
feat: enforce mustChangePassword redirect in router guards #346

@Aureliolo


Summary

When the backend sets mustChangePassword: true on a user profile, the web dashboard should enforce a redirect to a /change-password route, preventing navigation to any other page until the password is changed. Currently, mustChangePassword is only surfaced as a toast notification in LoginPage.vue — there is no route-level enforcement.

Context

This was identified during PR #344 review (round 2 external feedback). A TODO comment has been added in web/src/router/guards.ts:

// TODO(#mustChangePassword): Enforce mustChangePassword redirect when
// /change-password route and page are added in the page-views PR.
// Currently only surfaced as a toast in LoginPage.vue.

Requirements

Must have

  1. Add /change-password route — new page-level component (web/src/views/ChangePasswordPage.vue) with current/new/confirm password fields
  2. Router guard enforcement — in web/src/router/guards.ts, if auth.user?.mustChangePassword is true, redirect to /change-password on every navigation (except /change-password itself and /logout)
  3. Password change API call — add endpoint wrapper in web/src/api/endpoints/auth.ts to call the backend's change-password endpoint
  4. On success — clear the mustChangePassword flag on the local user profile and redirect to the originally intended route

Should have

  1. Budget store fetch param tracking — the lastFetchParams tracking added in PR feat: web dashboard core infrastructure (PR 1 of 2) #344 to web/src/stores/budget.ts should be validated end-to-end with the /change-password flow (ensure budget WS events still respect active filters after re-auth)
  2. Approvals store active query tracking — the activeFilters ref added in PR feat: web dashboard core infrastructure (PR 1 of 2) #344 to web/src/stores/approvals.ts should be validated end-to-end similarly (ensure approval WS events only insert into unfiltered views after re-auth)

Nice to have

  1. Password strength indicator — visual feedback on new password strength
  2. Session invalidation — optionally invalidate other sessions after password change

Blocked by

This requires the page-views PR (PR 2) to land first, since /change-password is a new view/route.
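As an added example (not the project's own code), requirement 2 (the guard) and requirement 4 (clear the flag, return to the intended route) written as pure TypeScript functions that can be unit-tested without vue-router; the route paths, the `redirect` query key and the auth-store shape are assumptions. It also refuses an absolute or protocol-relative `redirect` value, so the return-to-intended-route step cannot be turned into an open redirect.

```typescript
// Added example, not code from the repository. Types mirror only the subset of
// vue-router's RouteLocationNormalized and the auth store that the guard needs.
type RouteLike = { path: string; fullPath: string };
type AuthLike = { user?: { mustChangePassword?: boolean } | null };
type GuardResult = true | { path: string; query?: Record<string, string> };

// Routes that must stay reachable while the flag is set (assumed paths).
const ALLOWED_WHILE_FLAGGED = new Set(['/change-password', '/logout']);

// Requirement 2: returning `true` lets vue-router continue; returning a
// location object makes it redirect instead.
function mustChangePasswordGuard(to: RouteLike, auth: AuthLike): GuardResult {
  if (!auth.user?.mustChangePassword) return true;
  if (ALLOWED_WHILE_FLAGGED.has(to.path)) return true;
  // Remember the intended destination so the page can send the user back.
  return { path: '/change-password', query: { redirect: to.fullPath } };
}

// Only honour an in-app path: "https://evil.example" or "//evil.example" in
// ?redirect= would otherwise become an open redirect after re-auth.
function safeRedirectTarget(redirect: string | undefined, fallback = '/'): string {
  if (!redirect) return fallback;
  if (!redirect.startsWith('/') || redirect.startsWith('//')) return fallback;
  if (/[\\\s]/.test(redirect)) return fallback; // backslash / whitespace tricks
  if (ALLOWED_WHILE_FLAGGED.has(redirect.split('?')[0])) return fallback; // no loop
  return redirect;
}

// Requirement 4: after the change-password API call succeeds, clear the local
// flag and compute where to go. Returns the path to hand to router.replace().
function completePasswordChange(auth: AuthLike, redirect?: string): string {
  if (auth.user) auth.user.mustChangePassword = false;
  return safeRedirectTarget(redirect);
}

// Wiring (assumed names) would look like:
//   router.beforeEach((to) => mustChangePasswordGuard(to, useAuthStore()));
// and in ChangePasswordPage.vue after the API call resolves:
//   router.replace(completePasswordChange(auth, route.query.redirect as string | undefined));
```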
