+  }
+
+  async disableTotp(userId: string, code: string) {
+    const user = await this.userRepository.findOne({ where: { id: userId } });
+    if (!user) {
+      throw new NotFoundException('User not found');
+    }
+
+    if (!user.totp_enabled) {
+      throw new BadRequestException('2FA is not enabled');
+    }
+
+    // Require a valid current code — proves possession of the second factor
+    // before removing it, so a hijacked session can't silently strip 2FA.
+    const valid = await this.verifyTotpCode(user, code);
+    if (!valid) {
+      throw new UnauthorizedException('Invalid TOTP code');
+    }
+
+    await this.userRepository.update(user.id, {
+      totp_enabled: false,
+      totp_secret: null,
+    });
+    this.logger.log(`TOTP disabled for user ${user.id}`);
+    return { success: true };
+  }
+
   // Helper methods
 
   private async generateTokens(user: User, licenseId?: string) {

backend-nest/src/modules/auth/dto/change-password.dto.ts

@@ -0,0 +1,14 @@
+import { IsString, MinLength, MaxLength } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';
+
+export class ChangePasswordDto {
+  @ApiProperty({ description: 'Current account password' })
+  @IsString()
+  current_password: string;
+
+  @ApiProperty({ description: 'New password', minLength: 8, maxLength: 128 })
+  @IsString()
+  @MinLength(8)
+  @MaxLength(128)
+  new_password: string;
+}