feat(frontend): add forgot-password and reset-password pages

- /forgot-password: email form → sends POST /api/auth/forgot-password → success banner
- /reset-password: password form reads token from URL → sends POST /api/auth/reset-password
- Login page: add "Passwort vergessen?" link
- hooks.server.ts: add /forgot-password and /reset-password to PUBLIC_PATHS; skip auth
  injection for public auth API endpoints
- errors.ts: add INVALID_RESET_TOKEN error code
- i18n: add all new message keys in de/en/es
- playwright.config.ts: use E2E_BASE_URL for webServer check URL (allows reusing docker
  dev server at port 5173 locally)
- ci.yml: pass E2E_BACKEND_URL=http://localhost:8080 to E2E test step
- e2e/password-reset.spec.ts: 5 tests (4 pass locally, full flow requires e2e profile in CI)
- Regenerated OpenAPI types including new /api/auth/* endpoints

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

frontend/src/routes/forgot-password/+page.server.ts

@@ -0,0 +1,20 @@
+import { fail } from '@sveltejs/kit';
+import type { Actions } from './$types';
+import { createApiClient } from '$lib/api.server';
+
+export const actions = {
+	default: async ({ request, fetch }) => {
+		const formData = await request.formData();
+		const email = formData.get('email') as string;
+
+		if (!email) {
+			return fail(400, { error: 'Email is required' });
+		}
+
+		const api = createApiClient(fetch);
+		await api.POST('/api/auth/forgot-password', { body: { email } });
+
+		// Always return success — never disclose whether the email exists
+		return { success: true };
+	}
+} satisfies Actions;

frontend/src/routes/forgot-password/+page.svelte

@@ -0,0 +1,84 @@
+<script lang="ts">
+import { m } from '$lib/paraglide/messages.js';
+
+let { form }: { form?: { error?: string; success?: boolean } } = $props();
+</script>
+
+<div class="relative flex min-h-screen flex-col bg-white">
+	<!-- Accent strip -->
+	<div class="h-1 bg-brand-purple"></div>
+
+	<div class="flex flex-1 items-center justify-center px-4">
+		<div class="w-full max-w-sm">
+			<!-- Logo -->
+			<div class="mb-10 text-center">
+				<a href="/" class="inline-flex items-center" aria-label="Familienarchiv">
+					<span class="font-sans text-2xl font-bold tracking-widest text-brand-navy uppercase"
+						>Familienarchiv</span
+					>
+				</a>
+			</div>
+
+			<!-- Card -->
+			<div class="rounded-sm border border-brand-sand bg-white p-8 shadow-sm">
+				<h1 class="mb-6 font-sans text-sm font-bold tracking-widest text-brand-navy uppercase">
+					{m.forgot_password_heading()}
+				</h1>
+
+				{#if form?.success}
+					<div class="mb-5 rounded-sm border border-green-200 bg-green-50 px-4 py-3">
+						<p class="font-sans text-xs text-green-700">{m.forgot_password_success()}</p>
+					</div>
+
+					<a
+						href="/login"
+						class="font-sans text-xs text-gray-400 transition-colors hover:text-brand-navy"
+						>{m.forgot_password_back_to_login()}</a
+					>
+				{:else}
+					<form method="POST" class="space-y-5">
+						<div>
+							<label
+								for="email"
+								class="mb-1.5 block font-sans text-xs font-bold tracking-widest text-gray-500 uppercase"
+								>{m.forgot_password_email_label()}</label
+							>
+							<input
+								type="email"
+								name="email"
+								id="email"
+								required
+								autocomplete="email"
+								class="block w-full border border-gray-300 px-3 py-2.5 font-serif text-sm text-brand-navy placeholder-gray-400 focus:border-brand-navy focus:ring-1 focus:ring-brand-navy focus:outline-none"
+							/>
+						</div>
+
+						{#if form?.error}
+							<div class="text-center font-sans text-xs font-medium text-red-600">{form.error}</div>
+						{/if}
+
+						<button
+							type="submit"
+							class="mt-2 w-full bg-brand-navy py-2.5 font-sans text-xs font-bold tracking-widest text-white uppercase transition-colors hover:bg-brand-navy/90"
+						>
+							{m.forgot_password_submit()}
+						</button>
+
+						<div class="mt-4 text-center">
+							<a
+								href="/login"
+								class="font-sans text-xs text-gray-400 transition-colors hover:text-brand-navy"
+								>{m.forgot_password_back_to_login()}</a
+							>
+						</div>
+					</form>
+				{/if}
+			</div>
+		</div>
+	</div>
+
+	<!-- Footer -->
+	<div class="py-4 text-center">
+		<p class="font-sans text-xs tracking-widest text-gray-300 uppercase">Familienarchiv</p>
+	</div>
+</div>

frontend/src/routes/login/+page.svelte

@@ -89,6 +89,14 @@ const activeLocale = $derived(getLocale().toUpperCase());
 					>
 						{m.login_btn_submit()}
 					</button>
+
+					<div class="mt-4 text-center">
+						<a
+							href="/forgot-password"
+							class="font-sans text-xs text-gray-400 transition-colors hover:text-brand-navy"
+							>{m.login_forgot_password()}</a
+						>
+					</div>
 				</form>
 			</div>
 		</div>

