
feat(cli): add nao reset-password command for local password recovery #583

Open
Rish-it wants to merge 3 commits into getnao:main from Rish-it:fix/574-cli-password-reset

@Rish-it Rish-it commented Apr 9, 2026

Summary

Adds nao reset-password CLI command for local password recovery when SMTP is not configured (fixes #574).

Local deployments without SMTP have no password reset mechanism — the "Forgot password?" link is hidden and the backend silently skips email-based reset. Users had to delete db.sqlite to recover, losing all data.

Changes:

  • cli/nao_core/commands/reset_password.py — New command: resolves SQLite DB, prompts for email + new password, validates strength, hashes with scrypt (matching better-auth), updates account.password and clears requires_password_reset flag
  • cli/nao_core/commands/__init__.py — Export the new command
  • cli/nao_core/main.py — Register with cyclopts CLI
  • cli/tests/nao_core/commands/test_reset_password.py — 24 tests covering validation, hashing, DB path resolution, and full command flow

Manual Testing

Prerequisites: Have a running nao instance with at least one email/password user.

# Step 1: Run the command
nao reset-password

# Step 2: Enter the email of the user whose password you want to reset
# Step 3: Enter and confirm the new password (must include uppercase, lowercase, number, and special character)
# Step 4: Confirm the reset when prompted
# Step 5: Log in with the new password at http://localhost:3000

Expected output:

🔑 Password Reset

✔ Found database at /path/to/db.sqlite
✔ Found user: User Name (user@example.com)
? New password: ********
? Confirm password: ********
? Reset password for User Name (user@example.com)? Yes
✔ Password has been reset. You can now log in with your new password.

Test Cases to Verify

| # | Scenario | Expected |
|---|----------|----------|
| 1 | Valid email + strong password | Password updated, login works |
| 2 | Non-existent email | Error: "No user found with email" |
| 3 | Google/GitHub OAuth user | Error: "does not use password authentication" |
| 4 | Weak password (e.g. "password") | Warning + retry loop |
| 5 | Password mismatch | Warning + retry loop |
| 6 | Decline confirmation | "Cancelled", password unchanged |
| 7 | Ctrl+C during prompt | Clean exit, password unchanged |


Copilot AI review requested due to automatic review settings April 9, 2026 10:17
github-actions Bot commented Apr 9, 2026

🚀 Preview Deployment

URL https://pr-583-646c566.preview.getnao.io
Commit 646c566

⚠️ No LLM API keys configured - you'll see the API key setup flow when trying to chat.


Preview will be automatically removed when this PR is closed.

Copilot AI left a comment


Pull request overview

Adds a local-only password recovery path by introducing a nao reset-password CLI command that updates a user’s credential password directly in the SQLite database (bypassing SMTP), along with tests and CLI registration.

Changes:

  • Added reset_password command implementation (DB path resolution, password validation, scrypt hashing, DB updates).
  • Registered the new command in the CLI command registry and main app entrypoint.
  • Added a comprehensive pytest suite for hashing, validation, DB path resolution, and command flows.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

| File | Description |
|------|-------------|
| cli/nao_core/commands/reset_password.py | Implements the reset-password command logic (SQLite lookup + password update). |
| cli/nao_core/commands/__init__.py | Exports the new reset_password command. |
| cli/nao_core/main.py | Registers the new command with the cyclopts app. |
| cli/tests/nao_core/commands/test_reset_password.py | Adds unit/integration-style tests covering the new command and helpers. |
| scratch/test-email.ts | Adds an SMTP test script (appears unrelated to the PR goal). |


Comment thread cli/nao_core/commands/reset_password.py
Comment thread scratch/test-email.ts Outdated

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 5 files


@cubic-dev-ai cubic-dev-ai Bot left a comment


1 issue found across 3 files (changes from recent commits).

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="cli/nao_core/commands/reset_password.py">

<violation number="1" location="cli/nao_core/commands/reset_password.py:142">
P2: sqlite3.connect is executed before the try/except, so connection failures bypass the new sqlite3.Error handler and raise uncaught exceptions. Move the connection into the try (and guard the finally close) to ensure DB open errors are handled gracefully.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread cli/nao_core/commands/reset_password.py
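The connection handling requested in the review above, sketched together with the update the PR summary describes; this is an added example, not code from the PR. The `user`/`account` table and column names, the `provider_id = 'credential'` value, the scrypt parameters and the `salt:key` hex format are assumptions to verify against the deployed schema and auth library.

```python
import hashlib
import secrets
import sqlite3
import unicodedata
from pathlib import Path

# Assumed scrypt parameters; they must match what the auth backend verifies with.
SCRYPT = dict(n=16384, r=16, p=1, dklen=64, maxmem=64 * 1024 * 1024)


def hash_password(password: str, salt_hex: str = "") -> str:
    """Return 'salt_hex:key_hex' (assumed storage format)."""
    salt_hex = salt_hex or secrets.token_hex(16)
    pw = unicodedata.normalize("NFKC", password).encode()
    key = hashlib.scrypt(pw, salt=salt_hex.encode(), **SCRYPT)
    return f"{salt_hex}:{key.hex()}"


def reset_password(db_path: str, email: str, new_password: str) -> str:
    """Return 'ok' or an error string; never lets sqlite3.Error escape."""
    conn = None
    try:
        # Connect inside the try so open failures reach the handler below.
        # mode=rw refuses to create an empty database when the path is wrong.
        uri = Path(db_path).resolve().as_uri() + "?mode=rw"
        conn = sqlite3.connect(uri, uri=True)
        with conn:  # one transaction: commit on success, roll back on error
            row = conn.execute("SELECT id FROM user WHERE email = ?", (email,)).fetchone()
            if row is None:
                return "error: no user found with email"
            cur = conn.execute(
                "UPDATE account SET password = ? "
                "WHERE user_id = ? AND provider_id = 'credential'",
                (hash_password(new_password), row[0]),
            )
            if cur.rowcount == 0:
                return "error: user does not use password authentication"
            conn.execute("UPDATE user SET requires_password_reset = 0 WHERE id = ?", (row[0],))
        return "ok"
    except sqlite3.Error as exc:
        return f"error: database failure: {exc}"
    finally:
        if conn is not None:  # guard: conn is unset when connect() itself failed
            conn.close()
```
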

@socallmebertille socallmebertille left a comment


Thanks for your contribution! If you could just rebase on main it would be great! 👍

Rish-it added 3 commits April 20, 2026 10:53
Adds a CLI command that directly resets a user's password in the
local SQLite database, bypassing SMTP entirely. Uses scrypt hashing
with identical parameters to better-auth for full compatibility.

Closes getnao#574
@Rish-it Rish-it force-pushed the fix/574-cli-password-reset branch from 97c4788 to 646c566 Compare April 20, 2026 05:24

Rish-it commented Apr 20, 2026

@socallmebertille the branch has been updated with the latest main


Development

Successfully merging this pull request may close these issues.

[bug] Local app: forgotten password requires DB erasure to recover
