diff --git a/Codex/API/CURRENT_STATE.md b/Codex/API/CURRENT_STATE.md index 088b672..420da84 100644 --- a/Codex/API/CURRENT_STATE.md +++ b/Codex/API/CURRENT_STATE.md @@ -85,6 +85,13 @@ This file records what is believed to be implemented now. ## Billing / auth lifecycle - API issues access tokens and refresh tokens. - Password reset tokens are stored hashed and exchanged through API routes. +- Password reset request now delivers email through the configured support mailbox SMTP path first, with optional Resend fallback and console-link fallback for local development. +- Password reset request routes are `POST /api/auth/password-reset/request` and alias `POST /api/auth/forgot-password`. +- Password reset confirm routes are `POST /api/auth/password-reset/confirm` and alias `POST /api/auth/reset-password`. +- Reset links use `RESET_PASSWORD_URL_BASE`, then `PORTAL_URL`, then `http://localhost:3000`, and point at `/reset-password?token=...`. +- Reset request responses remain generic to avoid account enumeration. +- Reset confirmation rejects passwords shorter than 8 characters and marks all outstanding reset tokens for that user used after a successful password change. +- Default reset sender is `ZeroLag Hub Support ` and production SMTP is configured through `SMTP_HOST`, `SMTP_PORT`, `SMTP_SECURE`, `SMTP_USER`, and `SMTP_PASS`. - Stripe billing routes cover checkout, upgrade, downgrade, portal, and current billing state. - Stripe webhooks are mounted with raw body parsing before normal JSON middleware. - Billing scheduler starts in-process and performs limited reminder/reconciliation work.
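Review bot: The console-link fallback and the `http://localhost:3000` default are described without saying what gates them, so the doc should state the condition under which a reset link is printed to the console or built against localhost, otherwise a production deployment missing `RESET_PASSWORD_URL_BASE` and `PORTAL_URL` would read as sending users a localhost link, and a console fallback reaching production would write live reset tokens into logs. Suggest amending the two bullets to something like "console-link fallback (only when no SMTP and no Resend configuration is present, outside production)" and "then `http://localhost:3000` (local development only)", matching whatever the code actually checks. Two smaller points: the sender bullet reads "Default reset sender is `ZeroLag Hub Support `" with no address after the display name, so the actual from-address seems to have been dropped and should be restored; and "marks all outstanding reset tokens for that user used" should read "marks all outstanding reset tokens for that user as used".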