fix(audit): MEDIUMs sweep — mobile More-sheet, portal profile, inline override, dialog UX, ext-EOI gate

R2-M11: mobile More-sheet missing 4 destinations. Added Reservations,
Notifications, Residential, Website analytics — anyone using mobile
chrome to triage on the go can now reach those domains.

R2-M12: portal had no profile / change-password surface. New
/portal/profile page with read-only contact details + a
ChangePasswordForm component, backed by a new POST
/api/portal/auth/change-password endpoint and
changePortalPassword() service function. Audits both ok and failure
cases at warning severity. Added Profile to PortalNav.

R2-M1: portal dashboard "My Memberships" tile had no href and no
/portal/memberships route — dead-end on tap. Hidden until a
memberships page ships; the count remains in the underlying data.

R2-M7: InlineStagePicker never sent override:true so users with
interests.override_stage couldn't actually use the perm from the
inline chip — they had to fall back to the modal picker. Now the
picker auto-detects when a transition isn't legal AND the user has
override_stage, sets override:true, and supplies a default reason.

Frontend M2: hard-delete-dialog confirm stage now has a "Send a new
code" link in case the original expired before the user could enter
it. Avoids forcing a full Cancel + reopen.

Frontend M4: audit-log-list date-range validation. From > To now
shows an inline error and skips the request rather than firing an
empty-range query that surfaces "no entries found".

R2-M6: external-EOI route now requires interests.edit AND
documents.upload_signed (defense-in-depth) — uploading a signed EOI
mutates interest state, so the upload-signed perm alone shouldn't
let a custom role flip an interest.

1175/1175 vitest passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/lib/services/portal-auth.service.ts

@@ -159,6 +159,54 @@ export async function resendActivation(portalUserId: string, portId: string): Pr
   });
 }
 
+// ─── Self-service password change (logged-in portal user) ───────────────────
+
+export async function changePortalPassword(args: {
+  portalUserId: string;
+  currentPassword: string;
+  newPassword: string;
+}): Promise<void> {
+  if (args.newPassword.length < MIN_PASSWORD_LENGTH) {
+    throw new ValidationError(`Password must be at least ${MIN_PASSWORD_LENGTH} characters`);
+  }
+  const user = await db.query.portalUsers.findFirst({
+    where: eq(portalUsers.id, args.portalUserId),
+  });
+  if (!user || !user.isActive || !user.passwordHash) {
+    throw new UnauthorizedError('Account not found');
+  }
+  const ok = await verifyPassword(args.currentPassword, user.passwordHash);
+  if (!ok) {
+    void createAuditLog({
+      userId: null,
+      portId: user.portId,
+      action: 'password_change',
+      entityType: 'portal_user',
+      entityId: user.id,
+      metadata: { ok: false, reason: 'wrong_current_password' },
+      severity: 'warning',
+      source: 'auth',
+    });
+    throw new UnauthorizedError('Current password is incorrect');
+  }
+  const passwordHash = await hashPassword(args.newPassword);
+  await db
+    .update(portalUsers)
+    .set({ passwordHash, updatedAt: new Date() })
+    .where(eq(portalUsers.id, user.id));
+
+  void createAuditLog({
+    userId: null,
+    portId: user.portId,
+    action: 'password_change',
+    entityType: 'portal_user',
+    entityId: user.id,
+    metadata: { ok: true },
+    severity: 'info',
+    source: 'auth',
+  });
+}
+
 // ─── Activation: client sets their initial password ──────────────────────────
 
 export async function activateAccount(rawToken: string, password: string): Promise<void> {