diff --git a/Codex/Portal/CURRENT_STATE.md b/Codex/Portal/CURRENT_STATE.md index 933f764..d1418b6 100644 --- a/Codex/Portal/CURRENT_STATE.md +++ b/Codex/Portal/CURRENT_STATE.md @@ -48,7 +48,18 @@ This file records what is implemented now. ## Billing / auth / onboarding - billing UI alignment exists with the newer billing state model. -- forgot/reset password flow exists. +- forgot/reset password flow exists: + - login includes a `Forgot password?` link to `/forgot-password` + - `/forgot-password` posts `{ email }` to `POST /api/auth/password-reset/request` + - the Portal always shows `If the account exists, a reset link has been sent.` for account-lookup-style responses + - `/reset-password?token=...` reads `token`, validates 8+ character password and confirmation match, then posts `{ token, password }` to `POST /api/auth/password-reset/confirm` + - missing, invalid, or expired reset tokens show `This reset link is invalid or has expired.` + - successful reset does not auto-login; Portal leaves the user with login navigation +- profile change-password UI exists: + - profile includes current password, new password, and confirm new password fields + - client validation requires an 8+ character new password and matching confirmation + - submit uses authenticated `POST /api/auth/change-password` with `{ currentPassword, newPassword }` + - successful change clears the password fields and reports success without changing login/session state - first-login onboarding flow exists. - Next 16 / current TypeScript cleanup included fixes around nullable normalization and search-param/Suspense usage in affected pages/components.
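Review bot: the `/forgot-password` bullet says the generic message is shown "for account-lookup-style responses", but never defines which responses of `POST /api/auth/password-reset/request` those are. List the status codes or error shapes that map to `If the account exists, a reset link has been sent.` and any that surface a different message, because any outcome the user can tell apart reintroduces account enumeration. Three smaller gaps in the same hunk:

- The 8+ character and confirmation-match rules are described only as Portal/client validation in both the reset and change-password bullets. State whether `password-reset/confirm` and `change-password` enforce the same rule server-side.
- The last change-password bullet says success happens "without changing login/session state". Record whether leaving other existing sessions valid after a password change is the intended behaviour.
- `/reset-password?token=...` carries the token in the query string. Note whether the page removes it from the URL once it has been read.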