feat(auth): add ChangePasswordAsync with other-session revocation and audit

API/ROLAC.API/Services/IAuthService.cs

@@ -1,3 +1,4 @@
+using Microsoft.AspNetCore.Identity;
 using ROLAC.API.DTOs.Auth;
 using ROLAC.API.Entities;
 
@@ -30,6 +31,20 @@ public interface IAuthService
     /// </summary>
     Task LogoutAsync(string rawRefreshToken);
 
+    /// <summary>
+    /// Changes the password for an already-authenticated user. Verifies the current
+    /// password and enforces the configured Identity password policy via
+    /// <c>UserManager.ChangePasswordAsync</c>. On success, revokes the user's other
+    /// active refresh tokens (keeping the one matching <paramref name="currentRawRefreshToken"/>)
+    /// and writes a security audit entry. Returns the <see cref="IdentityResult"/> so the
+    /// caller can surface failures; never throws on a bad password.
+    /// </summary>
+    Task<IdentityResult> ChangePasswordAsync(
+        string  userId,
+        string  currentPassword,
+        string  newPassword,
+        string? currentRawRefreshToken);
+
     /// <summary>
     /// Builds the UserInfo payload (identity, roles, and effective permissions) for an
     /// already-authenticated user. Used by GET /api/auth/me to refresh permissions