feat: add account management, email verification, AI fixes, and user guides

- Profile settings, account transfer, delete/leave account flows
- Email verification with JWT tokens and Resend integration
- AI assistant/copilot fixes: markdown rendering, shared RAG helpers,
  token tracking, input refocus, model_validate usage
- User guides hub + detail pages with 13 topic guides
- Sidebar and top bar navigation for guides

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/api/endpoints/auth.py

@@ -15,6 +15,7 @@ from app.core.security import (
     create_access_token,
     create_refresh_token,
     create_password_reset_token,
+    create_email_verification_token,
     decode_token,
     hash_token,
 )
@@ -24,7 +25,7 @@ from app.models.refresh_token import RefreshToken
 from app.models.account import Account
 from app.models.subscription import Subscription
 from app.models.account_invite import AccountInvite
-from app.schemas.user import UserCreate, UserResponse, UserLogin
+from app.schemas.user import UserCreate, UserResponse, UserLogin, UserUpdate
 from app.schemas.token import Token
 from app.schemas.auth_password import (
     ChangePasswordRequest,
@@ -34,6 +35,7 @@ from app.schemas.auth_password import (
     ResetPasswordRequest,
 )
 from app.models.password_reset_token import PasswordResetToken
+from app.models.email_verification_token import EmailVerificationToken
 from app.core.email import EmailService
 from app.api.deps import get_current_active_user, get_refresh_token_payload
 from app.core.audit import log_audit
@@ -351,6 +353,54 @@ async def get_me(
     return current_user
 
 
+@router.patch("/me", response_model=UserResponse)
+async def update_me(
+    data: UserUpdate,
+    current_user: Annotated[User, Depends(get_current_active_user)],
+    db: Annotated[AsyncSession, Depends(get_db)]
+):
+    """Update current user's profile (name, email)."""
+    update_fields = data.model_fields_set - {"current_password"}
+    if not update_fields:
+        return current_user
+
+    # Email change requires current_password
+    if "email" in data.model_fields_set:
+        if not data.current_password:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Current password is required to change email"
+            )
+        if not verify_password(data.current_password, current_user.password_hash):
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Current password is incorrect"
+            )
+        # Check uniqueness
+        result = await db.execute(
+            select(User).where(User.email == data.email, User.id != current_user.id)
+        )
+        if result.scalar_one_or_none():
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Email already registered"
+            )
+        current_user.email = data.email
+
+    if "name" in data.model_fields_set and data.name is not None:
+        current_user.name = data.name
+
+    # Handle simple string profile fields
+    for field in ("phone", "job_title", "timezone"):
+        if field in data.model_fields_set:
+            setattr(current_user, field, getattr(data, field))
+
+    await log_audit(db, current_user.id, "auth.profile_update", "user", current_user.id)
+    await db.commit()
+    await db.refresh(current_user)
+    return current_user
+
+
 @router.post("/logout")
 async def logout(
     payload: Annotated[dict, Depends(get_refresh_token_payload)],
@@ -543,3 +593,97 @@ async def reset_password(
     await db.commit()
 
     return {"message": "Password has been reset successfully"}
+
+
+@router.post("/email/send-verification")
+@limiter.limit("3/minute")
+async def send_verification_email(
+    request: Request,
+    current_user: Annotated[User, Depends(get_current_active_user)],
+    db: Annotated[AsyncSession, Depends(get_db)]
+):
+    """Send an email verification link to the current user."""
+    if current_user.email_verified_at is not None:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Email is already verified"
+        )
+
+    raw_token = create_email_verification_token(str(current_user.id))
+    payload = decode_token(raw_token)
+    if payload and payload.get("jti"):
+        token_record = EmailVerificationToken(
+            token_hash=hash_token(payload["jti"]),
+            user_id=current_user.id,
+            expires_at=datetime.fromtimestamp(payload["exp"], tz=timezone.utc),
+        )
+        db.add(token_record)
+        await db.commit()
+
+        verification_url = f"{settings.FRONTEND_URL}/verify-email?token={raw_token}"
+        await EmailService.send_email_verification_email(
+            to_email=current_user.email,
+            verification_url=verification_url,
+        )
+
+    return {"message": "Verification email sent"}
+
+
+@router.post("/email/verify")
+async def verify_email(
+    data: dict,
+    db: Annotated[AsyncSession, Depends(get_db)]
+):
+    """Verify an email using a token. Public endpoint."""
+    token = data.get("token")
+    if not token:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Token is required"
+        )
+
+    payload = decode_token(token)
+    if not payload or payload.get("type") != "email_verification":
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid or expired verification token"
+        )
+
+    jti = payload.get("jti")
+    user_id = payload.get("sub")
+    if not jti or not user_id:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid verification token"
+        )
+
+    result = await db.execute(
+        select(EmailVerificationToken).where(
+            EmailVerificationToken.token_hash == hash_token(jti)
+        )
+    )
+    token_record = result.scalar_one_or_none()
+
+    if not token_record or not token_record.is_valid:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Verification token has already been used or has expired"
+        )
+
+    # Mark token as used
+    token_record.used_at = datetime.now(timezone.utc)
+
+    # Mark user email as verified
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid verification token"
+        )
+
+    user.email_verified_at = datetime.now(timezone.utc)
+    await log_audit(db, user.id, "auth.email_verified", "user", user.id)
+    await db.commit()
+
+    return {"message": "Email verified successfully"}