feat: user management — admin create, password reset, archive/delete, quick invite

Phase 1: must_change_password enforcement + change password endpoint/page
Phase 2: Admin user creation (M365-style) with temp password
Phase 3: Password reset (self-service forgot + admin-triggered)
Phase 4: User archive (soft delete) + hard delete with precheck
Phase 5: Quick invite from admin Users page

Also fixes:
- Auto-create subscription for accounts missing one
- Hard delete precheck ignores sole-member personal accounts
- Seed script patches tree nodes for validation compliance

Migrations: 031 (must_change_password), 032 (password_reset_tokens), 033 (user soft delete)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/alembic/versions/033_add_soft_delete_to_users.py

@@ -0,0 +1,32 @@
+"""add soft delete to users
+
+Revision ID: 033
+Revises: 032
+Create Date: 2026-02-12
+
+Adds deleted_at and deleted_by columns to users table for soft delete (archive).
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects.postgresql import UUID
+
+
+# revision identifiers, used by Alembic.
+revision: str = '033'
+down_revision: Union[str, None] = '032'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    op.add_column('users', sa.Column('deleted_at', sa.DateTime(timezone=True), nullable=True))
+    op.add_column('users', sa.Column('deleted_by', UUID(as_uuid=True), sa.ForeignKey('users.id'), nullable=True))
+    op.create_index('ix_users_deleted_at', 'users', ['deleted_at'])
+
+
+def downgrade() -> None:
+    op.drop_index('ix_users_deleted_at', table_name='users')
+    op.drop_column('users', 'deleted_by')
+    op.drop_column('users', 'deleted_at')