From 1fccec575324c3e91d02e176a066850c6c85e2fb Mon Sep 17 00:00:00 2001 From: jester Date: Tue, 28 Apr 2026 20:24:04 +0000 Subject: [PATCH] Track API change password endpoint --- Codex/API/CURRENT_STATE.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Codex/API/CURRENT_STATE.md b/Codex/API/CURRENT_STATE.md index 420da84..b0fe3fc 100644 --- a/Codex/API/CURRENT_STATE.md +++ b/Codex/API/CURRENT_STATE.md @@ -88,6 +88,8 @@ This file records what is believed to be implemented now. - Password reset request now delivers email through the configured support mailbox SMTP path first, with optional Resend fallback and console-link fallback for local development. - Password reset request routes are `POST /api/auth/password-reset/request` and alias `POST /api/auth/forgot-password`. - Password reset confirm routes are `POST /api/auth/password-reset/confirm` and alias `POST /api/auth/reset-password`. +- Logged-in password change is available at `POST /api/auth/change-password` with bearer auth and body `{ currentPassword, newPassword }`. +- Logged-in password change verifies the current password, enforces the same 8-character minimum, updates the password hash, and marks outstanding password reset tokens used. - Reset links use `RESET_PASSWORD_URL_BASE`, then `PORTAL_URL`, then `http://localhost:3000`, and point at `/reset-password?token=...`. - Reset request responses remain generic to avoid account enumeration. - Reset confirmation rejects passwords shorter than 8 characters and marks all outstanding reset tokens for that user used after a successful password change.
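Review bot: the two new bullets in this hunk record what `POST /api/auth/change-password` checks (current password, 8-character minimum, hash update, reset tokens marked used) but say nothing about what happens to the caller's other sessions or bearer tokens after the change, and nothing about whether the endpoint shares the rate limiting applied to the reset routes; since this file is the record of believed-implemented behaviour, please state both explicitly (even if the answer is "existing bearer tokens remain valid" or "no rate limit yet") so the gap is visible rather than silently assumed. The second bullet also repeats the 8-character rule already documented in the "Reset confirmation rejects passwords shorter than 8 characters" bullet below it; consider phrasing it as "enforces the same minimum as reset confirmation" so a future change to the threshold only has to be updated in one place.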