frontend/src/routes/reset-password/+page.server.ts

@@ -0,0 +1,34 @@
+import { fail } from '@sveltejs/kit';
+import type { Actions, PageServerLoad } from './$types';
+import { createApiClient } from '$lib/api.server';
+import { parseBackendError } from '$lib/errors';
+
+export const load: PageServerLoad = async ({ url }) => {
+	const token = url.searchParams.get('token');
+	return { token };
+};
+
+export const actions = {
+	default: async ({ request, fetch }) => {
+		const formData = await request.formData();
+		const token = formData.get('token') as string;
+		const newPassword = formData.get('newPassword') as string;
+		const confirmPassword = formData.get('confirmPassword') as string;
+
+		if (newPassword !== confirmPassword) {
+			return fail(400, { error: 'MISMATCH' });
+		}
+
+		const api = createApiClient(fetch);
+		const result = await api.POST('/api/auth/reset-password', {
+			body: { token, newPassword }
+		});
+
+		if (!result.response.ok) {
+			const backendError = await parseBackendError(result.response);
+			return fail(400, { error: backendError?.code ?? 'INTERNAL_ERROR' });
+		}
+
+		return { success: true };
+	}
+} satisfies Actions;

frontend/src/routes/reset-password/+page.svelte

@@ -0,0 +1,113 @@
+<script lang="ts">
+import { m } from '$lib/paraglide/messages.js';
+import { getErrorMessage } from '$lib/errors';
+
+let {
+	data,
+	form
+}: {
+	data: { token: string | null };
+	form?: { error?: string; success?: boolean };
+} = $props();
+</script>
+
+<div class="relative flex min-h-screen flex-col bg-white">
+	<!-- Accent strip -->
+	<div class="h-1 bg-brand-purple"></div>
+
+	<div class="flex flex-1 items-center justify-center px-4">
+		<div class="w-full max-w-sm">
+			<!-- Logo -->
+			<div class="mb-10 text-center">
+				<a href="/" class="inline-flex items-center" aria-label="Familienarchiv">
+					<span class="font-sans text-2xl font-bold tracking-widest text-brand-navy uppercase"
+						>Familienarchiv</span
+					>
+				</a>
+			</div>
+
+			<!-- Card -->
+			<div class="rounded-sm border border-brand-sand bg-white p-8 shadow-sm">
+				<h1 class="mb-6 font-sans text-sm font-bold tracking-widest text-brand-navy uppercase">
+					{m.reset_password_heading()}
+				</h1>
+
+				{#if form?.success}
+					<div class="mb-5 rounded-sm border border-green-200 bg-green-50 px-4 py-3">
+						<p class="font-sans text-xs text-green-700">{m.reset_password_success()}</p>
+					</div>
+
+					<a
+						href="/login"
+						class="font-sans text-xs text-gray-400 transition-colors hover:text-brand-navy"
+						>{m.forgot_password_back_to_login()}</a
+					>
+				{:else}
+					<form method="POST" class="space-y-5">
+						<input type="hidden" name="token" value={data.token ?? ''} />
+
+						<div>
+							<label
+								for="newPassword"
+								class="mb-1.5 block font-sans text-xs font-bold tracking-widest text-gray-500 uppercase"
+								>{m.reset_password_label()}</label
+							>
+							<input
+								type="password"
+								name="newPassword"
+								id="newPassword"
+								required
+								autocomplete="new-password"
+								class="block w-full border border-gray-300 px-3 py-2.5 font-serif text-sm text-brand-navy placeholder-gray-400 focus:border-brand-navy focus:ring-1 focus:ring-brand-navy focus:outline-none"
+							/>
+						</div>
+
+						<div>
+							<label
+								for="confirmPassword"
+								class="mb-1.5 block font-sans text-xs font-bold tracking-widest text-gray-500 uppercase"
+								>{m.reset_password_confirm_label()}</label
+							>
+							<input
+								type="password"
+								name="confirmPassword"
+								id="confirmPassword"
+								required
+								autocomplete="new-password"
+								class="block w-full border border-gray-300 px-3 py-2.5 font-serif text-sm text-brand-navy placeholder-gray-400 focus:border-brand-navy focus:ring-1 focus:ring-brand-navy focus:outline-none"
+							/>
+						</div>
+
+						{#if form?.error}
+							<div class="text-center font-sans text-xs font-medium text-red-600">
+								{form.error === 'MISMATCH'
+									? m.reset_password_mismatch()
+									: getErrorMessage(form.error)}
+							</div>
+						{/if}
+
+						<button
+							type="submit"
+							class="mt-2 w-full bg-brand-navy py-2.5 font-sans text-xs font-bold tracking-widest text-white uppercase transition-colors hover:bg-brand-navy/90"
+						>
+							{m.reset_password_submit()}
+						</button>
+
+						<div class="mt-4 text-center">
+							<a
+								href="/login"
+								class="font-sans text-xs text-gray-400 transition-colors hover:text-brand-navy"
+								>{m.forgot_password_back_to_login()}</a
+							>
+						</div>
+					</form>
+				{/if}
+			</div>
+		</div>
+	</div>
+
+	<!-- Footer -->
+	<div class="py-4 text-center">
+		<p class="font-sans text-xs tracking-widest text-gray-300 uppercase">Familienarchiv</p>
+	</div>
+</div>